Pectra upgrade forks the Ethereum blockchain, introducing new features and vulnerabilities

The Ethereum blockchain forked today for its Pectra code change and introduced a suite of new features, upgrades, and vulnerabilities.

The Ethereum blockchain underwent a planned code change, known as Pectra, which brought a suite of new features, upgrades, and unfortunately, also some vulnerabilities.

This new set of opcodes will be used for an upcoming version of Ethereum Improvement Proposal (EIP) 3074. The proposal aims to introduce a new authorization pattern.

It is an important step towards account abstraction, which is being brought to Ethereum in later phases with further upgrades.

However, some critics say it will open up new phishing attack vectors that could allow an entire user’s account to be stolen if they accidentally delegate control of their key.

pectra pros:>approve spend then swap is deadpectra cons:>signing messages just got a whole lot spicier

Credit: EIP-3074 authors

The authors of EIP-3074, which is part of the Pectra upgrade, are introducing new AUTH and AUTHCALL Ethereum operation codes.

These opcodes will allow the holder of an Ethereum private key to delegate authorization to a smart contract.

The authors of the EIP, which is part of the Pectra upgrade, are introducing new AUTH and AUTHCALL Ethereum operation codes.

These opcodes will allow the holder of an Ethereum private key to delegate authorization to a smart contract.

It is an important step towards account abstraction, which is being brought to Ethereum in later phases with further upgrades.

However, some critics say it will open up new phishing attack vectors that could allow an entire user’s account to be stolen if they accidentally delegate control of their key.

pectra pros:+ approve spend then swap is deadpectra cons:signing messages just got a whole lot spicier

Careful signing Ethereum transactions and messages

According to a post on Binance, the authors of EIP-3074 are trying to calm fears. They claimed they are "unaware" of any wallet that would allow signing of improperly prefixed messages without a user warning.

Transactions use the prefix 0x04, and the authors of the EIP hope that all major Ethereum wallets will put 0x04 messages in a way that will alert the user about their expansive power to authorize multiple withdrawals.

“The caller field in the EIP-3074 signature is very important. A bad caller could steal your funds.”

Today's Pectra fork also added EIP-7702, which is increasing the stakes even higher.

With the power of EIP-7702, a single malicious signature can temporarily delegate someone’s entire account to a third-party smart contract.

If that contract is malicious, it could potentially drain all assets (ETH, tokens, NFTs) in one go.

As opposed to pre-Pectra Ethereum transactions, the possible attack surface for victims is broader with EIP-7702 because externally owned accounts (EOAs) are now exposed to third-party temporary smart contract vulnerabilities.

This temporary delegation of executable code was not a concern before Pectra.

Although warnings are proliferating across social media, there are no reports yet of a successful theft of funds using the new Pectra-enabled attack vector.

Most wallet providers like MetaMask were prepared for Pectra and added prominent warnings for EIP-3074 message signings.