Pectra Upgrade Opens New Attack Vectors for Ethereum Wallets

On May 7th, 2025 Ethereum deployed its most recent upgrade, Pectra. While the upgrade adds a new transaction type that expands wallet functionality in a genuinely useful way, it also introduces new security risks for users. The upgrade brings with it the SetCode transaction, type 0x04. This new wallet feature lets users hand another contract broad control over their wallet simply by signing a message. Unfortunately, that same functionality gives attackers a lower-risk path to drain wallets without any on-chain transaction from the victim. Experts have accordingly been warning users to avoid signing messages entirely except in the most extreme of use cases.
Pectra's focus is on increasing Ethereum's validator staking cap and improving layer-2 scalability. It does this by raising the limit on data blobs per block to 300, introducing EIP-7251 and EIP-7691. More recently, the addition of the SetCode transaction, made possible through EIP-7702, has alarmed many security experts.
The SetCode Transaction and Its Implications
With the SetCode transaction, a user can delegate control of their wallet to another contract by signing a message that authorizes the delegation. Harris noted that any valid delegation signature obtained before the upgrade becomes actionable once Pectra is active. In other words, once such code is deployed, it can be reused anywhere, opening up a new attack vector.
"If a message includes your account nonce, it’s probably affecting your account directly," - Arda Usman
Usman explained that ordinary sign-in messages and off-chain attestations do not normally include an account nonce. That is an important distinction for users to recognize: a message that asks them to sign over their account nonce can affect their account directly.
Yehor Rudytsia noted that what is particularly dangerous about Pectra is that it allows arbitrary code to be installed in a user's account, turning their wallet into a programmable smart contract. This new capability, however useful, is fraught with risk.
Security Vulnerabilities and Risks
Prior to Pectra, a wallet could not be changed without an on-chain transaction that the user signed with their private key. Now attackers can leverage the new transaction type to take over externally owned accounts (EOAs). Notably, they can do this without the user approving an on-chain transaction. Wallets that fail to accurately classify Ethereum transactions, particularly the critical transaction type 0x04, are most at risk.
"Pre-Pectra, users needed to send a transaction (not sign a message) to allow their funds to be moved… Post-Pectra, any operation may be executed from the contract which the user approved via SET_CODE," - Yehor Rudytsia
This development means hardware wallets can no longer be considered safer by default. The real vulnerability lies not in the security of the wallet itself but in what the user signs with their private key.
"We believe it will be the most popular attack vector regarding these breaking changes introduced by Pectra," - Yehor Rudytsia
User Precautions and Recommendations
In his post, Rudytsia warned users to never sign or commit to messages that they don’t fully understand.
"Users should not sign the messages they do not understand," - Yehor Rudytsia
The delegation signature format introduced by EIP-7702 is distinct from, and incompatible with, the widely adopted EIP-191 and EIP-712 signing standards. That incompatibility poses serious risks and makes it imperative that users read the fine print of whatever they are agreeing to sign.
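The practical defence the article points at is a wallet that can tell the user, before signing, which of these formats a request belongs to: an EIP-191 personal message, an EIP-712 typed-data digest, an EIP-7702 delegation authorization (the message that carries the account nonce Usman warns about), or a raw type 0x04 SetCode transaction. The check below is an added example written for this article, not code from the article or from any wallet project. The prefix bytes it keys on are the ones the standards define (0x19 for EIP-191, 0x19 0x01 for EIP-712, the 0x05 magic byte in front of an EIP-7702 authorization, and 0x04 as the SetCode envelope type); the RLP helpers are a minimal implementation written here, and the addresses, nonces and signature values in the sample requests are constructed.

```python
"""Pre-signing classifier: what would this payload authorise if the user signed it?
Added example. RLP helpers are minimal; sample addresses/values are constructed."""

SETCODE_TX_TYPE = 0x04   # EIP-7702 transaction envelope type byte
AUTH_MAGIC = 0x05        # prefix of the EIP-7702 authorization preimage
AUTH_LIST_INDEX = 9      # position of authorization_list in the 0x04 tx body


def _rlp_len(n: int, offset: int) -> bytes:
    if n < 56:
        return bytes([offset + n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([offset + 55 + len(nb)]) + nb


def rlp_encode(item) -> bytes:
    """Minimal RLP encoder for ints, bytes and nested lists (enough to build samples)."""
    if isinstance(item, int):
        item = item.to_bytes((item.bit_length() + 7) // 8, "big")  # 0 -> b""
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _rlp_len(len(item), 0x80) + bytes(item)
    body = b"".join(rlp_encode(x) for x in item)
    return _rlp_len(len(body), 0xC0) + body


def _rlp_one(data: bytes):
    """Decode one RLP item and return (item, remaining_bytes)."""
    if not data:
        raise ValueError("truncated RLP")
    p = data[0]
    if p < 0x80:                       # single byte
        return data[:1], data[1:]
    if p < 0xB8:                       # short string
        n, start = p - 0x80, 1
        return data[start:start + n], data[start + n:]
    if p < 0xC0:                       # long string
        ll = p - 0xB7
        n, start = int.from_bytes(data[1:1 + ll], "big"), 1 + ll
        return data[start:start + n], data[start + n:]
    if p < 0xF8:                       # short list
        n, start = p - 0xC0, 1
    else:                              # long list
        ll = p - 0xF7
        n, start = int.from_bytes(data[1:1 + ll], "big"), 1 + ll
    body, rest = data[start:start + n], data[start + n:]
    if len(body) != n:
        raise ValueError("truncated RLP list")
    items = []
    while body:
        item, body = _rlp_one(body)
        items.append(item)
    return items, rest


def rlp_decode(data: bytes):
    item, rest = _rlp_one(data)
    if rest:
        raise ValueError("trailing bytes after RLP item")
    return item


def _u(b: bytes) -> int:
    return int.from_bytes(b, "big")


def classify_signing_request(payload: bytes) -> dict:
    """Describe the request; installs_code=True means the signature can change the EOA."""
    if payload[:2] == b"\x19\x01":
        return {"kind": "eip712_typed_data", "installs_code": False, "delegates": []}
    if payload[:1] == b"\x19":
        return {"kind": "eip191_personal_message", "installs_code": False, "delegates": []}
    if payload[:1] == bytes([AUTH_MAGIC]):
        # 0x05 || rlp([chain_id, delegate_address, nonce]): the nonce is the account nonce
        chain_id, delegate, nonce = rlp_decode(payload[1:])
        return {"kind": "eip7702_authorization", "installs_code": True,
                "chain_id": _u(chain_id), "account_nonce": _u(nonce),
                "delegates": ["0x" + delegate.hex()]}
    if payload[:1] == bytes([SETCODE_TX_TYPE]):
        fields = rlp_decode(payload[1:])
        auths = fields[AUTH_LIST_INDEX]     # each: [chain_id, address, nonce, y_parity, r, s]
        return {"kind": "setcode_transaction", "installs_code": True,
                "delegates": ["0x" + a[1].hex() for a in auths]}
    raise ValueError("unrecognised signing payload; refuse to sign")


def sample_requests() -> dict:
    """Constructed payloads: a login message, an EIP-7702 authorization and a 0x04 tx."""
    delegate = bytes.fromhex("11" * 20)                 # constructed delegate address
    auth_preimage = bytes([AUTH_MAGIC]) + rlp_encode([1, delegate, 7])
    auth_tuple = [1, delegate, 7, 0, 1, 1]              # y_parity, r, s are constructed
    tx_body = [1, 0, 1, 1, 21000, bytes(20), 0, b"", [], [auth_tuple]]
    setcode_tx = bytes([SETCODE_TX_TYPE]) + rlp_encode(tx_body)
    login = b"\x19Ethereum Signed Message:\n5hello"
    return {"login": login, "authorization": auth_preimage, "setcode_tx": setcode_tx}
```

A wallet UI built on this would show the `installs_code` flag and the decoded delegate address prominently, and treat the `account_nonce` field appearing at all as the signal that the request targets the account itself rather than an off-chain login or attestation.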
"From now on, users have to carefully validate what they are going to sign," - Yehor Rudytsia
The consequences of signing a malicious message can be severe.
"If done—all the funds are gone in a moment," - Yehor Rudytsia

Tran Quoc Duy
Blockchain Editor
Tran Quoc Duy offers centrist, well-grounded blockchain analysis, focusing on practical risks and utility in cryptocurrency domains. His analytical depth and subtle humor bring a thoughtful, measured voice to staking and mining topics. In his spare time, he enjoys landscape painting and classic science fiction novels.