EIP-7702 Flaw Drains 1,988 QNT From Ethereum Pool


Key Highlights

A critical flaw in Ethereum’s EIP-7702 standard has led to the theft of 1,988.5 QNT from a token reserve pool. According to blockchain security firm SlowMist, the stolen funds, worth about 54.93 ETH, highlight risks in how delegated accounts are being configured.

In a recent incident breakdown, SlowMist traced the attack back to a misconfigured account, where admin control was tied to an externally owned address. This exposed a batch execution contract that lacked proper access checks. 

https://twitter.com/SlowMist_Team/status/2049333031371210854?ref_src=twsrc%5Etfw

As a result, the attacker was able to run unauthorized transactions and move the funds. The incident on the Ethereum network highlights ongoing concerns around the safety of newer delegation features.

Delegation design opens critical gaps

Ethereum’s EIP-7702 upgrade, rolled out as part of the Pectra network upgrade, was meant to revolutionize user experience. The proposal allows standard wallets (EOAs) to temporarily attach smart contract code to themselves during a transaction. This enables powerful features like gas sponsorship, transaction batching, and social recovery without requiring users to permanently migrate to a separate smart contract wallet. 

However, as this QNT exploit demonstrates, the temporary “superpowers” granted to EOAs can create catastrophic security gaps if the attached code is flawed. When an account upgrades to a smart account and delegates logic, the embedded contract code executes with full account privileges. If the target contract is misconfigured, the traditional security assumptions of the wallet are bypassed entirely.
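To make the misconfiguration concrete, here is an added illustration (constructed for this article, not the contract involved in the incident nor code from SlowMist): a minimal batch executor of the kind an EOA would delegate to under EIP-7702, first without any caller check, then with the self-only check that stops third parties from driving the account. The contract names, the `Call` struct and the `onlySelf` modifier are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration: neither contract is the one involved in the QNT
// incident. Both are meant to be EIP-7702 delegation targets. Once an EOA
// delegates to one of them, this code runs *as the EOA*: address(this) is the
// EOA, and every external call below spends the EOA's ETH and tokens.

struct Call {
    address to;
    uint256 value;
    bytes data;
}

// VULNERABLE (the misconfiguration described above): execute() has no caller
// check, so any third party can call the delegated EOA and make it move its
// assets anywhere, e.g. an ERC-20 transfer() out of a pool the account controls.
contract OpenBatchExecutor {
    function execute(Call[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) =
                calls[i].to.call{value: calls[i].value}(calls[i].data);
            if (!ok) {
                // bubble up the callee's revert reason unchanged
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}

// HARDENED: only the account itself may trigger the batch. Under EIP-7702 a
// transaction signed by the EOA's own key and sent to its own address arrives
// with msg.sender == address(this); any other caller is rejected before a
// single call is made. Sponsored/relayed flows would additionally need a
// signature and nonce check on the batch, which is deliberately out of scope.
contract GuardedBatchExecutor {
    error Unauthorized(address caller);
    event BatchExecuted(address indexed account, uint256 calls);

    modifier onlySelf() {
        if (msg.sender != address(this)) revert Unauthorized(msg.sender);
        _;
    }

    function execute(Call[] calldata calls) external payable onlySelf {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) =
                calls[i].to.call{value: calls[i].value}(calls[i].data);
            if (!ok) {
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
        emit BatchExecuted(address(this), calls.length);
    }
}
```

The only difference between the two contracts is the `onlySelf` modifier, which is exactly the check the article says the exploited batch contract lacked: without it, "the attached code executes with full account privileges" for whoever happens to call it.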


Rising pattern of post-Pectra exploits

The QNT drain incident is part of a wider, alarming pattern following Ethereum’s Pectra upgrade, where attackers are taking advantage of delegated account features alongside weak contract design. Security researchers say scams are also evolving, with phishing tactics now using approval signatures to hide malicious actions.

Similar incidents in May 2025 showed how such attacks play out in practice. A group known as InfernoDrainer, for instance, used batch transactions to trick users into granting access to their tokens, resulting in losses of over $146,000. Attackers on the BNB Smart Chain, meanwhile, used delegations to bypass transaction validation.

Researchers at Wintermute have also warned about the scale of the issue. They found that most EIP-7702 delegations were tied to contracts using the same code, many of them built to automate fund theft.

https://twitter.com/wintermute_t/status/1928501765865091400?ref_src=twsrc%5Etfw

The pattern is raising the pressure on DeFi developers to tighten their security postures. As the boundaries between standard wallets and smart contracts blur, rigorous access control checks, explicit permission parameters, and clear UI warnings for users engaging with EIP-7702 authorizations have become mandatory for survival on the network.
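Wintermute's finding that most delegations point at the same contract code, and the call above for explicit checks on EIP-7702 authorizations, both rest on being able to see where a delegated account's logic actually lives. The following added example (written for this article, not from Wintermute or any wallet vendor) reads the EIP-7702 delegation designator from an account's code and uses it in a hypothetical gate that refuses callers delegated to an implementation the protocol has not reviewed. `DelegationCheck`, `DelegationGate` and the allowlist are assumptions; the 23-byte `0xef0100 || address` layout and the EXTCODESIZE/EXTCODECOPY behaviour are as specified by EIP-7702.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example. Under EIP-7702 a delegated EOA's code is the 23-byte
// designator 0xef0100 || <delegate address>, and EXTCODESIZE/EXTCODECOPY
// return that designator rather than the delegate's own bytecode. This
// library reads it so a contract (or an off-chain monitor using the same
// logic) can tell whether a counterparty EOA is delegated and to what.
library DelegationCheck {
    uint256 internal constant DESIGNATOR_LEN = 23;      // 3-byte prefix + 20-byte address
    bytes3 internal constant DESIGNATOR_PREFIX = 0xef0100;

    function delegationTarget(address account)
        internal view returns (bool delegated, address target)
    {
        // EXTCODESIZE first: cheap, and anything but 23 bytes is not a designator
        if (account.code.length != DESIGNATOR_LEN) return (false, address(0));

        bytes memory code = account.code;
        uint256 word;
        assembly { word := mload(add(code, 32)) } // first 32 bytes; only 23 are meaningful
        if (bytes3(bytes32(word)) != DESIGNATOR_PREFIX) return (false, address(0));

        // shift the 3-byte prefix out and keep the next 20 bytes as the address
        target = address(uint160(bytes20(bytes32(word << 24))));
        delegated = true;
    }
}

// Hypothetical policy: a protocol that refuses to interact with callers whose
// account logic is delegated to an implementation it has not reviewed. Plain
// EOAs (no code) and ordinary contracts pass through unchanged.
contract DelegationGate {
    using DelegationCheck for address;

    address public immutable owner;
    mapping(address => bool) public allowedImplementations;

    error UnreviewedDelegate(address caller, address implementation);

    constructor() { owner = msg.sender; }

    function setAllowed(address impl, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedImplementations[impl] = ok;
    }

    modifier onlyReviewedDelegation() {
        (bool delegated, address impl) = msg.sender.delegationTarget();
        if (delegated && !allowedImplementations[impl]) {
            revert UnreviewedDelegate(msg.sender, impl);
        }
        _;
    }

    function deposit() external payable onlyReviewedDelegation {
        // ... protocol logic ...
    }
}
```

The same prefix-and-length test is what a wallet UI or a chain monitor can run on any address before warning a user: an account whose code matches `0xef0100 || address` is delegated, and the extracted address can be compared against known drainer implementations or a reviewed allowlist.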

Published by
kryptonew