Ethereum's Pectra Update Introduces EIP-7702 Transactions and Alerts Users to Emerging Phishing Threats

The latest Pectra update for Ethereum has brought about significant improvements, making transactions faster and more user-friendly, and opening the door to new use cases in the decentralized economy. However, this evolution comes with its own set of challenges, particularly in the realm of security.

EIP-7702, building on EIP-3074, enables grouped transactions by letting contract code temporarily or permanently control an externally owned account (EOA). This broader transaction capability is beneficial, but it also introduces new attack surfaces, including phishing risks, because contract code can now execute within the context of an EOA.

To mitigate these risks, validation logic should be programmable and flexible. For instance, ERC-4337 smart contract wallets, which support bundling and custom validation of user operations, can add configurable security layers before a transaction executes, such as multisig confirmations, nonce or replay protection, and stricter signature schemes.

Unguarded use of low-level call() should also be avoided. Low-level calls can open the door to reentrancy or to unauthorized execution paths that an attacker can trigger. Contracts should instead follow well-audited patterns such as checks-effects-interactions and reentrancy guards.

Improved user awareness and wallet UI changes can also help. Wallets such as MetaMask could display an explicit indication whenever a grouped or delegated transaction is requested, highlight the associated risks, and require an explicit user approval beyond that of a normal single-signature interaction.
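To make the wallet-side indication above concrete, here is an added example (not from the article or from any wallet's code base) that classifies the code returned by eth_getCode for the sending account and decides which warning to surface before signing; an EIP-7702 delegated EOA carries exactly 23 bytes of code, the designator prefix 0xef0100 followed by the 20-byte delegation target. The vetted-target allowlist, the sample target address and the sample code are assumptions constructed for this example.

```javascript
// Added example: detect EIP-7702 delegation on an account and decide what a
// wallet should show the user. Input is the hex string eth_getCode returns.
const DELEGATION_PREFIX = "ef0100"; // EIP-7702 delegation designator

function classifyAccountCode(codeHex) {
  const hex = (codeHex.startsWith("0x") ? codeHex.slice(2) : codeHex).toLowerCase();
  if (hex.length === 0) return { kind: "eoa", target: null };          // plain EOA
  if (hex.length % 2 !== 0 || !/^[0-9a-f]*$/.test(hex)) {
    return { kind: "invalid", target: null };                          // not hex bytes
  }
  if (hex.startsWith(DELEGATION_PREFIX)) {
    // A valid designator is exactly 23 bytes (46 hex chars); anything else that
    // starts with the prefix is malformed and should not be trusted.
    if (hex.length !== 46) return { kind: "invalid", target: null };
    return { kind: "delegated", target: "0x" + hex.slice(6) };
  }
  return { kind: "contract", target: null };                           // ordinary contract
}

// Wallet-side decision: compare the delegation target against a list of
// targets the wallet has vetted (hypothetical allowlist). An unknown target
// gets the strongest warning, since its code runs with the EOA's authority.
function delegationWarning(codeHex, vettedTargets) {
  const info = classifyAccountCode(codeHex);
  if (info.kind !== "delegated") return { warn: false, level: "none", info };
  const trusted = vettedTargets.map((a) => a.toLowerCase()).includes(info.target);
  return {
    warn: true,
    level: trusted ? "info" : "high",
    info,
    message: trusted
      ? `Account delegates to vetted contract ${info.target}`
      : `Account delegates to UNKNOWN contract ${info.target}; calls to this account run its code with your EOA's authority`,
  };
}

// Constructed sample: a delegated EOA pointing at a made-up target address.
const SAMPLE_TARGET = "0x1111111111111111111111111111111111111111";
const SAMPLE_DELEGATED_CODE = "0x" + DELEGATION_PREFIX + SAMPLE_TARGET.slice(2);

console.log(delegationWarning(SAMPLE_DELEGATED_CODE, []));
console.log(delegationWarning(SAMPLE_DELEGATED_CODE, [SAMPLE_TARGET]));
```

In a real wallet the code string would come from an eth_getCode call against the sender address immediately before the signing prompt, so a delegation set by an earlier phished authorization is surfaced even when the current transaction looks ordinary.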

Signature aggregation or the use of multisig wallets can raise security further by requiring multiple parties to approve a grouped transaction, which limits the impact of a single compromised key or phishing event.

In summary, securing EIP-7702 grouped transactions depends on contract-level safeguards, the advanced validation available through account abstraction standards (e.g., ERC-4337), and transparent user interaction in wallets, so that the phishing and unauthorized-execution risks that accompany the expanding capabilities of wallets like MetaMask are addressed.

It's important to remember that investing in crypto assets is not fully regulated, and may not be suitable for retail investors due to its high volatility. There is a risk of losing the entire amount invested. As such, users should exercise caution when approving grouped transactions, particularly in popular wallets like MetaMask, to avoid potential phishing attacks.

Collaboration between developers, security experts, users, and platforms is fundamental to building a secure and sustainable ecosystem in Ethereum. The evolution of Ethereum must be accompanied by a reinforced security culture and continuous user education, as users are the first line of defense against phishing threats and fraud.
