Wintermute Launches ‘CrimeEnjoyor’ to Detect Malicious Ethereum Contracts Exploiting EIP-7702

New Tool Flags Delegate Contracts That Automatically Drain Wallets, Enhancing Ethereum Security

Crypto market maker Wintermute has introduced a new tool to combat a rising threat in the Ethereum ecosystem. The tool, called “CrimeEnjoyor,” is designed to detect and warn users about malicious smart contracts that exploit a recently introduced Ethereum feature to drain funds from compromised wallets.

Announced in a May 30 post on X, the initiative aims to inject human-readable warnings into verified malicious contracts, thereby helping users recognize and avoid wallet-draining scams.

Malicious Use of EIP-7702

The primary focus of Wintermute’s tool is on contracts abusing Ethereum Improvement Proposal 7702 (EIP-7702) — a feature introduced in the Pectra upgrade on May 7 during epoch 364032. EIP-7702 allows users to temporarily delegate control of their wallet to smart contracts, enabling advanced operations. However, Wintermute warns that this capability is being weaponized by attackers to create contracts that automatically “sweep” ETH from compromised addresses.

Wintermute’s research indicates that over 97% of all EIP-7702 delegations were made to contracts using identical bytecode, suggesting that a single template is being widely copied and reused across multiple attacks.

“These are sweepers, used to automatically drain incoming ETH from compromised addresses,” the firm stated.
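As an added illustration (not Wintermute's code and not part of the original article), the sketch below shows how the concentration described above can be measured: it recognizes the EIP-7702 delegation designator (0xef0100 followed by a 20-byte address) in an account's code and groups delegations by a fingerprint of the delegate's bytecode. All addresses and bytecode are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
from collections import Counter

# EIP-7702 sets a delegating account's code to 0xef0100 || <20-byte address>.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

def delegate_of(code_hex):
    """Return the delegate address if code_hex is a delegation designator, else None."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None  # plain EOA (empty code) or an ordinary contract

def fingerprint(runtime_hex):
    """Short SHA-256 fingerprint of runtime bytecode (stand-in for the keccak-256 code hash)."""
    return hashlib.sha256(bytes.fromhex(runtime_hex.removeprefix("0x"))).hexdigest()[:16]

def cluster_delegations(account_codes, contract_codes):
    """Count delegating accounts per delegate-bytecode fingerprint."""
    counts = Counter()
    for code_hex in account_codes.values():
        target = delegate_of(code_hex)
        if target is None:
            continue
        runtime = contract_codes.get(target)
        counts[fingerprint(runtime) if runtime else "unknown"] += 1
    return counts

def dominant_share(counts):
    """Return (fingerprint, share of all delegations) for the most common bytecode."""
    total = sum(counts.values())
    if total == 0:
        return None, 0.0
    fp, n = counts.most_common(1)[0]
    return fp, n / total

# Constructed sample data: placeholder addresses and placeholder bytes, not real contracts.
A, B, C = ("0x" + b * 20 for b in ("aa", "bb", "cc"))
TEMPLATE, OTHER = "0x6001600155", "0x6002600255"
SAMPLE_CONTRACTS = {A: TEMPLATE, B: TEMPLATE, C: OTHER}  # A and B are byte-identical copies
SAMPLE_ACCOUNTS = {  # account -> code as returned by eth_getCode (lowercase hex)
    "acct1": "0xef0100" + A[2:], "acct2": "0xef0100" + A[2:],
    "acct3": "0xef0100" + A[2:], "acct4": "0xef0100" + B[2:],
    "acct5": "0xef0100" + C[2:], "acct6": "0x", "acct7": TEMPLATE,
}

if __name__ == "__main__":
    fp, share = dominant_share(cluster_delegations(SAMPLE_ACCOUNTS, SAMPLE_CONTRACTS))
    print(f"most common delegate bytecode {fp}: {share:.0%} of delegations")
```

Grouping by bytecode rather than by delegate address is what exposes a copied template: two different delegate addresses with byte-identical code land in the same bucket.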

CrimeEnjoyor: Code That Warns Users

To counteract this trend, Wintermute developed CrimeEnjoyor, which works by reverse-engineering the Ethereum Virtual Machine (EVM) bytecode of malicious contracts into Solidity, the human-readable programming language used for Ethereum. Once the bytecode was decoded, the team publicly verified the contracts on blockchain explorers such as Etherscan and embedded warnings directly into the code.

One of the warnings reads:

“This contract is used by bad guys to automatically sweep all incoming ETH. DO NOT SEND ANY ETH.”

By labeling these verified contracts with such messages, Wintermute hopes to alert users and discourage interactions with these exploitative contracts.

Wintermute’s post humorously noted, “This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time.”

Optional Feature, but Growing Risk

EIP-7702 is an opt-in feature, meaning that it is not necessary for basic Ethereum transactions such as ETH transfers. However, the lack of standardized verification tools for these contracts makes it difficult to distinguish legitimate use from exploitation, particularly for less-experienced users.

Wintermute emphasized the importance of building more transparency and labeling infrastructure around these types of contracts:

“With more compromised contracts tagged, more activity can be surfaced and more users can be protected.”

The urgency for such tools is clear. According to blockchain security firm Scam Sniffer, one Ethereum user lost approximately $146,550 on May 23 after unknowingly signing a malicious batch transaction that used EIP-7702 to siphon funds.

Pectra’s Broader Impacts: EIP-7251 and EIP-7691

The Pectra upgrade, which included EIP-7702, also introduced two other significant changes to the Ethereum protocol:

  • EIP-7251: Increased the validator staking limit from 32 ETH to 2,048 ETH, making it easier for large-scale validators to manage their operations more efficiently. This change is especially relevant for institutional staking services and node operators with significant capital.

  • EIP-7691: Enhanced Ethereum’s scalability by increasing the number of data blobs per block, a feature particularly beneficial for Layer 2 solutions. This aims to lower transaction fees and improve throughput for decentralized applications built on Ethereum rollups.

These upgrades demonstrate Ethereum’s ongoing efforts to balance scalability, security, and usability — but also show how new attack surfaces can emerge when powerful new features are introduced without corresponding safeguards.

The Path Forward: Labeling and Education

Wintermute’s move to proactively label harmful contracts represents a broader shift toward community-driven security enhancements. While Ethereum’s permissionless architecture allows for rapid innovation, it also necessitates increased responsibility among both developers and users.

Experts argue that blockchain explorers, wallet providers, and DeFi platforms must collaborate more closely to ensure that malicious contracts are clearly identified and flagged, ideally in real-time.

In the meantime, users are encouraged to:

  • Verify the source code and contract origin before interacting

  • Use wallets with built-in scam detection features

  • Avoid signing delegation permissions unless the recipient contract is well-vetted and trusted

Conclusion

Wintermute’s release of CrimeEnjoyor is a creative and impactful step toward mitigating wallet-draining attacks stemming from the misuse of EIP-7702. By inserting public warnings into verified malicious contracts, the tool not only protects users but also adds a layer of transparency and accountability to Ethereum’s rapidly evolving smart contract ecosystem.

As Ethereum continues to grow in complexity and capability, initiatives like this highlight the need for ongoing vigilance and collaborative solutions to keep users safe in an increasingly sophisticated threat landscape.
