WLFI Token Holders Targeted by EIP-7702 Phishing Exploit

TLDR

• WLFI tokenholders are being targeted by hackers using an EIP-7702 phishing exploit
• The attack requires leaked private keys and pre-plants malicious contracts in victim wallets
• Many users reported losing tokens immediately after receiving them
• The Donald Trump-backed token launched with a 24.66 billion total supply
• WLFI team warns users to be cautious of scams and only use official email support

World Liberty Financial (WLFI) tokenholders are falling victim to a sophisticated phishing attack that exploits Ethereum’s recent EIP-7702 upgrade, according to security expert Yu Xian, founder of SlowMist.

The attack targets users who have had their private keys compromised through phishing attempts. Once hackers obtain these keys, they pre-plant malicious delegate smart contracts into victims’ wallets.

When users deposit funds or attempt to transfer tokens, the hackers quickly drain the accounts. This exploit takes advantage of features introduced in Ethereum’s Pectra upgrade from May, which allows external accounts to temporarily function like smart contract wallets.

“Encountered another player whose multiple addresses’ WLFI were all stolen. Looking at the theft method, it’s again the exploitation of the 7702 delegate malicious contract, with the prerequisite being private key leakage,” Xian posted on X.

The Donald Trump-backed World Liberty Financial token began trading Monday with a total supply of 24.66 billion tokens. In the days leading up to the launch, reports of token theft started emerging.

How the Exploit Works

One X user reported on August 31 that their friend had WLFI tokens drained after transferring Ether into their wallet. Xian confirmed this was a classic example of the EIP-7702 phishing exploit.

The attack works by first compromising a user’s private key through phishing. The hacker then plants a delegate smart contract in the victim’s wallet. When the user attempts to transfer tokens or receives new tokens, the malicious contract immediately redirects them to the hacker’s wallet.

“As soon as you try to transfer away the remaining tokens in it, such as these WLFI that were thrown into the Lockbox contract, the gas you input will be automatically transferred away,” Xian explained.

For users with compromised wallets, Xian suggests canceling or replacing the malicious EIP-7702 contract with their own and quickly transferring tokens to a new, secure wallet.

User Reports and Concerns

In WLFI forums, multiple users have shared similar experiences. One user named hakanemiratlas had their wallet hacked months ago and was only able to rescue 20% of their WLFI tokens.

“I managed to transfer only 20% of my WLFI tokens to a new wallet, but it was a stressful race against the hacker. Even sending ETH for gas fees felt dangerous, since it could have been stolen instantly as well,” they wrote.

Another user, Anton, pointed out a major issue with the token drop implementation. The wallet used to join the WLFI whitelist must also be used to participate in the presale.

“The instant the tokens arrive, they will be stolen by automated sweeper bots before we have a chance to move them to a secure wallet,” Anton warned. He requested the WLFI team implement a direct transfer option for tokens to bypass compromised wallets.

The problem affects users who joined the whitelist but later had their wallets compromised, putting them at risk of losing their tokens immediately upon receipt.

Analytics firm Bubblemaps has identified several “bundled clones” – look-alike smart contracts that imitate established crypto projects – targeting WLFI users.

The WLFI team has issued warnings about scams, emphasizing they never contact users via direct messages on any platform. Their only official support channels are through email, and users should verify that communications come from official domains.

The post WLFI Token Holders Targeted by EIP-7702 Phishing Exploit appeared first on Blockonomi.