Ethereum Upgrade To Improve Wallets But Unlock New Attacks

EIP-3074 will introduce smart contract functionality for regular Ethereum wallets as part of the Pectra upgrade.

By: Samuel Haig

Ethereum core developers have locked in EIP-3074 for inclusion in the network’s next major upgrade, Pectra. While the proposal would introduce advanced functionality for regular Ethereum wallets, some onlookers fear EIP-3074 will also make users vulnerable to new exploits.

EIP-3074 was penciled in for Ethereum’s Pectra hard fork during the April 11 All Core Devs Execution call.

The Ethereum Improvement Proposal (EIP) would add greater functionality to externally owned account (EOA) wallets by allowing users to delegate control over their wallet to a smart contract.

On the GitHub repository for EIP-3074, developers said the primary motivation for the upgrade is enabling “sponsored transactions,” which allow users to pay for fees using an asset other than Ether. They note that it is now common for Ethereum wallets to hold tokens but not possess any Ether; however, some tokens must be converted into Ether in order to pay for gas fees to execute transactions.

“Without Ether to pay for the conversion, it's impossible to convert them,” the repository states. “Sponsored transactions break the circular dependency.”

Tim Beiko from the Ethereum Foundation noted that EIP-3074 has “broad support” from client teams and core developers. “Teams were in agreement about moving forward in the EIP,” Beiko said. “3074 will be included in Pectra.”

Ethereum community reacts

Many prominent figures within the Ethereum community took to Twitter to celebrate EIP-3074’s inclusion, with Hayden Adams, the founder of Uniswap, describing the proposal as a “monumental upgrade to Ethereum UX.”

0xCygaar, a contributor to Frame, said 3074 overcomes several limitations associated with existing EOA accounts, including the need for separate transactions for token approvals, the inability to perform actions with ETH, and a lack of defense against lost keys.

“[EIP-3074] gives EOAs (normal wallets) smart contract capabilities,” 0xCygaar tweeted. “This includes the ability to do single tx approvals, batch txs, wallet asset recovery, sponsored txs, and more… This could be huge for gaining mass retail adoption.”

However, other onlookers warned that enhanced wallet functionality will come with an increase in the risks posed by exploits.

“It should allow a scammer to drain your entire wallet with a single off-chain signature,” said Itamar Lesuisse, the co-founder of Argent, a Starknet wallet provider. “I expect this will be a major use case.”

“Downside of EIP-3074 is that now it'll be possible to fully drain an address (all tokens, all NFTs, all DeFi positions...) with only one bad signature,” said 0xngmi from DeFiLlama.

Mudit Gupta, the chief information security officer at Polygon, tweeted that wallets should release a feature allowing users to ban EIP-3074 transactions. “For security reasons, I do not want to expose my cold wallets to [account abstraction] batching,” Gupta said.

0xZodomo, a developer for Delegate, a web3 identity service, similarly warned that wallet drainers will become more powerful as a result of EIP-3074’s implementation. However, they conceded that there is “no good way to avoid” increasing attack surfaces while also shipping UX improvements.

Pectra hard fork

Ethereum’s Pectra hard fork is currently expected to take place towards the end of 2025.

The main upgrade included in Pectra is the introduction of statelessness via Verkle Trees, meaning clients will not need to store Ethereum’s entire state history to validate blocks — reducing the hardware requirements for validators.

Vitalik Buterin, Ethereum’s chief scientist, recently described Verkle Trees as the last remaining “truly significant” upgrade slated to go live on Layer 1 Ethereum. He argued that statelessness will expand the network’s validator ecosystem and further bolster its decentralization.

“I'm really looking forward to Verkle trees,” Buterin tweeted. “They will enable stateless validator clients, which can allow staking nodes to run with near-zero hard disk space and sync nearly instantly… In the long term, running a node will… be very easy to do as a background process on any computer, maybe even a phone, even inside a browser.”