Essential Ethereum Security: Wintermute’s ‘CrimeEnjoyor’ Tool Fights Wallet Draining Scams

Concerned about losing your crypto? A new tactic targeting Ethereum users is emerging, capable of draining wallets via malicious smart contracts. Fortunately, help is here. Crypto market maker Wintermute has developed a tool to combat this specific threat, aiming to enhance Ethereum security.

Understanding the Wallet Draining Threat on Ethereum

Wintermute has released code named ‘CrimeEnjoyor’. This tool is designed to identify and flag malicious Ethereum contracts. These particular contracts are built to automatically sweep funds from wallets, especially those with compromised private keys. The warning inserted by CrimeEnjoyor within these verified malicious contracts is direct: it states the contract is used by bad actors to drain incoming ETH and explicitly advises users NOT to send any Ether to it.

The method exploited by these contracts leverages a feature introduced in Ethereum’s recent Pectra upgrade: Ethereum Improvement Proposal-7702 (EIP-7702). EIP-7702 allows users to temporarily delegate control of their wallets to smart contracts. While intended for legitimate use cases, malicious actors quickly adapted it for illicit purposes, creating ‘sweeper’ contracts.

Wintermute’s ‘CrimeEnjoyor’ Solution in Action

Wintermute’s research team discovered that a large percentage of EIP-7702 delegations were pointing to identical code snippets. They identified these as the wallet draining ‘sweeper’ contracts. To make their CrimeEnjoyor warning visible, Wintermute reverse-engineered the Ethereum Virtual Machine bytecode of these malicious contracts back into human-readable Solidity code and then publicly verified it. As a result, the CrimeEnjoyor warning appears prominently when someone inspects the contract code on block explorers.

By injecting this warning directly into the verified code of malicious contracts, Wintermute aims to deter users who might interact with them, thus preventing potential crypto scams. The widespread use of this specific malicious bytecode highlights the scale of the problem they are addressing.
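The observation that many delegations point to identical code can be checked mechanically. The following is an added example, not Wintermute's code: it recognizes the delegation designator that EIP-7702 writes into a delegating account's code (`0xef0100` followed by the 20-byte delegate address) and groups accounts by a fingerprint of the delegate's bytecode. All addresses, bytecode and function names are constructed for illustration, and SHA-256 is used only as a clustering key, not as Ethereum's keccak code hash.

```python
import hashlib
from collections import defaultdict

# EIP-7702 sets a delegating account's code to 0xef0100 || 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")

def delegate_of(code_hex):
    """Return the delegate address if code_hex is a delegation designator, else None."""
    code = bytes.fromhex(code_hex.removeprefix("0x"))
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None

def fingerprint(code_hex):
    """SHA-256 of runtime bytecode, used here only as a clustering key."""
    return hashlib.sha256(bytes.fromhex(code_hex.removeprefix("0x"))).hexdigest()

def cluster_delegations(account_code, contract_code):
    """Map bytecode fingerprint -> sorted accounts whose delegate runs that bytecode."""
    clusters = defaultdict(list)
    for account, code_hex in account_code.items():
        target = delegate_of(code_hex)
        if target is not None:
            clusters[fingerprint(contract_code.get(target, "0x"))].append(account)
    return {fp: sorted(accts) for fp, accts in clusters.items()}

def flagged_accounts(account_code, contract_code, flagged_fingerprints):
    """Accounts delegating to any contract whose bytecode is on the flag list."""
    clusters = cluster_delegations(account_code, contract_code)
    return sorted(a for fp in flagged_fingerprints for a in clusters.get(fp, []))

# --- Constructed sample data (not real addresses or real sweeper bytecode) ---
SWEEPER_LIKE = "0x6001600255"  # placeholder bytes standing in for a flagged contract
OTHER = "0x6003600455"         # placeholder bytes for an unrelated delegate
CONTRACT_CODE = {              # what eth_getCode would return for each delegate
    "0x" + "a1" * 20: SWEEPER_LIKE,
    "0x" + "a2" * 20: SWEEPER_LIKE,  # same bytecode deployed at a second address
    "0x" + "b1" * 20: OTHER,
}
ACCOUNT_CODE = {               # what eth_getCode would return for each account
    "0x" + "01" * 20: "0xef0100" + "a1" * 20,
    "0x" + "02" * 20: "0xef0100" + "a2" * 20,
    "0x" + "03" * 20: "0xef0100" + "b1" * 20,
    "0x" + "04" * 20: "0x",    # plain account that never delegated
    "0x" + "05" * 20: OTHER,   # ordinary contract, not a designator
}
FLAGGED = {fingerprint(SWEEPER_LIKE)}

if __name__ == "__main__":
    print(flagged_accounts(ACCOUNT_CODE, CONTRACT_CODE, FLAGGED))
```

Clustering on bytecode rather than on delegate address is what catches the same contract redeployed at many addresses.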

EIP-7702 Context and the Need for Transparency

It’s important to note that EIP-7702 is an optional feature. Users are not required to use it for standard Ethereum transactions. While EIP-7702 adds new capabilities to Ethereum, the lack of immediate verification and transparency tools made it difficult to distinguish safe uses from malicious ones, particularly for less experienced users.

Tools like Wintermute CrimeEnjoyor are crucial because they add a layer of transparency and warning. As more compromised contracts are tagged, more suspicious activity can be surfaced, and users can be better protected from falling victim to wallet draining attacks. A notable example of this type of attack occurred on May 23rd, when one user lost $146,550 after signing malicious batched transactions leveraging EIP-7702, as reported by Scam Sniffer.

The Pectra upgrade, which included EIP-7702, went live on May 7th. Since then, over 12,000 EIP-7702 transactions have occurred. Pectra also brought other significant changes, including increasing the validator staking limit (EIP-725) and increasing data blobs per block (EIP-7691) to help scale layer 2s and potentially reduce fees. While these upgrades push Ethereum forward, vigilance regarding new attack vectors remains essential.

Conclusion: Bolstering Ethereum Security Against Crypto Scams

Wintermute’s CrimeEnjoyor is a proactive step in the ongoing battle against crypto scams and wallet draining tactics on the Ethereum network. By leveraging transparency and injecting clear warnings into malicious contract code, the tool provides an important layer of defense for users navigating the evolving landscape of Ethereum security. As new features like EIP-7702 are introduced, community efforts like this are vital for educating and protecting users from exploitation.
