EIP-7702 Vulnerability Exploited: $280K in ETH Funneled Through Tornado Cash
Security researchers at CertiK have flagged a critical incident in which an exploiter used a contract vulnerability to take control of an address and then transferred 95 ETH (approximately $280,000 at recent valuations) into Tornado Cash.
The EIP-7702 Delegation Flaw
The attack centered on an uninitialized delegate contract related to EIP-7702, Ethereum’s new delegation standard. By leveraging this initialization gap, the exploiter gained unauthorized ownership of the delegate address, effectively bypassing intended security controls. This ownership transfer proved fatal—it allowed the attacker to siphon all accumulated funds from the compromised address into the privacy mixer.
How the Attack Unfolded
The sequence was straightforward but devastating. The uninitialized state of the EIP-7702 delegate contract created an ownership vacuum. The exploiter filled this gap, obtaining complete control over the contract. From this vantage point, they executed a full fund withdrawal, routing 95 ETH into Tornado Cash to obscure the transaction trail.
Ethereum Security Implications
This incident underscores a critical risk in newly deployed contract standards. EIP-7702, while introducing powerful delegation capabilities to Ethereum, requires meticulous initialization procedures. Any gap in contract setup—whether intentional or accidental—can expose substantial amounts of user capital to extraction attacks. The routing through Tornado Cash complicates fund recovery efforts, as the transaction chain becomes difficult to trace.
What This Means for Users
Developers deploying EIP-7702 delegate contracts must treat initialization as non-negotiable. The $280K loss serves as a stark reminder that protocol implementation details can have enormous financial consequences. Audits and security reviews before mainnet deployment are no longer optional.
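The initialization gap described above, shown as an added example that is not code from the incident or from CertiK: a simplified delegate whose owner can be set by whoever calls first, beside a form where only the delegating account can set it. The contract names, the `initialize` and `withdraw` functions, and the single-owner layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Contract and function names are hypothetical and this
// is not the contract involved in the incident.

// Weak form: the first caller of initialize() becomes owner.
contract UnguardedDelegate {
    address public owner;

    function initialize(address newOwner) external {
        require(owner == address(0), "already initialized");
        owner = newOwner; // nothing restricts who may make this first call
    }

    function withdraw(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

// Hardened form: only the delegating account can set the owner.
contract GuardedDelegate {
    address public owner;

    function initialize(address newOwner) external {
        // Under EIP-7702 the code runs at the delegating account's address,
        // so this holds only for a call the account sends to itself.
        require(msg.sender == address(this), "only the account itself");
        require(owner == address(0), "already initialized");
        require(newOwner != address(0), "zero owner");
        owner = newOwner;
    }

    function withdraw(address payable to) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

Having the account send the `initialize` call to itself in the same transaction that carries the delegation authorization leaves no interval in which the account is delegated but has no owner.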