Ethereum's Pectra upgrade to bring smart contract functionality to wallets as experts debate EIP-3074
Published 1 minute earlier on
Quick Take
- Ethereum developers have set EIP-3074, which brings smart contract-like functionality to wallets, for inclusion in Ethereum’s next upgrade, nicknamed Pectra.
- However, crypto traders have raised security risks around the proposal, which could enable a malicious agent to drain a wallet’s entire contents through a single transaction.
After a wait of nearly four years since its initial proposal, Ethereum ETH
-9.97%
developers have set their sights on including EIP-3074 in Ethereum's next upgrade, nicknamed Pectra, which is expected later this year. EIP-3074 brings a host of user experience improvements to typical wallets by allowing certain functions to be delegated to smart contracts. This enables functionality like approving a large batch of transactions all at once, paying gas in different ERC20 tokens, enhanced security or account recovery, and more. However, the upgrade is still a step away from full account abstraction, as the delegated wallet cannot initiate transactions. "All things considered, teams were in agreement about moving forward in the EIP. 3074 will be included in Pectra," wrote Tim Beiko, protocol support lead at the Ethereum Foundation, in a post on X. However, developers have also flagged that EIP-3074 enables a new vulnerability: a single malicious transaction has the capability of draining a user's entire wallet through a batched transaction. While the prospect appears terrifying, some experts have reassured users that good wallet design can help eliminate the potential risk. "I’m not aware of a consumer wallet today that is vulnerable to this [risk]. That was an early research audit task," wrote Dan Finlay, co-founder of MetaMask, in a post on X. "All a wallet has to do to eliminate this risk is to disallow blind signing opaque hashes, and also not allow signing with this reserved prefix." "[The] upside is forcing wallets to improve UX around this such that more actions are recognized as explicitly safe and arbitrary unknown stuff is made to feel super scary," agreed Uniswap founder Hayden Adams. Other developers have expressed qualms with the proposal's latest incarnation since it was modified from the original in order to attract support. One modification makes it so that the account delegation can be revoked, but also means that any authorization is automatically revoked the next time any other transaction is sent. To give an example, while EIP-3074 may allow a user to sign just one transaction in order to log into a Web3 game and buy and sell in-game items, if they were to pause the game and send some crypto to a friend, they'd have to reauthorize the game. The change "Prevents a ton of use cases like standing limit orders and social recovery," wrote Adams. Another change to the proposal restricts its ability to affect multiple chains at once. "The 'chainId' check means that even if you want the same authorization on the same contract across 34 chains you'll have to make a separate signature for every chain," wrote developer Philippe Dumonet in a post on X. Ethereum's Pectra upgrade is expected to be ready late 2024 or early 2025, Beiko told CoinDesk. Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures. © 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.Two Major Caveats
About Author
Zack Abrams is a writer and editor based in Brooklyn, New York. Before coming to The Block, he was the Head Writer at Coinage, a Web3 media outlet covering the biggest stories in Web3. The story he co-reported on Do Kwon won a 2022 Best in Business Journalism award from SABEW. Other projects included a deep dive into SBF's defense based on exclusive documents and unveiling the identity of the hacker behind one of 2023's biggest crypto hacks — so far. He can be reached via X @zackdabrams or email, [email protected].