Security monitoring firm SlowMist has reported a significant exploit involving the recently activated EIP-7702 standard, resulting in the theft of 1,988.5 QNT. The breach, which occurred on April 29, 2026, targeted a vulnerable reserve-pool administrator account and caused a loss estimated at 54.93 ETH. The incident highlights a class of risk introduced by EIP-7702, which lets an Externally Owned Account (EOA) delegate its code to a smart contract and so inherit that contract's behaviour, including any access-control mistakes in it.
Technical Breakdown of the EIP-7702 Exploitation
The root cause lies in how administrative permissions for the QNT reserve pool were managed. According to on-chain data, the pool's administrator was an EOA. Using EIP-7702, that EOA delegated its code to a BatchExecutor contract. EIP-7702 lets an EOA sign an authorization that installs a delegation designator pointing at a contract; calls to the EOA then run that contract's code in the EOA's own context, which is how traditional wallets gain smart-account features such as call batching. The delegation is not limited to a single transaction: it stays in force until the EOA signs a new authorization.
The vulnerability was introduced when the BatchExecutor's allowlist designated a permissionless BatchCall contract as an authorized caller. Security analysts identified the following flaws:
- The BatchCall.batch() function performed no permission check on its caller.
- It was therefore callable by anyone, and it forwarded whatever calls it was given.
- Because BatchExecutor trusted BatchCall, those forwarded calls ran with the administrator EOA as msg.sender: an arbitrary-call vulnerability that let the attacker act as the administrator.
Impact on Asset Reserves and Security Implications
By routing a call through the open batch() function, the attacker produced a withdrawal call whose msg.sender was the administrator EOA, so the pool's permission check passed and 1,988.5 QNT was withdrawn directly from the reserve pool. SlowMist's security team noted that delegating to a BatchExecutor without rigorous vetting of every contract it authorizes remains a high-risk configuration for high-value pools.
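The call chain in the breakdown above, as an added example rather than SlowMist's or the victim project's code: a toy message-call model with just enough EIP-7702 semantics (an EOA whose code is a 0xef0100 designator runs the delegate's code in the EOA's own context) to show why an unauthenticated BatchCall.batch() lets anyone withdraw as the administrator, and that either an owner check on batch() or dropping BatchCall from the BatchExecutor allowlist closes the hole. All addresses, contract internals, the pool's withdraw logic and the 18-decimal assumption for QNT are hypothetical; parse_delegation() is the check to run on eth_getCode of any privileged EOA.

```python
from dataclasses import dataclass


def addr(n: int) -> str:
    """20-byte hex address; every address below is a hypothetical placeholder."""
    return "0x" + f"{n:040x}"


ADMIN, BATCH_EXECUTOR, BATCH_CALL, POOL, ATTACKER = (addr(i) for i in (0xA1, 0xE2, 0xB3, 0xF4, 0xBAD))
LOOT = 19885 * 10**17                        # 1,988.5 QNT, assuming 18 decimal places
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 designator: 0xef0100 || delegate address


class Revert(Exception):
    """Stands in for an EVM revert."""


@dataclass
class Msg:
    sender: str  # msg.sender
    this: str    # address(this): whose context and storage the code runs in


def parse_delegation(code: bytes):
    """Return the delegate address if `code` is an EIP-7702 designator, else None.
    Run this on eth_getCode(<admin EOA>) to learn what a privileged EOA has delegated to."""
    if len(code) == 23 and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[3:].hex()
    return None


class Chain:
    """Toy EVM: only the message-call model needed to reproduce the chain of calls."""
    def __init__(self):
        self.code = {}  # address -> contract object, or bytes for an EOA's designator

    def set_code(self, eoa: str, delegate: str):
        """Effect of a signed EIP-7702 authorization: install the designator on the EOA."""
        self.code[eoa] = DELEGATION_PREFIX + bytes.fromhex(delegate[2:])

    def call(self, sender: str, target: str, fn: str, *args):
        code = self.code.get(target)
        if isinstance(code, bytes):              # delegated EOA: run the delegate's code...
            delegate = parse_delegation(code)
            if delegate is None:
                raise Revert("not a delegation designator")
            code = self.code[delegate]           # ...in the EOA's context (address(this) == EOA)
        if code is None:
            raise Revert("no code at target")
        return getattr(code, fn)(self, Msg(sender=sender, this=target), *args)


class ReservePool:
    """Hypothetical pool: only `admin` may withdraw (stands in for the real QNT pool)."""
    def __init__(self, admin: str, supply: int):
        self.admin, self.balance, self.paid = admin, supply, {}

    def withdraw(self, chain, msg, to, amount):
        if msg.sender != self.admin:
            raise Revert("not admin")
        if amount > self.balance:
            raise Revert("insufficient balance")
        self.balance -= amount
        self.paid[to] = self.paid.get(to, 0) + amount


class BatchExecutor:
    """Delegate code for ADMIN; its storage (the allowlist) lives in ADMIN's account."""
    def __init__(self, authorized_callers=()):
        self.authorized = set(authorized_callers)

    def execute(self, chain, msg, calls):
        # Letting the EOA itself call in (sender == address(this)) is the sane rule.
        # The allowlist is the weak spot: it hands the EOA's identity to an outside contract.
        if msg.sender != msg.this and msg.sender not in self.authorized:
            raise Revert("unauthorized caller")
        return [chain.call(msg.this, target, fn, *args) for target, fn, *args in calls]


class BatchCall:
    """Permissionless helper: batch() has no permission check at all (the vulnerable shape)."""
    def batch(self, chain, msg, calls):
        return [chain.call(msg.this, target, fn, *args) for target, fn, *args in calls]


class OwnedBatchCall(BatchCall):
    """Hardened shape: only a designated owner may drive it."""
    def __init__(self, owner: str):
        self.owner = owner

    def batch(self, chain, msg, calls):
        if msg.sender != self.owner:
            raise Revert("not owner")
        return super().batch(chain, msg, calls)


def deploy(batch_call, authorize_batch_call=True):
    chain, pool = Chain(), ReservePool(admin=ADMIN, supply=LOOT)
    chain.code[POOL] = pool
    chain.code[BATCH_CALL] = batch_call
    chain.code[BATCH_EXECUTOR] = BatchExecutor([BATCH_CALL] if authorize_batch_call else [])
    chain.set_code(ADMIN, BATCH_EXECUTOR)  # ADMIN signs a 7702 authorization for BatchExecutor
    return chain, pool


def batch_withdraw(caller: str, recipient: str, batch_call, authorize_batch_call=True):
    """caller -> BatchCall.batch -> ADMIN (BatchExecutor code) -> pool.withdraw.
    Returns (outcome, amount paid to recipient)."""
    chain, pool = deploy(batch_call, authorize_batch_call)
    withdraw = (POOL, "withdraw", recipient, LOOT)
    try:
        chain.call(caller, BATCH_CALL, "batch", [(ADMIN, "execute", [withdraw])])
        return "paid", pool.paid.get(recipient, 0)
    except Revert as e:
        return f"reverted: {e}", pool.paid.get(recipient, 0)


if __name__ == "__main__":
    print(batch_withdraw(ATTACKER, ATTACKER, BatchCall()))                      # ('paid', LOOT): the exploit
    print(batch_withdraw(ATTACKER, ATTACKER, OwnedBatchCall(ADMIN)))            # reverted: not owner
    print(batch_withdraw(ATTACKER, ATTACKER, BatchCall(), False))               # reverted: unauthorized caller
    print(batch_withdraw(ADMIN, ADMIN, OwnedBatchCall(ADMIN)))                  # admin's own batching still works
```

The point the model makes explicit is that the pool's `withdraw` check is not wrong in itself: `msg.sender` genuinely is the administrator EOA, because the delegated code runs with `address(this)` equal to that EOA. The trust decision that failed is the BatchExecutor allowlist, so the review question for any 7702 delegate is "who can reach the functions that make calls on behalf of this EOA", recursively through every contract it authorizes.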
SlowMist's alert read: "A malicious transaction was detected exploiting a vulnerable EIP-7702 account, causing the QNT reserve pool to lose 1,988.5 QNT. The root cause is that the administrator identity... delegated its code to a BatchExecutor contract... leading to an arbitrary call vulnerability."
The incident serves as a cautionary example for developers using Ethereum's account-abstraction features. EIP-7702 improves user experience by enabling batched calls and sponsored gas, but it also means a privileged EOA is only as secure as the contract it delegates to and every caller that contract trusts; both need stringent security review before the delegation is signed. As of the time of reporting, the stolen funds, valued at approximately 54.93 ETH, have been traced on-chain, and monitoring of the attacker's wallet continues for movements to exchanges or mixers.