A major security incident has shaken the Web3 and DeFi community, as one participant of the WLFI token sale reported losing their assets through a sophisticated MetaMask wallet hack. According to reports, attackers exploited a delegated contract vulnerability linked to EIP-7702 after gaining access to a leaked private key. The stolen tokens, obtained during a private sale of WLFI, were drained almost instantly once a small amount of Ethereum was sent to the compromised address.
The cybersecurity firm SlowMist has confirmed the attack vector, describing it as a known scheme leveraging delegate functionality in EIP-7702. Experts explained that once the hackers had the victim’s private key, they injected a malicious delegated contract into the wallet. This contract allowed them not only to withdraw WLFI tokens but also to intercept any Ethereum sent to the account to cover gas fees. In essence, the compromised wallet became a direct funnel for attackers, ensuring continuous theft as long as assets were sent to it.
At the technical level, EIP-7702 introduces new execution-layer functionality, enabling user wallets to temporarily behave like smart contract addresses. This design was initially proposed by Ethereum co-founder Vitalik Buterin as part of upgrades tied to EIP-4844, which expands the role of smart accounts. While the upgrade promises greater flexibility for users, it also introduces a new attack surface that hackers are beginning to exploit aggressively.
The method used in this case highlights the risks tied to private key exposure. Once the attacker possesses the private key, they can alter the wallet’s delegated settings. Any subsequent contract interaction that requires gas then results in an automatic transfer of ETH and tokens to the attacker’s address. This creates a devastating cycle where even minimal activity on the wallet leads to instant losses.
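A wallet or monitoring tool can spot this condition before any gas money is sent, because EIP-7702 records a delegation as the account's code: the prefix `0xef0100` followed by the 20-byte delegate address. The following is an added example, not code from the original report or from SlowMist; it assumes the code string was already fetched with `eth_getCode`, and the allowlist, function names and sample values are constructed for illustration.

```python
"""Classify account code returned by eth_getCode, with EIP-7702 awareness."""

# EIP-7702 delegation indicator: 3-byte prefix 0xef0100 + 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATION_LEN = len(DELEGATION_PREFIX) + 20

# Hypothetical allowlist of delegate contracts the wallet owner has reviewed.
REVIEWED_DELEGATES = {"0x" + "11" * 20}


def parse_code(code_hex: str) -> bytes:
    """Decode the hex string from eth_getCode ("0x" means the account has no code).

    Raises ValueError on malformed hex, so a bad RPC response is never
    silently treated as a plain account.
    """
    body = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    return bytes.fromhex(body)


def classify_account(code_hex: str) -> tuple:
    """Return (kind, delegate): kind is 'eoa', 'delegated_eoa' or 'contract'."""
    code = parse_code(code_hex)
    if not code:
        return ("eoa", None)
    if len(code) == DELEGATION_LEN and code.startswith(DELEGATION_PREFIX):
        return ("delegated_eoa", "0x" + code[len(DELEGATION_PREFIX):].hex())
    return ("contract", None)


def needs_review(code_hex: str) -> bool:
    """True when the account delegates to a contract that is not on the allowlist."""
    kind, delegate = classify_account(code_hex)
    return kind == "delegated_eoa" and delegate not in REVIEWED_DELEGATES


if __name__ == "__main__":
    # Constructed sample responses, not real on-chain data.
    samples = {
        "plain wallet": "0x",
        "reviewed delegate": "0xef0100" + "11" * 20,
        "unknown delegate": "0xef0100" + "ab" * 20,
        "ordinary contract": "0x6080604052",
    }
    for label, code_hex in samples.items():
        kind, delegate = classify_account(code_hex)
        print(f"{label}: kind={kind} delegate={delegate} review={needs_review(code_hex)}")
```

An unexpected delegation on an address you control means the key has already been used by someone else, so the response is to stop funding that address and move to a new key rather than to top it up for gas.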
The timing of the attack is particularly significant. On August 23, 2025, World Liberty Financial announced that its WLFI token would launch on Ethereum’s mainnet. The incident raises concerns about investor security, especially as WLFI prepares for broader adoption. With the rise of innovative token standards and execution upgrades, the balance between functionality and security remains delicate.
In conclusion, the WLFI token theft demonstrates how emerging Ethereum proposals like EIP-7702 can be weaponized when combined with poor key management practices. While the upgrade itself is not inherently malicious, it highlights the urgent need for better wallet security, stronger private key protections, and enhanced auditing of delegated contracts. As Ethereum evolves, the community must stay vigilant to ensure innovations do not open doors to widespread exploitation.





