Attackers are abusing a capability introduced by Ethereum's Pectra upgrade to drain WLFI tokens from wallets whose keys were already compromised, security researchers and users report. The mechanism is EIP-7702, which lets an ordinary externally owned account (EOA) delegate its code to a smart contract so that it can behave like a smart-contract wallet, for example to batch transactions.
WLFI, the Donald Trump-linked governance token that began trading on Sept. 1, 2025 with a 24.6 billion token supply, surged to as high as 33.13¢ on debut before falling to about 24.27¢, according to CoinGecko data. As the token gained attention, attackers installed malicious delegate contracts on wallets whose private keys or seed phrases had already been exposed through phishing or other compromises.
Because the delegate's code runs in the wallet's own context whenever the wallet is called, ETH sent in, including gas a victim sends to fund a rescue transfer, can be forwarded to attacker-controlled addresses on arrival, and tokens already in the wallet can be moved out by the attacker, who still holds the key. SlowMist founder Yu Xian warned that victims trying to move their remaining tokens often see the gas or the assets themselves siphoned away during the attempted transfer.
WLFI communities have reported partial recoveries (one investor said they moved roughly 20% of their allocation to a new wallet while the remainder stayed trapped), and analytics firm Bubblemaps flagged numerous bundled clones and phishing links impersonating WLFI contracts across Telegram and X.
What holders should do now: immediately stop using exposed wallets; move unaffected assets to a hardware wallet with a freshly generated seed; check whether an address has been delegated (an EIP-7702 delegation shows up as 23 bytes of account code starting with 0xef0100 followed by the delegate address, which Etherscan displays and any node returns via eth_getCode); revoke suspicious delegations and token approvals (via Etherscan, Revoke.cash or similar tools); avoid pasting private keys or seeds into websites; and verify contract addresses carefully before interacting. Two caveats: do not top up a delegated wallet with ETH to pay for a rescue, since the delegate code can forward it the moment it lands, and remember that clearing a delegation does not expel an attacker who holds the key, because they can simply sign a new authorization. Anything of value must leave the compromised wallet for good.
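The delegation check above, as an added example that is not code from CoinDesk, SlowMist, Bubblemaps or any wallet vendor. It assumes only the EIP-7702 delegation-designator format (23 bytes: 0xef0100 followed by the 20-byte delegate address) and takes as input the raw string a node returns from eth_getCode for the wallet address; the sample bytecode values and the "known delegate" address are constructed for illustration, and no real delegator addresses are assumed.

```python
"""Classify an Ethereum account from its eth_getCode result (EIP-7702 aware).

Added example; not from the article or any project it names. The bytecode
strings below are constructed for illustration. On a live wallet, replace them
with the result of eth_getCode(<address>, "latest") from any JSON-RPC node.
"""
from typing import Iterable, Optional

# EIP-7702 delegation designator: 0xef0100 || 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATION_LEN = len(DELEGATION_PREFIX) + 20

# The one delegate target that removes a delegation: setting code to
# 0xef0100 || 0x00..00 clears the account's code instead of writing it.
ZERO_ADDRESS = "0x" + "00" * 20


def _decode_hex(code_hex: str) -> bytes:
    """Turn an eth_getCode string ("0x...", possibly just "0x") into bytes."""
    raw = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    return bytes.fromhex(raw)


def parse_delegation(code_hex: str) -> Optional[str]:
    """Return the delegate address (lower-case 0x-hex) if the code is an
    EIP-7702 delegation designator, otherwise None.

    Anything that is not exactly 23 bytes with the 0xef0100 prefix is either
    a plain EOA (empty code) or an ordinary contract.
    """
    code = _decode_hex(code_hex)
    if len(code) != DELEGATION_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def classify_account(code_hex: str, known_delegates: Iterable[str] = ()) -> str:
    """Classify an account as one of:
      "eoa"                - no code: a normal externally owned account
      "contract"           - ordinary contract bytecode
      "delegated-known"    - 7702 delegation to an address you have vetted
      "delegated-unknown"  - 7702 delegation to an unvetted address

    `known_delegates` is an allowlist the caller supplies (for example the
    delegator contract their own wallet software documents); this example
    ships no such list because none is assumed.
    """
    delegate = parse_delegation(code_hex)
    if delegate is None:
        return "eoa" if len(_decode_hex(code_hex)) == 0 else "contract"
    allow = {a.lower() for a in known_delegates}
    return "delegated-known" if delegate in allow else "delegated-unknown"


def safe_to_fund(code_hex: str, known_delegates: Iterable[str] = ()) -> bool:
    """True only if sending ETH to this wallet will not execute unvetted code.

    A delegated wallet runs the delegate's code in its own context whenever it
    is called, and an ETH transfer with value is such a call, so gas sent to a
    wallet with an unknown delegate can be forwarded away on arrival.
    """
    return classify_account(code_hex, known_delegates) in ("eoa", "delegated-known")


if __name__ == "__main__":
    # Constructed samples, not real on-chain data.
    sweeper = "0x" + "ab" * 20          # hypothetical attacker delegate
    vetted = "0x" + "cd" * 20           # hypothetical wallet-vendor delegate
    samples = {
        "plain EOA": "0x",
        "ordinary contract": "0x6080604052",
        "delegated to sweeper": "0xef0100" + sweeper[2:],
        "delegated to vetted": "0xef0100" + vetted[2:],
    }
    for label, code in samples.items():
        print(f"{label:22s} -> {classify_account(code, [vetted]):18s} "
              f"safe_to_fund={safe_to_fund(code, [vetted])}")
```

On a live address the only moving part is the input: `cast code <wallet>` or a raw `eth_getCode` call gives the string, and a result of `0xef0100...` that you did not set yourself is the confirmation that the account has been delegated. A "delegated-unknown" verdict means the wallet should receive nothing further, not even gas; clearing the delegation (an authorization whose target is the zero address) is only worthwhile once the assets are gone, because a key holder can re-delegate at will.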
This incident underscores that protocol upgrades can change attack surfaces even when they introduce no vulnerability: EIP-7702 works as designed, but it gives anyone holding a leaked key a persistent, on-chain foothold inside the victim's own account. Users and projects should treat new wallet features cautiously and prioritize key hygiene and regular audits of approvals and delegations.
Source: CoinDesk. Read the original coverage for full details.