Flash News

SlowMist Monitoring Detects Malicious Transaction Exploiting an EIP-7702 Delegation Vulnerability; 1988.5 QNT Drained from Reserve Pool

SlowMist monitoring has detected a malicious transaction that exploited an EIP-7702 delegation vulnerability, draining 1988.5 QNT (roughly 54.93 ETH) from the QNT reserve pool.

The root cause is that the QNT reserve pool's administrator role is held by an EOA, and that EOA had delegated its code to a BatchExecutor contract via EIP-7702. The BatchExecutor's BatchCall.batch() function performs no check on who is calling it, so any external account can invoke it on the delegated EOA and have it execute arbitrary calls. Because delegated code runs at the EOA's address, every inner call originates from the EOA, i.e. with the administrator's authority, which is how the attacker reached the reserve pool and withdrew funds.
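To make the failure mode concrete, the following is an added illustration written for this article; it is not the source of the exploited BatchExecutor (which the report does not reproduce), and the contract, struct and function names are assumptions. It shows the unchecked batch entry point beside a hardened version that only the delegating account itself can trigger.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example added here, not the exploited contract's real code.
// All identifiers below are assumed for the sake of the example.

struct Call {
    address target;
    uint256 value;
    bytes data;
}

// VULNERABLE PATTERN. When an EOA delegates to this code via EIP-7702, the code
// executes at the EOA's own address. batch() has no caller check, so *anyone*
// can call it on the EOA, and every inner call is sent with msg.sender == EOA.
// An attacker therefore calls adminEOA.batch([...]) with a Call whose target is
// the reserve pool and whose data is an admin-only withdrawal; the pool sees the
// administrator EOA as the caller and honours it.
contract UncheckedBatchExecutor {
    function batch(Call[] calldata calls) external payable {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) =
                calls[i].target.call{value: calls[i].value}(calls[i].data);
            if (!ok) {
                // Bubble up the inner revert reason unchanged.
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}

// HARDENED PATTERN. Under EIP-7702, address(this) inside the delegated code is
// the EOA itself. msg.sender == address(this) holds exactly when the EOA signed
// a transaction to its own address, so this check restricts batch() to the
// account owner while still allowing a single tx to fan out into many calls.
contract SelfOnlyBatchExecutor {
    error Unauthorized(address caller);

    modifier onlySelf() {
        if (msg.sender != address(this)) revert Unauthorized(msg.sender);
        _;
    }

    function batch(Call[] calldata calls) external payable onlySelf {
        for (uint256 i = 0; i < calls.length; i++) {
            (bool ok, bytes memory ret) =
                calls[i].target.call{value: calls[i].value}(calls[i].data);
            if (!ok) {
                assembly { revert(add(ret, 32), mload(ret)) }
            }
        }
    }
}
```

Two practical checks follow from this. First, before an EOA delegates to any contract, read every externally reachable function of that contract as if it were a function on the EOA itself and ask who may call it; the delegation makes the whole public surface of the target callable by anyone at the EOA's address. Second, if a batch executor must be usable by a relayer (so msg.sender cannot be the EOA), the replacement for onlySelf is an EOA signature over the calls plus a nonce, verified inside batch(); an unauthenticated batch function is never acceptable as a delegation target.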

In market terms, the attacker pulled QNT directly out of the reserve pool through this hole and sold it, putting immediate pressure on QNT liquidity providers and on the pool's remaining funds. Demand for EIP-7702-specific audits and protective tooling has risen, and liquidity protocols with stricter access controls have become more attractive since the incident.

Source: Public Information

ABAB AI Insight

EIP-7702 is a recent, significant Ethereum account-abstraction proposal that lets an EOA run contract code to gain flexibility. This incident exposes the risk of a delegation target that lacks access control: once the EOA points at such code, every public function of that code becomes callable by anyone, with effects that appear to come from the EOA. It mirrors earlier fund losses caused by flawed authorization logic in several account-abstraction implementations.

Fund path: the attacker invoked the publicly callable, unchecked BatchCall function to run a batch of calls, moving QNT to an address under their control and cashing out. Because the administrator EOA's delegation design exposes the pool directly, the team needs to urgently rotate the administrator role or pause the affected functions.

Similar cases include several 2024-2025 incidents in which reserve pools were drained through improper account-abstraction or proxy-contract permissions, and the same pattern of unrestricted batch-call functions has recurred in other DeFi projects. The QNT reserve pool is currently in emergency response and restructuring its permissions.

At its core this is an unintended bypass: a permission model that assumed the administrator EOA could only act through its own signed transactions is sidestepped by EIP-7702 delegation, because the delegate contract traded strict caller verification for flexibility. Control over the pool's funds shifted temporarily from the protocol to the attacker, and the account-abstraction ecosystem as a whole is being pushed to tighten permission boundaries and audit requirements.

Tag: Hack

ABAB News · 3 min read · 15d ago