Ethereum's Pectra upgrade was one of the most significant changes to the network in years, especially for how people use wallets. It introduced some long-overdue improvements that make everyday transactions easier. But along with those changes come new risks—ones that users should take seriously.

One of the first things people will notice is that you no longer have to go through the extra “approve” step. In the past, if you wanted to trade a token on a decentralized exchange, you had to send a separate approval transaction before doing anything else. It always felt a bit clunky and confusing, especially if you were new to it. Nearly everyone, including all of Ethereum’s competitors, has criticized how awkward that system was.

With Pectra, that extra step can now be bundled into a single transaction, making interactions much smoother. The approve function still exists but becomes less visible to users in typical workflows.

💡
The approve function allows a smart contract to transfer up to a specified amount of tokens from your wallet. While essential for DeFi apps, it has been criticized for being confusing and posing security risks if misused.

Another major improvement is that regular wallets can now behave more like smart wallets. This opens up a lot of new possibilities. For example, you can now pay gas fees using tokens other than Ether, or bundle several actions—like approving, swapping, and signing—into one transaction. That might sound small, but it makes a big difference in day-to-day use.

The upgrade also introduces features like sponsored transactions, where another party can cover your gas fees. That could help onboard new users who don’t yet have Ether. Plus, it adds support for things like subscriptions or other automated tasks. What is nice is that all of these new features work with your existing wallet—no need to create a new one. Wallet apps will need a bit of time to catch up, but these changes should start rolling out soon.

Smarter Wallets, Smarter Attacks

Now for the downside—and it is a serious one. The same upgrade that improves usability also makes wallet hacks potentially more dangerous. In the past, draining a wallet usually required the user to send a transaction. That at least gave people a moment to pause.

But with Pectra, a hacker can potentially take control of your wallet just by getting you to sign an off-chain message. These messages don’t cost gas and don’t appear on-chain, so users often don’t think twice before signing them.

💡
Ethereum lets users sign off-chain messages with their private keys to securely prove identity or ownership without sending a transaction or paying gas fees. This is often used in dApps for login or approval, and the signature can be verified using the public address.

That is a problem. A malicious signature can give an attacker the same control over your wallet's assets that a smart contract acting on your behalf would have, and from that point they can move your tokens freely. Even hardware wallets are not safe if you sign one of these malicious messages: the device might be secure, but the signature gives permission anyway.

So what can be done? First, users need to be extra cautious. If you are ever unsure about what you are signing, don’t do it. And second, wallet developers need to step up fast. That means better warnings, clearer explanations, and smarter security checks. Because unfortunately, attackers will be quick to take advantage of this, and wallets need to stay one step ahead.
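One shape such a wallet-side check could take, as an added example that is not from the original article or from any wallet project: Pectra's delegation signature (EIP-7702) is computed over the byte 0x05 followed by an RLP list [chain_id, address, nonce], so a wallet that sees those bytes can treat the request as a delegation rather than an ordinary message. The function names, the allowlist and the sample bytes are assumptions constructed for illustration, and the check assumes the wallet is handed the pre-image rather than a bare hash.

```javascript
// Added example: pre-sign policy check. Allowlist and sample bytes are constructed.
const TRUSTED_DELEGATES = new Set(["0x" + "11".repeat(20)]); // hypothetical audited delegate
const hexToBytes = (h) =>
  Uint8Array.from(h.replace(/^0x/, "").match(/../g) || [], (b) => parseInt(b, 16));
const bytesToHex = (b) => "0x" + Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");
const toBigInt = (b) => (b.length ? BigInt(bytesToHex(b)) : 0n);

// Minimal RLP decoder for one short list (payload < 56 bytes) of short byte strings,
// enough for [chain_id, address, nonce]; anything else throws so the caller fails closed.
function decodeShortList(buf) {
  if (buf.length === 0 || buf[0] < 0xc0 || buf[0] > 0xf7) throw new Error("not a short RLP list");
  const end = 1 + (buf[0] - 0xc0);
  if (end !== buf.length) throw new Error("length mismatch");
  const items = [];
  for (let i = 1; i < end; ) {
    const p = buf[i];
    if (p < 0x80) { items.push(buf.slice(i, i + 1)); i += 1; }
    else if (p <= 0xb7) {
      const len = p - 0x80;
      if (i + 1 + len > end) throw new Error("item overruns list");
      items.push(buf.slice(i + 1, i + 1 + len)); i += 1 + len;
    } else throw new Error("unsupported item encoding");
  }
  return items;
}

// Classify the bytes a dApp asks the wallet to hash and sign, before any prompt is shown.
function reviewSigningRequest(preimageHex, currentChainId) {
  const buf = hexToBytes(preimageHex);
  if (buf[0] === 0x19) return { kind: "message", action: "prompt", reasons: [] }; // EIP-191 / EIP-712
  if (buf[0] !== 0x05) return { kind: "unknown", action: "block", reasons: ["unrecognized pre-image"] };
  let items;
  try { items = decodeShortList(buf.slice(1)); } catch (e) {
    return { kind: "delegation", action: "block", reasons: ["malformed authorization: " + e.message] };
  }
  if (items.length !== 3 || items[1].length !== 20)
    return { kind: "delegation", action: "block", reasons: ["malformed authorization tuple"] };
  const chainId = toBigInt(items[0]);
  const delegate = bytesToHex(items[1]);
  const reasons = [];
  if (chainId === 0n) reasons.push("chain_id 0: authorization is valid on every chain");
  else if (chainId !== BigInt(currentChainId)) reasons.push("chain_id does not match connected chain");
  if (!TRUSTED_DELEGATES.has(delegate)) reasons.push("delegate contract not on allowlist");
  return { kind: "delegation", action: reasons.length ? "block" : "warn", delegate, reasons };
}

// Constructed samples: 0x05 || rlp([chain_id, address, nonce])
const SAMPLE_TRUSTED = "0x05d70194" + "11".repeat(20) + "80";  // chain 1, allowlisted delegate
const SAMPLE_WILDCARD = "0x05d78094" + "22".repeat(20) + "80"; // chain 0, unknown delegate
```

Even the allowlisted case returns "warn" rather than "prompt", since a delegation hands over far more than a login signature does and deserves its own confirmation screen.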

Ethereum’s Trillion Dollar Security Initiative: Aiming for Civilization-Scale Trust

In response to the evolving security challenges highlighted by the Pectra upgrade, the Ethereum Foundation today launched the Trillion Dollar Security (1TS) initiative. This ambitious program seeks to elevate Ethereum's security to a level where it can securely underpin the internet and global economy, surpassing the safety and trustworthiness of traditional systems.

The initiative focuses on three core areas:

  1. Comprehensive Security Mapping: Assessing vulnerabilities across Ethereum's entire technology stack, including user experience, wallet security, smart contract development, infrastructure, and consensus protocols.
  2. Targeted Improvements: Implementing high-priority fixes and investing in long-term projects to address identified security gaps.
  3. Enhanced Communication: Improving how Ethereum's security features are communicated to users, enabling them to better understand and utilize the platform's security measures.

The initiative is led by Fredrik Svantes and Josh Stark, with support from ecosystem stewards such as samczsun, Mehdi Zerouali, and Zach Obront.
