Falling prices aren’t the only losses World Liberty Financial (WLFI) holders are facing just a day after the token went live for trading.
Hackers are apparently exploiting a loophole tied to Ethereum’s recent Pectra upgrade, draining WLFI tokens through what security firms are calling a “classic EIP-7702 phishing exploit.”
WLFI, the Donald Trump–linked governance token that began trading Monday with a 24.6 billion supply, anchors an ecosystem of branded cards and payment services. After rising to as high as 33.13 cents after its trading debut, the WLFI price has dropped to 24.27 cents, CoinGecko data show.
The attack vector can be traced back to EIP-7702, a feature introduced in May that enables regular wallets to function like smart contract wallets for batch transactions.
While meant to improve user experience, it has become a double-edged sword as attackers can plant a malicious delegate contract inside a compromised wallet. When the victim then deposits ETH or tokens, the contract automatically routes the funds to hacker-controlled addresses.
SlowMist founder Yu Xian flagged the issue on Monday, saying multiple WLFI wallets were drained using the method.
“As soon as you try to transfer away the remaining tokens … the gas you input will be automatically transferred away,” he warned, noting that private key leaks, often through phishing sites, are the typical entry point.
又遇到一位玩家多个地址的 $WLFI 都被盗事件,看了下盗窃手法,又是 7702 delegate 恶意合约利用,前提也是私钥泄露,黑客在目标钱包地址上提前埋伏好恶意的 7702 delegate 地址,之后将目标地址所有 ETH 及价值 token(比如这里是 $WLFI)转走,一点渣渣都不剩,如果用户转入 ETH 当… https://t.co/YyVvMPwaGM
— Cos(余弦)😶🌫️ (@evilcos) September 1, 2025
Users in WLFI forums describe attempts to rescue their allocations. One investor said they managed to move only 20% of their tokens to a new wallet, with the rest still trapped in a compromised address.
The exploit adds to a rash of scams surrounding the start of trading. Analytics firm Bubblemaps flagged “bundled clones” imitating WLFI contracts, while phishing links have circulated on Telegram and X.
