
Phishing incidents on the rise—has EigenLayer become hackers’ top target this year?
TechFlow Selected TechFlow Selected

Phishing incidents on the rise—has EigenLayer become hackers’ top target this year?
TVL Just Broke $1 Billion—Already Targeted by Hackers?
Author: Luccy
With the rising narrative around restaking, EigenLayer has become a hot topic within the community. On March 3, EigenLayer's TVL reached 2.931 million ETH, worth approximately $1.0053 billion. This high TVL has drawn attention from hackers; on March 5, @CyversAlerts tweeted that EigenLayer may have become a victim of phishing attacks.
Are EigenLayer Users Facing a New Type of Phishing Attack?
On March 5, @CyversAlerts detected that an address starting with 0xae7ab received 4 stETH from EigenLayer, valued at $14,199.57, suspected to be a phishing victim. It was also noted that multiple victims on the mainnet have signed malicious "queueWithdrawal" transactions.

In response, prominent on-chain investigator ZachXBT expressed skepticism, commenting on Twitter: "Stop spreading fake news because your team can't read block explorers." However, recent incidents confirm that some EigenLayer users have indeed fallen victim to phishing attacks. Yu Xian, founder of SlowMist, also stated that EigenLayer’s contracts have been exploited by hackers.

EigenLayer's Refund Mechanism Becomes Hackers' New Target
Recently, the notorious phishing group Angel Drainer introduced a new attack vector targeting EigenLayer’s "queueWithdrawal" mechanism.
Due to the nature of Ethereum staking, transaction approvals differ from standard ERC20 "approve" methods. Exploiting this difference, Angel Drainer specifically crafted an exploit targeting the queueWithdrawal (0xf123991e) function in the EigenLayer Strategy Manager contract.
The core of the attack lies in tricking users into signing a "queueWithdrawal" transaction, which effectively authorizes malicious actors ("withdrawers") to withdraw staking rewards from EigenLayer to attacker-controlled addresses. In simple terms, once you approve such a transaction on a phishing site, your staking rewards in EigenLayer will belong to the attacker.
To make detection more difficult, attackers use the "CREATE2" mechanism to route these withdrawals to empty addresses. As this is a novel approval method, most security providers or internal tools fail to parse and validate this type of approval, often marking such transactions as benign.
Currently, with official authorization, slashing queued withdrawals via slashQueuedWithdrawal within 15 days can recover lost assets.

In EigenLayer, there are two types of restaking: native ETH restaking and LST restaking. During the initial staking process, EigenLayer creates an EigenPod contract for managing restaked funds, and upon withdrawal, funds are first returned to the EigenPod contract.
Native Ethereum staking requires not only creating an EigenPod contract but also running a Beacon Chain node service. Since ETH is held in the Beacon Chain, withdrawals require both user initiation and cooperation from the node service provider to move funds out of the Beacon Chain—meaning both parties must agree for withdrawal to proceed.
However, with LST restaking, funds are directly deposited into EigenLayer’s EigenPod contract. This means users engaging in LST restaking could potentially suffer losses due to risks associated with EigenLayer’s contracts—precisely the vulnerability being targeted in this phishing campaign.
EigenLayer TVL Surpasses $10 Billion
EigenLayer raised $64.5 million across two funding rounds, led by Blockchain Capital, Polychain Capital, and Ethereal Ventures, with participation from Hack VC, Finality Capital Partners, Coinbase Ventures, and IOSG Ventures.
Moreover, EigenLayer’s TVL continues to grow. According to DefiLlama data, at the time of writing, its TVL stands at $10.4 billion.

It is precisely this over-$10-billion TVL that has attracted phishing groups. Regarding phishing risks and community concerns, Yu Xian of SlowMist emphasized that neither opening a phishing URL nor connecting to a phishing website would result in private key theft.

Risk accompanies reward. While strong funding backing and a $10 billion TVL present opportunities for users, they also attract hackers. As awareness of restaking security risks grows, BlockBeats reminds readers to carefully evaluate restaking projects to avoid losses.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














