The crypto industry is like the Wild West: developers resemble gunsmiths, while users and attackers compete to see who will master the new weapons first.

On May 7, 2025, the Pectra upgrade was deployed on the Ethereum mainnet. Pectra consists of various proposals, the most discussed of which is EIP-7702, yet another version of account abstraction. EIP-7702 replaced another similar proposal, EIP-3074.

After deployment, EIP-7702 immediately gave news outlets loud headlines about stolen funds and divided the community. Enough time has passed to accumulate a critical mass of incidents, allowing an analysis of the attack vector and conclusions about EIP-7702.

Declared advantages of EIP-7702

EIP-7702 allows externally owned accounts (EOAs) to execute smart contract code, but there are only a few truly valuable scenarios for EOAs:

Bundling transactions into one package: sending several assets within a single transaction; sending an asset to multiple addresses; combining approve and transferFrom into one call; automatically executing a follow-up operation based on the result of the previous one, and so on.
Sponsoring gas fees through another account. If a trading platform wants to cover its users' gas costs, until now that was possible only with smart-contract wallets such as Safe Wallet; EIP-7702 erases this boundary, because the account that pays for the new transaction type need not be the EOA whose authorization it carries.
A modest security gain from flexible, automated scoping of the privileges granted to a third party. Many DeFi users, when calling approve, grant the contract an allowance for the maximum amount of the asset, not only to save gas by approving "once and forever" but simply because they do not want to create several near-identical transactions. A delegate that bundles the approve, the call that spends it and the revocation into one transaction removes that incentive: the allowance need only be as large as the operation itself.
Cross-chain authorization of an allowlist. Each tuple in the authorization_list carries its own chain_id, so a single signed list can specify exactly which chain each delegation is valid on.

Mechanism of EIP-7702

Mechanically, EIP-7702 adds a new transaction type (0x04, the "set code" transaction) with three moving parts:
The code installation transaction itself, which carries the authorizations and is sent and paid for by whoever submits it; that can be the EOA being delegated, or a sponsor.
Delegates: existing smart contracts on the blockchain whose code serves as the template the EOA will execute.
An authorization list (authorization_list = [[chain_id, address, nonce, y_parity, r, s], …]). Each tuple is signed with the EOA's own private key and names the chain and the address of the smart contract whose code the EOA will execute; the nonce must match the EOA's current nonce, and a chain_id of 0 makes the tuple valid on every chain.

The user signs an authorization naming an already deployed contract, the delegate. Once a transaction carrying that authorization executes, the EOA's code is set to the delegation designator (0xef0100 || address), where 0xef0100 is the designator prefix and address is the delegate's address. From then on, any call to the EOA loads the delegate's code and runs it in the EOA's own context: its storage, its balance and its address, much like a DELEGATECALL.

The delegation can be changed by signing a new authorization with a different address, and cancelled by signing one with address = 0x0000000000000000000000000000000000000000, which resets the EOA's code to empty.

Note that the delegation has no built-in expiry. The designator itself carries no time limit and no one-shot flag, and the installation transaction cannot attach any such condition; unless the delegate contract enforces restrictions of its own, its code stays bound to the EOA and executes on every call until the owner signs a new authorization that replaces or clears it. Some articles claim otherwise, for example an article by Binance Academy.

Exploitation of EIP-7702 by Attackers

How do attackers exploit EIP-7702? A recent case of WLFI token theft, described in a Cointelegraph article, is indicative: the root cause was an earlier compromise of the private key, and only afterward did the attackers delegate malicious smart contract code to the EOA.

Thus, EIP-7702 did not invent a new attack vector. To steal users' funds, attackers still need to trick the victim through phishing. They must obtain the EOA private key (for example through a compromised UI, or by recovering it from signatures produced with a reused nonce), or get the user to sign something harmful: a transaction approving spending to the attacker's address, or an EIP-7702 authorization naming the attacker's delegate. That authorization is only a signature, and the attacker can submit it to the chain in a transaction of their own, so the victim never has to send anything. Attackers did all this before, but EIP-7702 has automated their work.

Previously, by signing a malicious transaction without revealing the private key, a user would lose one specific asset; with bundled transactions, everything in the EOA can be moved out in a single transaction. A maliciously written delegate runs with the EOA's own balance and identity, so it automates the theft not only of tokens but also of native coins.

Wintermute warned that more than 90% of EIP-7702 delegations pointed at malicious contracts. Many of them are simple copy-and-paste sweepers that watch wallets whose keys have leaked and drain them automatically.

Comparison of EIP-7702 with ERC-223 and ERC-777

In fact, EIP-7702, which is now part of Ethereum's core protocol, cannot be directly compared with the token standards ERC-777 and ERC-223, which operate at the application layer on top of the blockchain. Abstractly, however, EIP-7702 and ERC-777 share the presence of "intermediary contracts", and it is worth asking whether EIP-7702 can reproduce the functionality of ERC-223.

ERC-777 works the opposite way round: the EOA does not take on a contract's code but entrusts its funds to an intermediary (an operator contract) that interacts with the target contract on its behalf, and the standard calls hooks on sender and receiver during every transfer. Attackers quickly learned to use those hooks to intercept the transfer mid-flight and re-enter the target contract, the best-known cases being the April 2020 attacks on Uniswap V1 and Lendf.Me through the imBTC token's hooks.

ERC-223 can notify a receiving contract of incoming funds, which ERC-20 cannot do; the ERC-20 gap leads to user errors and fund losses when tokens are sent to contracts that cannot handle them. Some community members believe that EIP-7702 can replace ERC-223. Suppose, theoretically, that a delegate contract reproduced the ERC-223 notification module. In practice this is useless: current DEX contracts implement no receiving hook and cannot respond, so tokens can still only be moved through approve and transferFrom. And even if DEXs adopted ERC-223-compatible contract design as standard, using EIP-7702 to send ERC-20 tokens would remain unlikely, because the bulky interaction structure invites unforeseen collisions and raises the gas cost per transaction compared with native ERC-223. It's like buying a seven-ton "Freightliner Columbia 120" with a trailer just to drive the route work, office, home, without being a truck driver.

Conclusion

Every innovation in the relatively young blockchain industry looks to its developers like a huge technological breakthrough they have worked hard to achieve. To users this is not at all obvious, and sometimes the innovation even exposes them to financial loss.

The goal of EIP-7702 is to spare the user from learning to program and deploying their own smart contracts. But, as always, attackers are the first to adapt to innovations, and the introduction of EIP-7702 was no exception.

Nevertheless, EIP-7702 itself is not a magic key for hackers. The attackers' main tool remains social engineering; only the "Spanish Prisoner" scam of the 18th century has stepped into the 21st century of digital money. For users, especially of public blockchains, digital hygiene has become more critical than ever: choosing a reliable delegate provider, paying close attention to what an interface actually asks you to sign (an EIP-7702 authorization is a bare hash unless the wallet decodes it for you), and understanding the technology being used.

EIP-7702 Requires Users to Maintain Flawless Digital Hygiene was originally published in Coinmonks on Medium.
