
{"id":108986,"date":"2025-10-30T06:46:07","date_gmt":"2025-10-30T06:46:07","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=108986"},"modified":"2025-10-30T06:46:07","modified_gmt":"2025-10-30T06:46:07","slug":"eip-7702-requires-users-to-maintain-flawless-digital-hygiene","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=108986","title":{"rendered":"EIP-7702 Requires Users to Maintain Flawless Digital Hygiene"},"content":{"rendered":"<p>The crypto industry is like the Wild West: developers resemble gunsmiths, while users and attackers compete to see who will master the new weapons\u00a0first.<\/p>\n<p>On May 7, 2025, the <a href=\"https:\/\/ethereum.org\/ru\/roadmap\/pectra\/\">Pectra<\/a> upgrade was deployed on the Ethereum mainnet. Pectra consists of various proposals, the most discussed of which is <a href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-7702\">EIP-7702<\/a>, yet another version of account abstraction. EIP-7702 replaced another similar proposal, <a href=\"https:\/\/eips.ethereum.org\/EIPS\/eip-3074\">EIP-3074<\/a>.<\/p>\n<p>After deployment, EIP-7702 immediately gave news outlets loud headlines about stolen funds and divided the community. Enough time has passed to accumulate a critical mass of incidents, allowing an analysis of the attack vector and conclusions about EIP-7702.<\/p>\n<h3>Declared advantages of\u00a0EIP-7702<\/h3>\n<p>EIP-7702 allows <a href=\"https:\/\/ethereum.org\/whitepaper\/#ethereum-accounts\">externally owned accounts<\/a> (EOAs) to execute smart contract code, but there are only a few truly valuable scenarios for\u00a0EOAs:<\/p>\n<p>Bundling transactions into a package, for example: sending several assets within one transaction; sending an asset to multiple addresses; combining approve and transferFrom transactions into one; automatically executing a subsequent operation based on the results of the previous one, and\u00a0others.<br \/>Sponsoring gas fees through another account. 
If a trading platform covers users\u2019 gas costs, this is possible only with wallets featuring smart contract functionality, such as <a href=\"https:\/\/safe.global\/\">Safe Wallet<\/a>; EIP-7702 erases this boundary.<br \/>EIP-7702 can also somewhat enhance security through flexible privilege configuration for a third party in automatic mode. Many people working with DeFi applications, when performing approve, grant the smart contract permission for the maximum amount of the asset. They do this not only to save gas by performing approve \u201conce and forever,\u201d but also because they simply do not want to create several similar transactions repeatedly.<br \/>The possibility of cross-chain authorization of an allowlist. In the authorization_list, each tuple can be assigned the required blockchain ID.<\/p>\n<h3>Mechanism of\u00a0EIP-7702<\/h3>\n<p>Now, with EIP-7702, we have a new (fourth) transaction type, characterized by:<br \/>A code installation transaction.<br \/>Delegates\u200a\u2014\u200aexisting smart contracts on the blockchain whose code will be used as a template.<br \/>An authorization list (authorization_list = [[chain_id, address, nonce, y_parity, r, s],\u00a0\u2026]), parameters indicating a specific blockchain and the address of the smart contract whose code the EOA will\u00a0execute.<\/p>\n<p>The user creates a transaction specifying an already deployed smart contract in the network, called a delegate. After signing and executing the transaction, the EOA inherits the delegate\u2019s functionality. For the EVM, this looks like: (0xef0100 || address). 
0xef0100\u200a\u2014\u200athe delegation identifier, address\u200a\u2014\u200athe smart contract\u00a0address.<\/p>\n<p>The delegate can be replaced by changing the address, or the code delegation for the EOA can be canceled by setting the address to 0x0000000000000000000000000000000000000000.<\/p>\n<p>However, it should be noted that if the \u201ccode installation transaction\u201d did not include conditions for restrictions, such as time limits or cancellation of delegation at the end of execution, the code will always execute on the EOA, although some articles, for example an <a href=\"https:\/\/www.binance.com\/ru\/academy\/glossary\/eip-7702\">article<\/a> by Binance\u00a0Academy, claim otherwise.<\/p>\n<h3>Exploitation of EIP-7702 by Attackers<\/h3>\n<p>How do attackers exploit EIP-7702? One of the recent cases of WLFI token theft, described in a Cointelegraph <a href=\"https:\/\/cointelegraph.com\/news\/wlfi-token-holders-falling-prey-classic-wallet-exploit\">article<\/a>, is indicative. The cause of the token theft was the prior loss of a private key, and only afterward did attackers delegate malicious smart contract code to the\u00a0EOA.<\/p>\n<p>Thus, EIP-7702 did not invent a new attack vector. To steal users\u2019 funds, attackers still need to trick the victim through phishing. They must make the user disclose the EOA private key, including through a compromised UI, creating collisions with <a href=\"https:\/\/blog.trailofbits.com\/2020\/06\/11\/ecdsa-handle-with-care\/?utm_source=chatgpt.com\">reused one-time codes<\/a>. Or they must make the user sign a transaction approving spending to the attacker\u2019s address. Attackers have done this before, but EIP-7702 has automated their\u00a0work.<\/p>\n<p>Previously, by signing a malicious transaction without revealing the private key, a user would lose some specific asset, but with the advent of bundled transactions, <strong>all assets can now be transferred from the EOA in a single transaction<\/strong>. 
A maliciously written delegate contract automates the theft of assets, including not only tokens but also native\u00a0coins.<\/p>\n<p>Wintermute <a href=\"https:\/\/x.com\/wintermute_t\/status\/1928501765865091400\">warned<\/a> that more than 90% of EIP-7702 delegations were linked to malicious contracts. Many of them are simple copy-and-paste scripts that scan vulnerable wallets and automatically drain\u00a0them.<\/p>\n<h3>Comparison of EIP-7702 with ERC-223 and\u00a0ERC-777<\/h3>\n<p>In fact, EIP-7702, which is now part of Ethereum\u2019s core structure, cannot be directly compared with token standards <a href=\"https:\/\/ethereum.org\/ru\/developers\/docs\/standards\/tokens\/erc-777\/\">ERC-777<\/a> and <a href=\"https:\/\/ethereum.org\/developers\/docs\/standards\/tokens\/erc-223\/\">ERC-223<\/a>, which operate at the application level on top of the blockchain. However, abstractly, EIP-7702 and ERC-777 share some similarities in the presence of \u201cintermediary contracts.\u201d On the other hand, let\u2019s consider whether EIP-7702 can reproduce the functionality of\u00a0ERC-223.<\/p>\n<p>Compared to EIP-7702, ERC-777 actually works the opposite way: the EOA does not copy the contract\u2019s code but delegates funds to an intermediary contract for subsequent interaction with the target contract. Quite quickly, attackers learned to intercept calls and <a href=\"https:\/\/mixbytes.io\/blog\/one-more-problem-with-erc777\">substitute intermediary contracts<\/a> to steal\u00a0funds.<\/p>\n<p>ERC-223 can notify target contracts of incoming funds, which <a href=\"https:\/\/ethereum.org\/developers\/docs\/standards\/tokens\/erc-20\/\">ERC-20<\/a> cannot do\u200a\u2014\u200aleading to <a href=\"https:\/\/blockzhub.io\/news\/673261f5b7696e7d36efc96c\">user errors<\/a> and <a href=\"https:\/\/dexaran.github.io\/erc20-losses\/\">fund losses<\/a>. Some community members believe that using EIP-7702 can successfully replace ERC-223. 
Suppose, theoretically, that a delegate contract could reproduce the ERC-223 communication module. This is actually useless\u200a\u2014\u200acurrent DEX smart contracts will not be able to respond, meaning tokens can only be sent through transferFrom. And even if DEXs adopted ERC-223-compatible contract design as a standard, using EIP-7702 to send ERC-20 tokens would remain highly unlikely: there is a high chance of unforeseen collisions due to the bulky interaction structure and increased gas fees per transaction compared to working with native ERC-223. It\u2019s like buying a seven-ton \u201cFreightliner Columbia 120\u201d with a trailer just to drive the route work\u2013office\u2013home, without being a truck\u00a0driver.<\/p>\n<h3>Conclusion<\/h3>\n<p>Every innovation in the relatively young blockchain industry appears to developers as a huge technological breakthrough they have worked hard to achieve. This is not at all obvious to users and sometimes even poses a risk of financial loss.<\/p>\n<p>The goal of EIP-7702 is to free the user from learning programming and deploying their own smart contracts. However, as always, attackers are the first to adapt to innovations, and the introduction of EIP-7702 was no exception.<\/p>\n<p>Nevertheless, EIP-7702 itself is not a magic key for hackers. The main tool of attackers remains social engineering\u200a\u2014\u200aonly the \u201c<a href=\"https:\/\/en.wikipedia.org\/wiki\/Spanish_Prisoner?utm_source=chatgpt.com\">Spanish Prisoner<\/a>\u201d of the 18th century has stepped into the 21st century of digital money. 
For users, especially of public blockchains, digital hygiene has become more critical than ever: choosing a reliable delegate provider, paying close attention to interface interactions, and understanding the technology being\u00a0used.<\/p>\n<p><a href=\"https:\/\/medium.com\/coinmonks\/eip-7702-requires-users-to-maintain-flawless-digital-hygiene-591649bc165f\">EIP-7702 Requires Users to Maintain Flawless Digital Hygiene<\/a> was originally published in <a href=\"https:\/\/medium.com\/coinmonks\">Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":"<p>The crypto industry is like the Wild West: developers resemble gunsmiths, while users and attackers compete to see who will master the new weapons\u00a0first. On May 7, 2025, the Pectra upgrade was deployed on the Ethereum mainnet. Pectra consists of various proposals, the most discussed of which is EIP-7702, yet another version of account abstraction. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-108986","post","type-post","status-publish","format-standard","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/108986"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=108986"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/108986\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=108986"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=108986"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=108986"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}