Overview:

A Sherlock DeFi security researcher recently shared a sobering experience on Base:

Funds drained not via compromised private keys, classic token approvals, or an obvious malicious transfer at the moment of loss. The root cause was a single EIP-7702 authorization signed during what appeared to be a routine bridge or payment flow.

"No transferFrom. No approval. The contract executed as my wallet itself," the researcher noted. This incident underscores a meaningful shift in wallet risk models that goes beyond traditional self-custody practices like key management and approval hygiene.

What EIP-7702 Actually Does

Introduced with Ethereum’s Pectra upgrade (activated May 2025), EIP-7702 introduces a new transaction type (0x04) that can include an authorization_list. This allows externally owned accounts (EOAs) to temporarily delegate execution authority by loading smart contract logic directly into the EOA context.

Once authorized, the delegated contract can:

Transfer tokens or native ETH
Approve assets
Interact with any protocol
Execute arbitrary logic

All without requiring additional user signatures. The result is a shift from transaction-level consent to execution-level delegation — effectively granting temporary root-like access to the wallet.

Why This Is Dangerous: Execution Delegation Abuse

Traditional wallet drains typically stem from private key compromise or token approval abuse (e.g., infinite allowances). EIP-7702 adds a third category: execution delegation abuse.

Attackers embed delegation payloads in seemingly legitimate flows — bridges, reward claims, batch swaps, or fake wallet upgrades. After one signature, malicious "sweeper" contracts can act with full wallet permissions, often draining assets silently and in the same block.

Key differences from older patterns:

No repeated approval prompts
Actions execute without further user interaction
Risk persists until the delegation is explicitly revoked

Observed Impact

Following the Pectra upgrade, attackers rapidly adopted EIP-7702. In August 2025, phishing losses reached approximately $12 million across 15,230 victims, with EIP-7702 batch signatures contributing notably — including two major incidents totaling $2.54 million. Individual campaigns reportedly reached up to $1.54 million in a single event. [](grokrendercitationcardjson={"cardIds":["b91a26"]})

On-chain analyses showed strong concentration: 80–97% of observed EIP-7702 delegations routed to related malicious sweeper contracts (such as the "CrimeEnjoyor" family), with large-scale studies referencing over 150,000 authorization events. Even experienced users and security practitioners have been affected.

Why This Changes the Self-Custody Conversation

Old Risk Model	EIP-7702 Risk Reality
Token-level permissions	Wallet-level execution delegation
Repeated approvals often required	One delegation can enable broad actions
User-visible approval loops	Payloads can be bundled and less obvious
Exposure constrained by allowance scope	Exposure can extend across wallet assets

Strong key hygiene and regular approval revocation are still essential — but insufficient alone if a single delegation signature grants full execution rights.

Practical Defense Steps

Audit transaction history Use block explorers to check for type 0x04 transactions or authorization_list entries and flag unknown delegates.

Revoke delegations Many wallets now surface EIP-7702 delegations; revoke via wallet-native tools where available (often by delegating to 0x0). Revoke.cash can help inspect delegations in some cases, though full revocation support varies.

Treat every signature as high-risk Avoid blind-signing. Carefully inspect payloads, verify contract addresses on-chain, and simulate outcomes when possible.

Use safer wallet UX Choose interfaces that clearly display delegation targets, provide simulation, and flag suspicious EIP-7702 requests.

Update your threat model Token approvals represent limited exposure; EIP-7702 delegations represent higher-impact execution risk. Treat them accordingly.

The Road Ahead

EIP-7702 unlocks genuine UX gains — smoother batching, gas abstraction features, and account-abstraction-like behavior without address migration. However, it also raises the stakes for wallet interface design and user education.

The ecosystem would benefit from clearer delegation warnings, standardized simulation tools, and more consistent revocation options across wallets.

Key Takeaway

A signature is no longer solely transaction consent. With EIP-7702 delegation, it can authorize broad wallet execution. Treat such requests as security-critical actions.

Stay vigilant. Review your recent transactions and revoke any unknown delegations today.

Root Access in One Click: How EIP-7702 Is Reshaping DeFi Self-Custody Security