Remember EIP-7702?

It's a security ticking time bomb 💣

It can be exploited to drain whole wallets.

What is EIP-7702?

EIP-7702 allows any EOA to set its code based on any existing smart contract.

An EOA owner signs an authorization that could then be submitted by anyone as part of the new transaction type.

Auth can be for a single chain, or all chains at once.

If the delegated contract uses DELEGATECALL operations, it will execute in the context of the EOA.

While users want flexibility and compatibility, this runs the risk of draining funds. Why?

• The storage and ETH balance of your EOA would be accessible and modifiable by the delegated code.

• If the delegated contract has vulnerabilities or malicious code, it could drain your account or manipulate your storage.

Safety Concerns of EIP-7702

It's risky because users might not understand the full implications of such authorization..

A safe contract could be upgraded by its owner to include malicious DELEGATECALL.

If you delegate to a proxy contract, you're trusting both the proxy and any implementation it points to!

Mitigation of Security Concerns Related to Using EIP-7702

⛊ Only delegate to thoroughly audited, non-upgradeable contracts.

⛊ Ensure the delegated contract has no DELEGATECALL operations that could be exploited.

⛊ Understand that they're essentially giving the delegated contract full control over their account!

Request an Audit to Secure Your Implementation

The EIP's design prioritizes flexibility, but this comes with significant security considerations that need careful attention.

If you want to secure your implementation, get in touch with us at Audita.

STAY SAFU

Audita's Auditors