
How much do you know about the recent sophisticated phishing attacks by hackers?

Updated today

When virtue gains a foot, the devil gains a yard.

Crypto phishing is still rampant, and especially after the emergence of the "EIP-7702 authorization attack," hackers have become even more brazen...

Look at these tragic cases:

On September 2, KOL @Tintinx2021 posted that scammers lured them into downloading a fake meeting link under the pretense of discussing a collaboration;

Also on September 2, crypto whale @KuanSun1990 was chatting on TG about a collaboration with a BD contact he had met in person; the other party sent a fake Zoom link directly, he downloaded a malicious file, and $13,000,000 was stolen;

On September 8, KOL @dov_wo was contacted from a TG contact’s compromised account and led via Calendly into a fake Zoom meeting link.

Fortunately, because the incidents were handled promptly, the above events did not ultimately result in massive asset losses—but hackers won’t always walk away empty-handed:

On September 12, Thorchain co-founder @jpthor lost $1.3 million due to the same kind of fake Zoom meeting link.

The combo of "a familiar account being compromised + a phishing meeting link" has been used for years and remains effective, so you can imagine how rampant even more sophisticated and novel methods can become:

On August 5, one address was drained of $66,000 after upgrading to EIP-7702 and interacting with a fake Uniswap;

On August 22, a whale lost $1,000,000 for the same reason;

On August 24 (yes, just two days later), another whale lost $1,540,000 after signing a phishing transaction of the EIP-7702 type.

The above is only an incomplete tally within a single month.

Crypto security firm Scam Sniffer (@realScamSniffer) reported that in August a total of 15,230 victims were robbed, with total losses as high as $12,000,000, up more than 60% from July. Incidents involving the EIP-7702 standard, the attack type mentioned above, have become increasingly frequent. Many people don’t fully understand this concept, but the data warns us to pay special attention to this novel attack method.

What is EIP-7702

EIP-7702 introduces a new transaction type that lets an account address’s code be set to a proxy pointer (a delegation designator) to a target contract. From then on, calls to that address execute the target contract’s code. The delegation remains in effect until you replace the pointer with a new authorization or clear it.

It was designed to improve user transaction experience in three ways:

  • Simplify transaction handling: bundle on-chain operations that used to require two or three separate steps into a single atomic transaction—either all succeed or all fail.

  • Gas sponsorship: someone else pays the gas, you only sign, so the transaction can complete even if your wallet has no ETH.

  • Permission downgrading: give the proxy contract a sub-key that only opens permissions for "a specific token, a specific amount, a specific application." For example, it could allow spending a certain ERC-20 token but not ETH.

Why EIP-7702 is dangerous

Although EIP-7702 was intended to provide a better user experience, think about it: when you hand your "right to execute transactions" over to a "malicious contract address," it gains the power to carry out various operations with effectively no limits—at that moment your assets are no longer yours. As early as May this year, research by Wintermute showed that over 97% of EIP-7702 related authorizations were associated with malicious contracts.

And the ways you can get burned are straightforward:

A user visits a phishing site and signs an unfamiliar transaction that is actually an EIP-7702 type transaction, delegating their address to a hacker-designed target contract;

Or the private key may be leaked. Attackers who steal a private key can use a malicious EIP-7702 authorization tuple to delegate the victim’s EOA to a "sweeper" contract, which will immediately transfer away any new assets the victim's wallet receives.

How can users protect themselves?

  • Old but important: read the signature contents carefully and don’t sign transactions you don’t understand. More importantly, carefully check the website URL and SSL certificate, and avoid clicking links sent via social media DMs or unknown emails.

  • Regularly check authorizations. For example, Rabby Wallet’s authorization manager clearly shows whether an account has granted EIP-7702 authorizations.

  • Don’t perform EIP-7702-type upgrades. Wallets and apps may offer upgrade options to improve UX, but if you don’t have an urgent need, it’s best not to enable this feature.

  • When authorizing an EIP-7702 transaction, be sure to audit the delegated contract address and ensure it comes from a fully audited, battle-tested, and widely trusted protocol.
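The "regularly check authorizations" advice above comes down to one on-chain fact described in the EIP-7702 section: a delegated address carries a 23-byte code (0xef0100 followed by the delegate address) that eth_getCode returns. The following is an added example (not OneKey’s, Rabby’s, or any wallet’s code) that parses that code and flags delegations to contracts outside a trusted list; the addresses and code blobs in it are constructed placeholders.

```python
# Added example (not OneKey's or Rabby's code): classify an account's code as
# plain EOA, EIP-7702 delegation, or ordinary contract. Per EIP-7702 a delegated
# EOA's code is exactly 23 bytes: 0xef0100 followed by the 20-byte delegate
# address. All addresses and code blobs here are constructed placeholders.
from typing import Dict, Optional, Set

DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATION_LEN = len(DELEGATION_PREFIX) + 20


def get_code_request(address: str, rpc_id: int = 1) -> Dict:
    """JSON-RPC body for eth_getCode; its 'result' is the hex code to classify."""
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_getCode",
            "params": [address, "latest"]}


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is a 7702 designator, else None.

    Empty code is a plain EOA (or a cleared delegation). Any other length is
    ordinary contract bytecode, even if it happens to start with the prefix.
    """
    if len(code) != DELEGATION_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def classify_account(code_hex: str, trusted: Set[str]) -> str:
    """Map eth_getCode output to a label a wallet or monitor could act on."""
    code = bytes.fromhex(code_hex[2:] if code_hex.startswith("0x") else code_hex)
    target = parse_delegation(code)
    if target is None:
        return "no-delegation" if not code else "contract"
    if target in {t.lower() for t in trusted}:
        return "delegated-trusted"
    return "delegated-UNTRUSTED"  # the case the checklist above says to act on


# Constructed sample data; 0x11..11 stands in for an audited, trusted delegate.
TRUSTED_DELEGATES = {"0x" + "11" * 20}
SAMPLE_CODES = {
    "plain EOA": "0x",
    "delegated to trusted": "0xef0100" + "11" * 20,
    "delegated to unknown": "0xef0100" + "ab" * 20,
    "ordinary contract": "0x6080604052",
}

if __name__ == "__main__":
    for label, code_hex in SAMPLE_CODES.items():
        print(f"{label:22s} -> {classify_account(code_hex, TRUSTED_DELEGATES)}")
```

Feeding the `result` field of a real `eth_getCode` response into `classify_account` turns the periodic check into a script; any `delegated-UNTRUSTED` result is the signal to clear or replace the delegation.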

End

Whether hackers use new tricks or old routines, what truly determines the safety of your assets is whether your private key has been exposed to high-risk environments. If your private key is secure (for example, using a hardware wallet):

  • Even if you accidentally click a hacker’s phishing meeting link, your assets won’t be immediately transferred because the hacker cannot find your private key on your computer.

  • If the private key is only known to you (the hardware wallet is in your possession), hackers cannot authorize EIP-7702 for your address.

One more note: OneKey’s hardware wallet already supports parsing EIP-7702-type transactions, which means that when you interact with a suspicious site, any lurking malicious authorization will be fully visible on the hardware wallet—making it easy for users to identify and block it.

Attacks change, boundaries don’t—keep your private key in hardware, and keep control in your own hands.
