Credit: Image generated with AI Assistance
Ethereum's recent network update added a mechanism that gives basic wallets some smart wallet capabilities. But the interwebs are in panic mode over claims that cyberthieves could use the feature to drain user funds.
At the center of the storm is Ethereum Improvement Proposal (EIP) 7702, one of nine individual add-ons bundled into the blockchain’s Pectra update in May. EIP-7702 introduces a transaction called SetCode that lets users give temporary control over their advanced smart wallet to a basic wallet owner, simply by signing a message. Security analysts have claimed that the added functionality exposes users to theft.
Should ETH holders be worried? There is a vulnerability, but like many things in crypto the full picture is nuanced.
Democratizing access
The idea is to give non-technical users access to advanced smart wallet powers, things like voting on network governance or taking part in staking without operating a validator node. Delegation can be used to earn rewards, widen participation in blockchain governance, or manage permissions in DeFi environments.
For wallet developers the feature promises to make user onboarding more frictionless. A special delegator toolkit lets dev teams streamline the wallet connection flow, making it easier for new users to get started. It also opens up possibilities like auto-recurring subscription payments and greater social coordination on purchases and crypto investments.
Sounds great, but delegation appears to have a weak link. If a cyber thief were to get hold of the enabling signature, perhaps via keystroke logger or phishing email, they could potentially use it to overwrite the wallet's code, adding malware that forwards calls – and incoming ETH – to a second malicious contract.
An analysis by digital asset firm Wintermute shows that almost all the wallet delegations currently happening post-Pectra are dodgy.
"While EIP-7702 brings new convenience, it also introduces new risks. Our Research team found that over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code."
Dubbed "CrimeEnjoyor" by Wintermute researchers, the malicious code acts as a sweeper that attempts to automatically redirect ETH transfers and payments away from compromised wallets. In a post on X, Wintermute researchers said “new primitives like EIP-7702 expand what is possible, but without verification, labeling, and transparency tools, it becomes harder to tell infrastructure from exploitation, especially for new users. It's funny, bleak, and fascinating all at once."
Digging Into the Threat
Did Ethereum drop the ball on delegation? Smart wallets can do a lot of things that basic wallets can't. They give users more granular control over their digital assets and offer enhanced functionality like gas fee abstraction, batch transactions, and wallet use across different blockchains.
The problem is the programmable smart contracts smart wallets depend on. These require a fair bit of technical nous to configure and use. Ethereum's user base has been asking for a simpler way to access smart wallet benefits, and EIP-7702 appears to be a step in that direction.
Unlike EOAs (externally owned accounts) that use private keys for security, smart wallets use rules and custom logic to strengthen security at the transaction level. EIP-7702's compromise is to create a members-only backdoor, effectively letting smart wallet owners delegate some of their functionality to someone else by signing a special message.
The question is: What happens if a criminal tricks you into signing a fake delegation message? If a cyber thief has the private key, presumably they could take control of the wallet, empty it, or use it to facilitate criminal activity.
The answer came on May 24 when Web3 cyber platform Scam Sniffer found an EIP-7702 upgraded MetaMask wallet had been drained of more than $146,550.
Further analysis by blockchain security specialists SlowMist pegged the theft on an organized crime group called Inferno Drainer. Instead of using proven approaches like hijacking the wallet address or nicking seed phrases, the group was able to leverage wallet delegation to gain access. They convinced the user to sign a delegator contract that they had already registered.
You Are The Weakest Link
Still, one hack does not a crimewave make. Dissenters say the concerns are overstated. While EIP-7702 could provide a new attack surface for phishing scams, it doesn't remove the need for wallet signatures or enable unauthorized access on its own.
Assigning someone temporary superpowers over a vault where you keep sums of money sounds dangerous – and clearly can be – but only if you've been duped into signing off a fraudulent delegation.
That's not a blockchain failure; it's more akin to an insider threat. As with many cyber vulnerabilities, the weakest link might be you. That's something wallet software developers need to react to.
Ambire and Trust Wallet, the first two wallet companies to offer delegation features under EIP-7702, have already released patches and warnings.
Meanwhile, leading wallets like Ledger haven't enabled (at least publicly) a way for signing EIP-7702 'tuples,' the single-use permission slips smart wallet owners use to delegate access to others.
But that's starting to change. Some wallet developer kits already come with a technique called signAuthorization that generates valid delegation signatures. These can bypass the EIP-1193 API standard for interacting with dApps and sending ETH for payments. As more wallets add smart wallet functions, the use of delegation via signature will likely spread.
While the current uproar might be overheated, smart wallet delegation via EIP-7702 is a threat vector that bears watching. Just as earlier Ethereum improvements have been used for evil, more MetaMask-type incidents could happen with EIP-7702.
Wallet makers will hopefully follow Ambire's lead and ensure their user interface makes explicit what the user is delegating – and to whom.
The Take Away
Back in February, crypto exchange Bybit suffered one of the biggest crypto heists in history. The hack was enabled by a technique called "blind signing." Like delegation, blind signing extends the benefits of smart contracts to crypto users who are less technically inclined, giving them the option to approve a smart contract transaction without having to unpick all the fine details.
Most crypto wallet UIs can't display a code-heavy signing message in a format the average layman can understand. Blind signing offered a workaround – and an unintentional vector for theft.
While criticism of EIP-7702 is probably over-stated (there isn't a backdoor), there is a phishing risk if the wallet software you use doesn't clarify the identity and scope of a delegation.
Top tip: avoid signing off on Ethereum smart contract messages that consist solely of 32-byte hex strings.
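As an added illustration (not code from the article or from any wallet vendor it mentions) of the two defensive checks discussed above, a wallet UI naming the delegate an account points at, and Wintermute's observation that many delegations share one piece of code, the following Python uses the EIP-7702 delegation designator format (account code of exactly 0xef0100 followed by the 20-byte delegate address). The addresses, bytecode and allowlist are constructed placeholders, and sha256 stands in as a plain fingerprint of delegate bytecode.

```python
"""Defender-side checks for EIP-7702 delegation designators (constructed example)."""
import hashlib
from collections import Counter
from typing import Dict, Optional, Set

# Per EIP-7702, a delegated account's code is 0xef0100 || <20-byte delegate address>.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = len(DELEGATION_PREFIX) + 20


def delegate_of(code: bytes) -> Optional[str]:
    """Return the delegate address (0x-hex) if `code` is a delegation designator, else None."""
    if len(code) == DESIGNATOR_LEN and code.startswith(DELEGATION_PREFIX):
        return "0x" + code[len(DELEGATION_PREFIX):].hex()
    return None


def classify(code: bytes, allowlist: Set[str]) -> str:
    """Label an account for display: plain EOA, trusted delegate, or an unknown delegate.

    This is the 'what am I delegating, and to whom' line a wallet should show
    before the user signs; anything not on the allowlist is surfaced, not hidden.
    """
    target = delegate_of(code)
    if target is None:
        return "no delegation"
    if target.lower() in {a.lower() for a in allowlist}:
        return "trusted delegate"
    return f"UNKNOWN delegate {target}"


def cluster_by_bytecode(delegates: Dict[str, bytes]) -> Counter:
    """Group delegate contracts by a fingerprint of their runtime bytecode.

    Many distinct delegate addresses sharing identical code is the pattern
    Wintermute reported; sha256 is only a fingerprint here, not Ethereum's keccak.
    """
    return Counter(hashlib.sha256(code).hexdigest()[:16] for code in delegates.values())


def largest_cluster_share(delegates: Dict[str, bytes]) -> float:
    """Fraction of delegate contracts that belong to the single largest bytecode cluster."""
    counts = cluster_by_bytecode(delegates)
    return max(counts.values()) / len(delegates)


# Constructed sample data: placeholder addresses and bytecode, not real contracts.
TRUSTED = {"0x" + "11" * 20}
SWEEPER_CODE = bytes.fromhex("6000")  # stand-in for one copy-pasted sweeper contract
SAMPLE_DELEGATES = {
    "0x" + "aa" * 20: SWEEPER_CODE,
    "0x" + "bb" * 20: SWEEPER_CODE,
    "0x" + "cc" * 20: SWEEPER_CODE,
    "0x" + "11" * 20: bytes.fromhex("6080"),  # distinct code, on the allowlist
}
```

Running `classify(DELEGATION_PREFIX + bytes.fromhex("aa" * 20), TRUSTED)` flags the placeholder sweeper as an unknown delegate, while `largest_cluster_share(SAMPLE_DELEGATES)` reports that three of the four constructed delegates share one bytecode.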
© 2025 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.