Executive Summary

Research from blockchain market maker Wintermute indicates that 48% of all Ethereum Improvement Proposal 7702 (EIP-7702) user authorizations since May 7th involve criminal activities, including phishing and the theft of funds. This finding contradicts earlier claims regarding the feature's security benefits, prompting increased scrutiny of new Ethereum Improvement Proposals and a re-evaluation of EIP-7702's implementation.

The Event in Detail

EIP-7702, introduced as part of the Pectra hard fork and deployed on the Ethereum mainnet earlier this year, was designed to enhance user experience and security. It allows externally owned accounts (EOAs) to temporarily function as smart contract wallets during transactions, enabling features such as transaction batching, gas sponsorship, and advanced programmability without permanently altering account structures or requiring migration to new wallets. Ethereum co-founder Vitalik Buterin had previously stated that EIP-7702 would provide users with "superpowers" and "guardrails," implying robust security alongside enhanced functionality.

However, Wintermute's analysis reveals a substantial security vulnerability. Out of 1,580,930 EIP-7702 activations recorded since May 7th, 768,275 were flagged as crime-related. The "crime" classification, according to Wintermute, refers to delegate contracts programmed to automatically sweep funds from externally owned accounts. By May 30, Wintermute observed that over 97% of all EIP-7702 delegations were authorized to these "sweeper" contracts, which are designed to automatically drain incoming Ethereum from compromised addresses. On average, EIP-7702 is used in approximately 6,285 transactions daily, representing about 0.37% of total Ethereum transactions.

Market Implications

The prevalence of criminal activity associated with EIP-7702 authorizations carries significant implications for the broader Ethereum ecosystem and investor sentiment. In August 2025, phishing scams leveraging EIP-7702-based exploits resulted in over $12 million in losses, impacting more than 15,000 victims. This figure represents a 67% increase in affected individuals and a 72% increase in monetary losses compared to July.

The design of EIP-7702 challenges long-standing security assumptions within Ethereum, notably concerning the tx.origin identifier. This identifier, traditionally used to distinguish EOAs from smart contracts, can be compromised as delegated EOAs can mimic pure EOAs. Such vulnerabilities could destabilize decentralized finance (DeFi) protocols and governance systems that rely on tx.origin checks. The perceived security risks may lead to increased caution regarding new Ethereum Improvement Proposals, a potential decrease in EIP-7702 adoption, and heightened awareness of phishing risks among users. Longer-term, these findings may necessitate a re-evaluation of EIP-7702's implementation and a focus on enhanced security audits, potentially delaying future upgrades or leading to significant modifications to restore user trust.

Expert Commentary

Wintermute's research team has actively worked to mitigate these risks, developing a tool dubbed "CrimeEnjoyor" to identify and warn users about malicious delegate contracts. This tool specifically flags contracts designed to auto-sweep funds from compromised wallets. Security firm Scam Sniffer has also reported on the exploits, noting an instance where a single Ethereum user lost $146,550 on May 23 by signing several malicious batched transactions. Experts note that while EIP-7702 expands Ethereum's capabilities, the current lack of robust verification makes it challenging to differentiate legitimate infrastructure from malicious exploitation, particularly for new users.

Broader Context

The issues with EIP-7702 unfold against a backdrop of increasing crypto crime. In May 2025, total crypto losses due to crime reached $647 million across 26 incidents, contributing to a year-to-date total approaching $3.5 billion. Smart contract exploits accounted for $242.4 million of these losses. The delegation mechanism within EIP-7702, which relies on a setcode transaction to authorize a smart contract, has emerged as a significant vector for phishing attacks. The design of EIP-7702, which prioritizes convenience and usability, has been noted as potentially overlooking caution. To mitigate risks, industry best practices now emphasize the importance of using reputable wallet providers that offer clear, human-readable explanations of granted permissions, employing transaction simulations to preview outcomes, and staying informed about potential vulnerabilities. These measures aim to empower users to navigate the complexities introduced by new protocol functionalities while minimizing exposure to exploitation.