Ever imagined interacting with DApps as smoothly as a single click — with approvals and transactions bundled together, and even gas fees covered by the project team? That’s exactly what EIP-7702 is designed to enable. It's seen as a key milestone toward account abstraction, bringing smart contract wallet capabilities to regular wallets.
But while this innovation promises convenience, it's also being exploited by hackers — creating new risks to user asset security.
What is EIP-7702?
EIP-7702 can be thought of as a “smart butler” for your crypto wallet. Normally, only you can control your wallet — but with EIP-7702, a single signature lets you authorize a piece of code to act on your behalf. This could include things like batching multiple transfers or covering gas fees for you.
The goal is to boost efficiency and solve key limitations of traditional wallets — combining multiple steps into a single transaction, supporting third-party gas payments, and potentially enabling “session keys” in the future for seamless interactions like gaming without repeated signatures.
It all sounds incredibly convenient — but here’s the risk: if that “butler” turns out to be malicious code in disguise, you’ve effectively handed over the master key to a scammer, allowing them to drain your assets without you even noticing.
Current Status of EIP-7702 Authorization
While EIP-7702 was designed with good intentions, it has also introduced new security vulnerabilities. According to data from Dune, as of June 2025, around 79,000 authorization transactions have been recorded across 48,000 addresses. Alarmingly, over 97% of these approvals were granted to a single malicious contract — with more than 65% of the resulting funds ultimately funneled to the same hacker-controlled address (0x8938...e704).
This data highlights a troubling trend: many users have unknowingly handed over control of their wallets to attackers. These exploits are now highly automated and executed at scale, posing a serious threat to user asset security.
Attack Cases
Case 1: Airdrop Bait — One Signature, Wallet Drained
Nick came across an “official airdrop” link from a popular project on social media. The post claimed that simply connecting a wallet and signing would earn rewards. After clicking the link, a signature request appeared in his wallet — displaying only a string of unreadable hash values. Thinking it was just a standard login verification, Nick clicked “Confirm” out of habit.
Unbeknownst to him, the request was actually a malicious EIP-7702 authorization crafted by scammers. Once signed, the attacker immediately scanned and drained his wallet — including ETH, USDT, and NFTs. By the time Nick checked back, all his assets were gone.
Case 2: Private Key Leak + EIP-7702 Exploit
Mike’s computer was unknowingly infected with malware that exposed his private key. While he remained unaware, attackers patiently monitored his wallet, waiting for a larger balance to accumulate before striking.
Previously, draining a wallet required multiple transactions to transfer different assets — a costly and potentially detectable process. With EIP-7702, however, the attacker simply used the stolen private key to sign a single delegated authorization, installing a malicious “sweeper” contract — a so-called smart butler — inside Mike’s wallet. As shown below, the hacker could then take full control of his assets in one seamless, undetectable move.
(EIP-7702 Transactions Delegated by Users to Malicious Contracts)
Security Alert:
To protect users’ assets at the source, imToken currently does not support triggering EIP-7702 authorization. This means that as long as you operate through the official imToken app, such malicious authorization cannot be triggered, effectively reducing related risks.
- Avoid using EIP-7702 delegation functions lightly. Wait until industry-wide security mechanisms mature before exploring these features.
- Do not use unfamiliar wallets for EIP-7702-related actions.
- Never sign transactions you don’t fully understand, especially those involving approvals.
- Regularly review your wallet’s authorizations, at least once a month, using tools like Revoke.cash, Allowance, or the "Authorizations (EIP-7702)" tab on Etherscan, and revoke any suspicious approvals you find.
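A defender-side check for the last point, added here as an example and not code from the imToken post: it decodes the account code returned by `eth_getCode` to tell whether an address currently carries an EIP-7702 delegation and to which contract. Under EIP-7702 a delegated account's code is the 3-byte prefix `0xef0100` followed by the 20-byte delegate address, and delegating to the zero address clears the code again; the denylist entry below is a constructed placeholder, since the post's truncated hacker address cannot be used.

```python
import json

# EIP-7702 delegation designator: 0xef0100 || 20-byte delegate address (23 bytes total).
DELEGATION_PREFIX = bytes.fromhex("ef0100")

# Constructed placeholder denylist; in practice, populate this from a maintained
# threat feed. Addresses are compared in lowercase hex.
KNOWN_MALICIOUS_DELEGATES = {"0x" + "11" * 20}


def get_code_request(address: str, block: str = "latest", request_id: int = 1) -> str:
    """Build the JSON-RPC body to fetch an account's code (send it to any Ethereum node)."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id,
                       "method": "eth_getCode", "params": [address, block]})


def parse_delegation(code_hex: str):
    """Decode the eth_getCode result.

    Returns the delegate address (lowercase hex) if the code is an EIP-7702
    designator, "" for empty code (a plain EOA, or a delegation that was revoked
    by authorizing the zero address), or None for ordinary contract bytecode.
    """
    raw = code_hex[2:] if code_hex.startswith("0x") else code_hex
    code = bytes.fromhex(raw)
    if len(code) == 0:
        return ""
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None


def assess(code_hex: str, denylist=KNOWN_MALICIOUS_DELEGATES) -> dict:
    """Classify an account so a wallet or monitoring job can warn the user."""
    delegate = parse_delegation(code_hex)
    if delegate is None:
        return {"status": "contract", "delegate": None}
    if delegate == "":
        return {"status": "no_delegation", "delegate": None}
    if delegate.lower() in {d.lower() for d in denylist}:
        return {"status": "delegated_to_known_malicious", "delegate": delegate}
    # Any other delegate still deserves a manual review: it can move all assets.
    return {"status": "delegated_review", "delegate": delegate}


if __name__ == "__main__":
    # Constructed sample eth_getCode results, not real on-chain data.
    for sample in ("0x", "0xef0100" + "11" * 20, "0xef0100" + "22" * 20, "0x6080604052"):
        print(sample[:14], "->", assess(sample))
```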
imToken Is Always Protecting Your Token Security
In May, imToken marked a total of 3504 risky tokens, banned 767 risky DApp websites and marked 1087 risky addresses.
In addition, if you find any suspiciously risky tokens or DApps, please contact us: support@token.im to help more users avoid token losses.
Closing Thoughts
Scams are constantly evolving, and it is genuinely challenging for average users to prevent them entirely. imToken is committed to rapidly detecting issues and finding solutions, providing timely messages to the community, and educating users about the various types of scams so they can avoid losses.
We encourage you to read and share the imToken Wallet Security Monthly Report and to join hands with imToken in safeguarding your token security.