WhySoGeek.

EIP-7702 Explained: How Your Ethereum Wallet Got Smart Account Powers

Ethereum's Pectra upgrade let ordinary wallets temporarily act like smart contracts. Here is what EIP-7702 changes and what to watch out for.

Sam Carter 9 min read

Ethereum's Pectra upgrade introduced EIP-7702, a change that lets an ordinary wallet temporarily behave like a smart contract. If you have heard the term "smart EOA" and want a clear explanation without the jargon, this is for you. It is one of the more consequential wallet changes in years, and it comes with a new attack surface that is worth understanding before you tap "approve."

Quick answer

EIP-7702 (live since Ethereum's Pectra fork on May 7, 2025) lets your existing wallet, same address, same key, temporarily delegate its behavior to a smart contract during a transaction. That unlocks batching, gas sponsorship, paying fees in non-ETH tokens, and revocable session keys, without migrating to a new account. The catch: a delegation is a signature that hands code control of your account, and phishing crews have already drained seven-figure sums through malicious delegations. Only delegate to contracts inside wallets and apps you trust, and learn how to revoke a delegation.

Key takeaways

  • EIP-7702 lets your existing wallet, with the same address and same key, temporarily "delegate" its behavior to a smart contract during a transaction.
  • It unlocks batching, gas sponsorship, paying fees in non-ETH tokens, and revocable session keys, without migrating to a new account.
  • It went live with the Pectra hard fork on Ethereum mainnet on May 7, 2025, and major wallets like MetaMask, Rabby, and Coinbase Wallet shipped support through 2025.
  • The convenience widens the attack surface: phishing crews have already drained seven-figure sums via malicious delegations, and one batch-transaction attack cost a single user over $1.5 million.
  • A delegation is a signature you must read carefully, and you should know how to revoke one.

The two kinds of Ethereum accounts

Before Pectra, Ethereum had a hard split:

  • Externally Owned Accounts (EOAs): the normal wallet you control with a private key or seed phrase. Simple, but limited. One transaction at a time, gas paid in ETH only, no recovery if you lose the key.
  • Smart contract accounts: programmable accounts with features like batching, recovery, and spending limits. Powerful, but historically required moving to a new account type with a new address.

EIP-7702 bridges that gap. It lets your existing EOA, with the same address and same key, temporarily delegate its behavior to a smart contract.

Here is how the three account models stack up:

| Capability | Plain EOA | Smart EOA (EIP-7702) | Smart account (ERC-4337) |
|---|---|---|---|
| Keeps your existing address | Yes | Yes | No (new account) |
| Batch multiple actions in one click | No | Yes | Yes |
| Gas paid by a third party | No | Yes | Yes |
| Pay fees in non-ETH tokens | No | Yes (some setups) | Yes |
| Revocable session keys | No | Yes | Yes |
| Main risk to watch | Key loss | Malicious delegation target | Misconfigured account contract |

What "smart EOA" unlocks

By pointing an EOA at a piece of contract code, wallets can offer features that previously required a full smart account:

Transaction batching

Approve a token and swap it in a single click instead of two separate signatures and two gas payments.

Gas sponsorship

A dapp or third party can pay the gas, enabling "gasless" actions. Issuers have used this to let users move stablecoins like USDC without holding ETH for fees.

Pay gas in other tokens

Instead of needing ETH on hand, fees can be covered in another token in some setups.

Session keys and granular permissions

Grant a limited, revocable permission for a specific app rather than signing everything manually.

Note

EIP-7702 does not replace ERC-4337, the existing smart-account standard. It complements it, bringing similar conveniences to the EOAs most people already use without forcing a migration to a new address.

How it works under the hood

Pectra went live on Ethereum mainnet on May 7, 2025. EIP-7702 introduced a new transaction type (often called Type 4) that includes an "authorization" pointing your EOA at a contract's code. While that delegation is in effect, calls to your address run that contract logic. The key never changes and the address never changes; only the behavior is augmented.

Major wallets adopted it quickly, which is part of why you may have seen new "batch" or "sponsored" features appear in familiar apps without changing wallets. Dashboards tracking Type 4 transactions showed steady week-over-week growth through 2025 and into 2026, with batched transactions and gas-sponsored onboarding as the most common patterns.


The security trade-offs

More power means more ways to get hurt if you are careless. This is the part people skip, and it is the part that matters.

  • Delegation is a signature. When you authorize your EOA to use contract code, you are trusting that code. Malicious or buggy delegation targets are a real risk. Security researchers found that the overwhelming majority of early mainnet delegations pointed at a small set of "sweeper" contracts designed to drain funds the moment a victim signed.
  • Phishing adapts fast. Drainers craft authorization prompts that look routine. By late summer 2025, one user lost over $1.5 million in a single 7702 batch-transaction phishing attack, and another lost roughly $146,000 to a drainer variant riding on a legitimate-looking delegator.
  • New signature formats can dodge warnings. EIP-7702 delegation messages are not the familiar EIP-191 or EIP-712 formats and can appear as bare 32-byte hashes, which means some wallets show fewer human-readable safeguards. Treat any unfamiliar hash-only signing request with suspicion.
  • Replay risk. A delegation authorized with chain ID zero can be replayed across EVM chains. Prefer wallets that scope authorizations to a specific chain.
  • Revocation matters. Understand how your wallet lets you clear or change a delegation. Treat a lingering delegation to an unknown contract like a lingering token approval: review and remove it.
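
The checks in the list above can be applied mechanically before a wallet or signing service produces a signature. The following is an added example, not code from this article or from any wallet: it reviews the fields an EIP-7702 authorization commits to (chain ID, delegate address, nonce, as named in the EIP) and flags chain ID zero and unknown delegation targets. The policy object, the finding codes and every address are constructed for illustration; the treatment of the zero address as a revocation follows the EIP-7702 specification.

```javascript
// Added example: pre-signing policy check for an EIP-7702 authorization.
// Tuple fields (chainId, address, nonce) follow the EIP; the policy shape,
// finding codes and all sample addresses are constructed for illustration.
const ZERO_TARGET = "0x" + "00".repeat(20);

function reviewAuthorization(auth, policy) {
  if (typeof auth.address !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(auth.address)) {
    throw new Error("authorization address must be 20 bytes of hex");
  }
  const target = auth.address.toLowerCase();
  const chainId = BigInt(auth.chainId);
  const findings = [];

  if (chainId === 0n) {
    findings.push({ code: "CHAIN_ID_ZERO", block: true,
      why: "authorization is valid on every EVM chain and can be replayed" });
  } else if (chainId !== BigInt(policy.connectedChainId)) {
    findings.push({ code: "CHAIN_MISMATCH", block: true,
      why: "authorization is scoped to a chain other than the connected one" });
  }

  if (target === ZERO_TARGET) {
    // Per the EIP, delegating to the zero address clears the account's code.
    findings.push({ code: "REVOCATION", block: false,
      why: "zero address clears the existing delegation" });
  } else if (!policy.trustedTargets.has(target)) {
    findings.push({ code: "UNTRUSTED_TARGET", block: true,
      why: "delegate contract is not on the wallet's allowlist" });
  }

  return { target, chainId, allow: !findings.some((f) => f.block), findings };
}

// Constructed sample policy and signing requests.
const policy = {
  connectedChainId: 1, // Ethereum mainnet
  trustedTargets: new Set(["0x" + "a1".repeat(20)]),
};
const requests = [
  { chainId: 1, address: "0x" + "A1".repeat(20), nonce: 7 }, // trusted, chain-scoped
  { chainId: 0, address: "0x" + "a1".repeat(20), nonce: 7 }, // replayable everywhere
  { chainId: 1, address: "0x" + "de".repeat(20), nonce: 7 }, // unknown delegate
  { chainId: 1, address: ZERO_TARGET, nonce: 8 },            // revocation
];
for (const r of requests) {
  const v = reviewAuthorization(r, policy);
  console.log(v.allow ? "ALLOW" : "BLOCK", v.findings.map((f) => f.code).join(","));
}
```

A request that arrives only as a bare 32-byte hash cannot be reviewed this way, because the fields cannot be recovered from the hash; the check needs the tuple itself.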

Warning

Only delegate to contracts from wallets and apps you trust. If a site you do not recognize asks you to authorize new code for your account, stop. The convenience of smart EOAs is real, but so is the new attack surface, and it overlaps heavily with the broader wallet-drainer and approval scams already common in crypto.

What comes next

EIP-7702 is described by Ethereum's roadmap as a hybrid, opt-in step. Future work aims toward more native account abstraction at the protocol level, where smart-account behavior could become the default for new accounts rather than something an EOA opts into per delegation. That direction is still being developed, so expect the experience to keep evolving. The same upgrade cycle that delivered Pectra also reshaped costs on Ethereum's scaling layer; if you want to understand why everyday transactions are so cheap now, see our breakdown of how Layer 2 gas fees are built.

What to do right now

If you use Ethereum and a modern wallet, take a few minutes to get ahead of the risk:

  • Find where your wallet (MetaMask, Rabby, Coinbase Wallet) displays active delegations and how it revokes them. Do this before you ever need it.
  • Open a block explorer, look up your address, and check whether it currently has code attached (an active delegation). If it does and you do not recognize it, revoke it.
  • Treat any hash-only or unfamiliar signing request as hostile until you understand exactly what it delegates to.
  • Prefer wallets that scope authorizations to a specific chain ID, never chain ID zero, to avoid cross-chain replay.
  • Only use batching and gasless features inside reputable apps; never sign a delegation prompted by a site you do not recognize.
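
What "code attached" means on-chain, as an added example that is not part of the original article: under the EIP-7702 specification an active delegation is stored as account code of exactly 23 bytes, the prefix `0xef0100` followed by the 20-byte delegate address. The functions below classify the hex string returned by the standard `eth_getCode` JSON-RPC call and decide whether a delegation should be kept or revoked; the function names, the `recognized` set and all sample addresses are constructed for illustration.

```javascript
// Added example: classify account code to detect an EIP-7702 delegation.
// Delegation designator per the EIP: 0xef0100 || <20-byte delegate address>.
const DELEGATION_PREFIX = "ef0100";

function classifyAccountCode(codeHex) {
  if (typeof codeHex !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(codeHex)) {
    throw new Error("expected 0x-prefixed hex as returned by eth_getCode");
  }
  const code = codeHex.slice(2).toLowerCase();
  if (code.length === 0) return { kind: "plain-eoa", target: null };
  // 3-byte prefix + 20-byte address = 23 bytes = 46 hex characters.
  if (code.length === 46 && code.startsWith(DELEGATION_PREFIX)) {
    return { kind: "delegated", target: "0x" + code.slice(6) };
  }
  return { kind: "contract", target: null };
}

// recognizedTargets: Set of lowercase delegate addresses the owner knowingly authorized.
function auditDelegation(codeHex, recognizedTargets) {
  const result = classifyAccountCode(codeHex);
  if (result.kind !== "delegated") return { ...result, action: "none" };
  const action = recognizedTargets.has(result.target) ? "keep" : "revoke";
  return { ...result, action };
}

// Constructed sample values, not real contracts.
const recognized = new Set(["0x" + "a1".repeat(20)]);
const samples = {
  noCode: "0x",                               // ordinary EOA
  knownDelegate: "0xef0100" + "a1".repeat(20), // delegation the owner recognizes
  unknownDelegate: "0xEF0100" + "DE".repeat(20), // delegation to an unknown contract
  contract: "0x6080604052",                   // ordinary contract bytecode fragment
};
for (const [name, code] of Object.entries(samples)) {
  console.log(name, auditDelegation(code, recognized));
}
```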

Frequently asked questions

Does EIP-7702 change my wallet address or seed phrase?

No. That is the whole point. Your address and private key stay exactly the same. EIP-7702 only temporarily augments how your account behaves during a transaction by delegating to contract code. Your existing backups still work, though you should still follow strong seed-phrase and self-custody practices.

Is it safe to use the new batching and gasless features?

The features themselves are legitimate and widely adopted, but safety depends entirely on what you delegate to. Using batching inside a reputable wallet or dapp is generally fine; signing a delegation prompted by an unknown site is dangerous. The risk is the delegation target, not the feature.

How do I know if my account has an active delegation?

Reputable wallets surface active delegations in their settings or security view, and block explorers show whether an address has code attached. If you cannot tell, that is itself a reason to be cautious. Learn where your specific wallet displays and revokes delegations before you authorize one.

What is the difference between EIP-7702 and ERC-4337?

ERC-4337 is a separate smart-account standard that requires a dedicated smart-contract account. EIP-7702 brings many of the same conveniences to ordinary EOAs without a migration. They coexist and can even be used together; 7702 is the on-ramp for the wallets most people already have.

The bottom line

EIP-7702 quietly upgraded the everyday Ethereum wallet, adding batching, gas sponsorship, and finer permissions without forcing anyone to switch addresses. The features are genuinely useful, but they extend what a single signature can authorize, and attackers noticed immediately. Enjoy the convenience, and read every delegation prompt as carefully as you would a token approval.
