Standards

EIP-7702

EIP-7702 lets an externally owned account set delegated smart contract code while keeping its address.

EIP-7702 lets a normal wallet act more like a smart account.

EIP-7702 Explained in Detail

EIP-7702 adds a way for an externally owned account to use delegated code. The account keeps its address while calls execute logic from another contract, and that delegation can persist until replaced or cleared.

That breaks a long-standing assumption: during a call, an EOA may now execute code.

Smart contract example

EOA authorizes delegated code -> call executes account logic

Protocols that rely on "EOA means no code" need new review.

EIP-7702 in Auditing

EIP-7702 affects authorization, batching, replay protection, relayer flows, and contract-detection logic. Checks based on tx.origin, extcodesize, or contract allow/block lists may no longer mean what developers expect.

Auditors focus on what the delegated code can do in the account's context.
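The diagram above and the tx.origin and extcodesize point deserve concrete code. The following Solidity is an added illustration, not code from the page or from any referenced project; the library and contract names are assumed for the example. It reads the delegation designator that EIP-7702 stores in the account's code and annotates what two common "caller must be an EOA" gates actually check once delegation exists.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

/// Reads the delegation designator that EIP-7702 stores as the account's code:
/// 0xef0100 || implementation (23 bytes). EXTCODESIZE and EXTCODECOPY return this
/// designator, not the implementation's bytecode.
library DelegationProbe {
    function delegationOf(address account) internal view returns (address impl) {
        assembly {
            // Only a 23-byte code body can be a designator.
            if eq(extcodesize(account), 23) {
                // Copy the first 32 bytes of code into scratch space; bytes past
                // the 23-byte designator are zero-padded.
                extcodecopy(account, 0x00, 0x00, 0x20)
                // The top three bytes must be the prefix 0xef0100.
                if eq(shr(232, mload(0x00)), 0xef0100) {
                    // Bytes 3..22 hold the implementation address.
                    impl := shr(96, shl(24, mload(0x00)))
                }
            }
        }
    }
}

/// Two gates that protocols have used to mean "caller is a plain EOA",
/// with comments on what each one actually checks after EIP-7702.
contract EoaGateExamples {
    /// Before EIP-7702: only an EOA can be tx.origin, and an EOA has no code.
    /// After: a delegated EOA can send a transaction to itself and run its
    /// delegated code in that same call, so msg.sender == tx.origin holds while
    /// code is executing. This gate no longer proves "no code runs here".
    modifier senderIsOrigin() {
        require(msg.sender == tx.origin, "contracts not allowed");
        _;
    }

    /// Before EIP-7702: zero code size was read as "EOA". After: a delegated EOA
    /// reports a code size of 23, so this gate rejects legitimate delegated
    /// wallets, while a contract calling from its constructor still reports 0,
    /// as it always did. The gate is both too strict and too loose.
    modifier senderHasNoCode() {
        require(msg.sender.code.length == 0, "contracts not allowed");
        _;
    }

    function deposit() external payable senderIsOrigin senderHasNoCode {}

    /// Review helper: tells the three cases apart instead of collapsing them
    /// into "has code" / "has no code".
    function classify(address account) external view returns (string memory) {
        if (DelegationProbe.delegationOf(account) != address(0)) {
            return "EOA with EIP-7702 delegation";
        }
        if (account.code.length == 0) {
            return "no code: EOA, or contract still in its constructor";
        }
        return "contract";
    }
}
```

When reviewing, treat the two modifiers as documentation of intent rather than as a guarantee: the question is what the protocol actually needs (no reentrancy, no flash-loan atomicity, one action per human), and whether that property still holds when the caller is an EOA running delegated code.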

Red flags in code

  • Protocol assumes EOA callers cannot execute code.

  • Delegated wallet logic omits nonce, target, calldata, value, deadline, or domain checks for user actions.

  • Delegated code writes to storage without a stable layout.

  • Revocation or upgrade paths are unclear.

  • Batched actions bypass per-action checks.

How to test or review it

  • Model a user account that executes delegated code.

  • Check EIP-7702 delegation authorizations separately from application-level action signatures.

  • Check storage layout and revocation behavior.

  • Test protocols that block contracts but allow EOAs.

  • Review interactions with multicall and account abstraction flows.
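The red flags about omitted nonce, target, calldata, value, deadline and domain checks, unstable storage layout and batches that bypass per-action checks, together with the review step of keeping delegation authorizations separate from action signatures, are easiest to see in a minimal delegation target. The contract below is an added illustration, not code from the page or from any wallet project; its name, typehash string and storage namespace are assumed. Once an EOA has authorized it as delegated code, every call to the EOA runs this logic with address(this) equal to the EOA and with state living in the EOA's own storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

contract DelegatedAccount {
    struct Call {
        address target;
        uint256 value;
        bytes data;
    }

    /// Application-level replay protection. This counter is separate from the
    /// EOA's protocol nonce, which the EIP-7702 authorization tuple consumes
    /// when the delegation itself is set, replaced or cleared.
    struct AccountStorage {
        uint256 nonce;
    }

    /// Namespaced slot so that re-delegating the same EOA to another
    /// implementation later does not reinterpret slot 0 as something else.
    /// (ERC-7201-style namespacing; the slot formula is simplified here.)
    bytes32 private constant STORAGE_SLOT = keccak256("example.delegated.account.v1");

    bytes32 private constant EXECUTE_TYPEHASH =
        keccak256("Execute(bytes32 callsHash,uint256 nonce,uint256 deadline)");

    /// Without a receive function the delegated EOA would reject plain ETH transfers.
    receive() external payable {}

    /// Runs a batch. Either the EOA key sends the transaction itself
    /// (msg.sender == address(this)), or a relayer submits a signature from
    /// that key that covers every call, the nonce and a deadline.
    function execute(Call[] calldata calls, uint256 deadline, bytes calldata signature)
        external
        payable
        returns (bytes[] memory results)
    {
        if (msg.sender != address(this)) {
            require(block.timestamp <= deadline, "expired");
            AccountStorage storage s = _storage();
            uint256 nonce = s.nonce++;
            bytes32 structHash = keccak256(abi.encode(EXECUTE_TYPEHASH, _hashCalls(calls), nonce, deadline));
            bytes32 digest = keccak256(abi.encodePacked("\x19\x01", _domainSeparator(), structHash));
            // The signer must be the EOA itself, i.e. address(this) under EIP-7702.
            require(_recover(digest, signature) == address(this), "bad signature");
        }
        results = new bytes[](calls.length);
        for (uint256 i; i < calls.length; i++) {
            (bool ok, bytes memory ret) = calls[i].target.call{value: calls[i].value}(calls[i].data);
            require(ok, "call failed");
            results[i] = ret;
        }
    }

    /// Binds target, value and calldata of every action into one hash, so a
    /// relayer cannot drop, reorder or modify individual actions of the batch.
    function _hashCalls(Call[] calldata calls) private pure returns (bytes32) {
        bytes32[] memory hashes = new bytes32[](calls.length);
        for (uint256 i; i < calls.length; i++) {
            hashes[i] = keccak256(abi.encode(calls[i].target, calls[i].value, keccak256(calls[i].data)));
        }
        return keccak256(abi.encodePacked(hashes));
    }

    /// verifyingContract is address(this), the EOA itself, so a signature for
    /// one account cannot be replayed against another account that delegates
    /// to the same implementation; chainid prevents cross-chain replay.
    function _domainSeparator() private view returns (bytes32) {
        return keccak256(
            abi.encode(
                keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
                keccak256("DelegatedAccount"),
                keccak256("1"),
                block.chainid,
                address(this)
            )
        );
    }

    function _storage() private pure returns (AccountStorage storage s) {
        bytes32 slot = STORAGE_SLOT;
        assembly {
            s.slot := slot
        }
    }

    function _recover(bytes32 digest, bytes calldata signature) private pure returns (address) {
        require(signature.length == 65, "bad signature length");
        bytes32 r = bytes32(signature[0:32]);
        bytes32 s = bytes32(signature[32:64]);
        uint8 v = uint8(signature[64]);
        // Reject high-s values so each digest has exactly one valid encoding.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "bad signature");
        return signer;
    }
}
```

Each red flag maps to a line here: the EIP-712 struct binds nonce, deadline and the hash of every target, value and calldata; the domain binds chain and account; state sits in a namespaced slot rather than slot 0; and the batch is signed as a whole so no single action can be altered in transit. Revocation is not in the contract at all: the EOA clears or replaces the delegation with a new EIP-7702 authorization, which is why the review checklist separates that authorization from the action signatures this contract verifies.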
