What Are EIP-7702 Delegations?
EIP-7702 is a new Ethereum standard that allows wallets to delegate transaction execution to another contract. This makes advanced features like account abstraction and smart wallet functions possible. But it also introduces risk: when a malicious contract is delegated, it can control what happens to funds entering your wallet.
How Malicious Delegations Work
Scammers trick users into signing malicious delegations, often on fake sites disguised as free mints or giveaways. Once approved:
The malicious contract can auto-drain tokens as soon as they arrive.
Some contracts use fallback functions that instantly forward out any new balance.
The attacker doesn’t even need to submit a transaction—the drain can happen in the same block your funds arrive.
Example sequence:
A user signs a malicious delegation.
The contract drains what is available and stays delegated for future inflows.
Later, the user bridges with Relay. Relay delivers the funds correctly, but they disappear instantly because the delegated contract forwards them away.
Let's take a look at this real Relay transaction for example.
When checking the ETH balance for the recipient wallet on Base, there was no ETH.
Upon further inspection, however, we can see why.
First of all, we can see on the top of the wallet page on BaseScan that there is a Delegate Address set:
As a result, we can see the funds being received by the recipient wallet in the first part of the transaction, and then being forwarded from the receiving wallet to a third-party wallet set by the delegate wallet in the following line of the same transaction.
One important note: delegated addresses can differ from the final destination address, which makes detection harder.
As this example shows, the delegated address (in this case 0x3d47c41eDF0957a491049825008263582ef32F81) is not always the same as the wallet that it selects to receive the funds (in this case 0xD0c9A5645150E6adA5a5918C7cA71a287fDD87Dd).
Why Revoking Isn’t Enough
Most trusted wallets do not allow revoking delegations through their interface. Third-party tools are starting to appear, but even if they seem to remove the delegation, the underlying problem remains.
Key points:
Unknown delegations usually mean your keys or seed phrase have already been compromised.
Attempting to revoke may create a false sense of security.
The only reliable solution is to stop using the compromised wallet and move to a new one.
Why It Looks Like Relay’s Fault
Users often report “Relay stole their funds” because the loss occurs immediately after a Relay swap or bridge. In reality:
Relay’s role is to deliver funds to your wallet, which it does correctly.
The malicious delegation executes instantly, making Relay appear to be the trigger.
Attackers often wait for higher-value deposits, so Relay transactions become the visible drain point.
Every case investigated has shown the wallet was already compromised before using Relay.
How To Protect Yourself
Never sign delegation approvals from untrusted sources.
Always read signature prompts carefully.
Treat any unknown delegation as proof of compromise.
Move any assets to a fresh wallet with uncompromised keys.
Use https://eip7702.app to check if your wallets show delegations.
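What a delegation check looks at on-chain, as an added example (not Relay's or eip7702.app's code): under EIP-7702 a delegated account's code is the 3-byte indicator 0xef0100 followed by the 20-byte delegate address, so the value returned by eth_getCode can be classified directly. The function names and the trustedDelegates allowlist are hypothetical, and the sample code value is constructed from the delegate address quoted above.

```javascript
// Added example: classify an account from the bytecode that eth_getCode returns.
// EIP-7702 stores a "delegation indicator" as the account's code:
// the 3-byte prefix 0xef0100 followed by the 20-byte delegate address (23 bytes).
const DELEGATION_PREFIX = "ef0100";

// trustedDelegates is a hypothetical allowlist of delegate contracts you chose yourself.
function classifyAccountCode(codeHex, trustedDelegates = []) {
  if (typeof codeHex !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(codeHex)) {
    throw new TypeError("expected a 0x-prefixed hex string from eth_getCode");
  }
  const code = codeHex.slice(2).toLowerCase();
  if (code.length === 0) return { kind: "eoa", delegate: null, trusted: null };
  // Exactly 23 bytes (46 hex characters) starting with the indicator prefix.
  if (code.length === 46 && code.startsWith(DELEGATION_PREFIX)) {
    const delegate = "0x" + code.slice(DELEGATION_PREFIX.length);
    const trusted = trustedDelegates.some((a) => a.toLowerCase() === delegate);
    return { kind: "delegated", delegate, trusted };
  }
  return { kind: "contract", delegate: null, trusted: null };
}

// Pre-transfer gate: warn before sending funds to an account with an unknown delegate.
function shouldWarnBeforeTransfer(codeHex, trustedDelegates = []) {
  const result = classifyAccountCode(codeHex, trustedDelegates);
  return result.kind === "delegated" && !result.trusted;
}

// Fetch live code over JSON-RPC. rpcUrl is caller-supplied; this is not called below.
async function fetchAccountCode(rpcUrl, address) {
  const res = await fetch(rpcUrl, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_getCode", params: [address, "latest"] }),
  });
  const body = await res.json();
  if (body.error) throw new Error(body.error.message);
  return body.result;
}

// Constructed sample: the code an account delegated to the address in this article would carry.
const SAMPLE_DELEGATED = "0xef0100" + "3d47c41eDF0957a491049825008263582ef32F81";
console.log(classifyAccountCode(SAMPLE_DELEGATED)); // delegated, untrusted
console.log(classifyAccountCode("0x")); // plain EOA, no delegation
```

The check only reveals the delegate contract; as noted above, the address that finally receives forwarded funds can be a different one.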
What To Do If You Suspect a Malicious Delegation
Stop using the wallet immediately.
Transfer any recoverable assets to a secure new wallet.
Do not rely on revoking the delegation—the wallet should be treated as unsafe.
Review other wallets you control at https://eip7702.app for delegations.
If the drain happened after a Relay transaction, contact Relay support with your wallet address and transaction hash so we can confirm what occurred.
What Relay Is Doing
Even though these scams are not caused by Relay, we are:
Building detection for wallets with suspicious EIP-7702 delegations.
Adding warnings before users complete swaps or bridges into compromised wallets.
Exploring additional safeguards against related attack vectors.
Summary
EIP-7702 delegations are powerful but risky. If abused, they allow attackers to drain wallets instantly. Unknown delegations should be treated as evidence of a fully compromised wallet, not as something to simply revoke. Relay is not the cause of these scams, but we are committed to helping users detect and avoid them. The best defense is caution: never sign what you don’t understand, and if you find an unknown delegation, abandon that wallet and move to a secure one.