While EIP-7702 brings new convenience, it also introduces new risks. Our Research team found that over 97% of all EIP-7702 delegations were authorized to multiple contracts using the same exact code. These are sweepers, used to automatically drain incoming ETH from compromised addresses.
More insights from our @Dune dashboard ↓
What’s the “Crime” tag in our dashboard?
These are mostly delegate contracts designed to auto-sweep funds from EOAs with leaked private keys.
We highlighted this pattern in our original post, based on behavior seen across authorizations from compromised addresses.
At that time, the bytecode was not verified. Now, we’ve reversed the EVM bytecode into Solidity and published a verified version called CrimeEnjoyor.
Why verify it?
Because verified code makes intent visible. We no longer need to infer malicious behavior from transaction patterns or metadata.
This lets us:
Show exactly what the malicious contract does
Add a public warning
Clearly label it for other users
The CrimeEnjoyor contract is short, simple, and widely reused. This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations.
It’s funny, bleak, and fascinating at the same time.
It also reinforces a key point: New primitives like EIP-7702 expand what is possible, but without verification, labeling, and transparency tools, it becomes harder to tell infrastructure from exploitation, especially for new users.
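As an added example (not the dashboard's or this thread's own code), here is a Python check for the pattern described above: parse an EOA's code as an EIP-7702 delegation designator (0xef0100 followed by the 20-byte delegate address) and flag delegates whose runtime bytecode matches a labeled sweeper, so the copy-pasted code is caught even when it sits at a fresh address. The addresses, bytecode fragments and label table are constructed placeholders, not real on-chain values.

```python
"""Classify an EOA by its EIP-7702 delegation and the code at its delegate.
Added example; addresses, bytecode and labels below are constructed."""
from dataclasses import dataclass
from typing import Optional

# EIP-7702: a delegated EOA holds exactly 0xef0100 || 20-byte delegate address.
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = 3 + 20


def parse_delegation_designator(code: bytes) -> Optional[str]:
    """Return the delegate address (0x-hex) if `code` is a well-formed
    designator, else None (plain EOA, ordinary contract, or malformed)."""
    if len(code) != DESIGNATOR_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[3:].hex()


@dataclass
class Verdict:
    delegated: bool
    delegate: Optional[str]
    label: str  # "none", "crime", "wallet" or "unlabeled"


# Constructed label table: delegate address -> (label, expected runtime bytecode).
# A real table would come from a verified, labelled source such as a dashboard.
LABELS = {
    "0x1111111111111111111111111111111111111111": ("crime", bytes.fromhex("60003560")),
    "0x2222222222222222222222222222222222222222": ("wallet", bytes.fromhex("608060405234")),
}


def classify(eoa_code: bytes, delegate_code: bytes) -> Verdict:
    """Match on the delegate's bytecode, not only its address: identical
    sweeper code redeployed at a new address still gets the same label."""
    delegate = parse_delegation_designator(eoa_code)
    if delegate is None:
        return Verdict(False, None, "none")
    entry = LABELS.get(delegate)
    if entry and entry[1] == delegate_code:
        return Verdict(True, delegate, entry[0])
    for label, code in LABELS.values():  # unknown address, known code?
        if code == delegate_code:
            return Verdict(True, delegate, label)
    return Verdict(True, delegate, "unlabeled")
```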
New updates to our dashboard
We’ve added labels for delegate contracts used by:
@TrustWallet
Porto by @ithacaxyz
@thirdweb
v1 of @Uniswap Calibur
@FireblocksHQ
and more crime-tagged contracts
With more compromised contracts tagged, more activity can be surfaced and more users can be protected.
You can now also explore detailed activity analysis of EIP-7702.