Intentionally flawed code with potential pitfalls in custom contracts for EIP-7702 delegate accounts.
Use this repository to learn about 7702 in a practical way. Tweak the contracts and tests, extend them, try out newer and more complex implementations. Whatever you want - except deploying them to prod.
Contracts increase in complexity. They're meant to be studied sequentially.

## DelegateContractV0

- Missing `receive` function => can't receive ETH
- Lack of access controls in `execute` => anyone can execute calls

## DelegateContractV1

- Deceiving `constructor`. Guardians are not set in the context of accounts delegating to `DelegateContractV1`.

## DelegateContractV2

- Open initialization
- Can be reinitialized

## DelegateContractV3 and DelegateContractV3_1

- Initialization signature too weak (e.g., replayable across contracts, chains)

## DelegateContractV4

- Storage collision between `paused` and `init` if deployed as an upgrade of V3. Account may start paused and initialized.

## DelegateContractV5

- Lack of nonce management allows signature replays => `oneTimeSend` can be used to drain the account.
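A hardened counterpart, added here as an example and not one of this repository's contracts: it adds `receive`, restricts `execute` to the account itself, and binds both the initialization and `oneTimeSend` signatures to the chain id, the account address, the function selector and a nonce, which addresses the V0, V2/V3 and V5 pitfalls above. The contract name, `guardian`, and the digest layout are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not one of the repository's contracts. Assumes the EOA delegates to this
// code via EIP-7702, so `address(this)` is the EOA and all state lives in the EOA's storage.
contract HardenedDelegateExample {
    bool public initialized;
    address public guardian;
    uint256 public nonce;

    // V0 pitfall: without this, plain ETH transfers to the account revert.
    receive() external payable {}

    // V0 pitfall: only the account itself may trigger arbitrary calls.
    modifier onlySelf() {
        require(msg.sender == address(this), "not self");
        _;
    }
    // V3/V5 pitfalls: bind every signed message to chain, account, function and nonce,
    // so it cannot be replayed on another chain, another account, or a second time.
    function _digest(bytes4 selector, bytes memory payload) internal view returns (bytes32) {
        return keccak256(abi.encode(block.chainid, address(this), selector, nonce, payload));
    }

    // The EOA's own key must have signed the digest; consuming the nonce prevents replay.
    function _verifyAndConsume(bytes32 digest, uint8 v, bytes32 r, bytes32 s) internal {
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == address(this), "bad signature");
        nonce++;
    }

    // V2/V3 pitfalls: initialization runs once and only with the account's signature.
    function initialize(address _guardian, uint8 v, bytes32 r, bytes32 s) external {
        require(!initialized, "already initialized");
        _verifyAndConsume(_digest(this.initialize.selector, abi.encode(_guardian)), v, r, s);
        initialized = true;
        guardian = _guardian;
    }
    function execute(address to, uint256 value, bytes calldata data) external onlySelf returns (bytes memory) {
        (bool ok, bytes memory ret) = to.call{value: value}(data);
        require(ok, "call failed");
        return ret;
    }
    // V5 pitfall: the same payload signed twice is rejected because the nonce has moved on.
    function oneTimeSend(address to, uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        _verifyAndConsume(_digest(this.oneTimeSend.selector, abi.encode(to, amount)), v, r, s);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
    }
}
```

The example signs a raw keccak digest for brevity; a production account would use EIP-712 typed data so that wallets display what is being authorised and the digest cannot collide with other message formats.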

## DelegateContractV6

- Anything bad here?

We might extend this repository with flawed cases of:

- Interactions with the ERC4337 entrypoint
- New signature schemes (such as WebAuthn)
- Standard batch execution interfaces (like EIP-7821)

## Resources

- EIP-7702: set EOA account code
- EIP-7821: minimal batch executor interface
- github.com/ithacaxyz/odyssey-examples
- EIP-7702: a technical deep dive by lightclient
- ithaca.xyz/writings/exp-0001
- ithaca.xyz/writings/exp-0002
- github.com/ithacaxyz/account
- EIP-7702 with Scaffold-ETH 2
- Basic EOA Batch Executor by @optimizoor

All code in this repository is intentionally vulnerable and for educational purposes only. DO NOT USE IN PRODUCTION.