🤖 AI Summary
EIP-7702’s delegation mechanism enables externally owned accounts (EOAs) to grant unconditional, persistent execution authority over themselves to arbitrary smart contracts via a single signature—introducing novel, persistent phishing attacks.
Method: We conduct the first systematic analysis of its three triggering vectors (user-, attacker-, and protocol-driven), identify new attack surfaces—including ERC-4337 remote delegation reuse and cross-chain replay—and perform the first large-scale empirical study across multiple EVM-compatible chains. Our methodology integrates on-chain behavioral analysis, controlled experiments, multi-chain event tracing, and address/contract clustering, covering over 150,000 delegation and execution events.
Contribution/Results: We empirically confirm highly centralized malicious adoption, resulting in substantial asset losses. We further propose deployable, protocol-level defenses, establishing foundational practical insights for securing account abstraction ecosystems.
📝 Abstract
EIP-7702 introduces a delegation-based authorization mechanism that allows an externally owned account (EOA) to authenticate a single authorization tuple, after which all subsequent calls are routed to arbitrary delegate code. We show that this design enables a qualitatively new class of phishing attacks: instead of deceiving users into signing individual transactions, an attacker can induce a victim to sign a single authorization tuple that grants unconditional and persistent execution control over the account.
Through controlled experiments, we identify three reliable trigger pathways: user-driven, attacker-driven, and protocol-triggered. Each can lead to full account takeover and complete asset drainage. We further propose two extended attack surfaces. First, ERC-4337's EntryPoint pipeline enables remote and repeated activation of the delegated code without further victim involvement. Second, the chain-agnostic authorization mode permits replay-like compromises across independent networks.
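The two properties the abstract relies on, that a delegated EOA's code becomes a fixed delegation designator pointing at the delegate contract, and that an authorization tuple with chain_id 0 is valid on every EVM chain, can both be checked mechanically by a wallet or monitoring tool before signing or after the fact. The following script is an added example written for this page, not code from the paper or its authors; the reviewed-delegate allowlist and the sample addresses are constructed placeholders, and the designator layout (0xef0100 followed by the 20-byte delegate address) is taken from the EIP itself.

```python
"""Wallet-side checks for EIP-7702 delegations (added example, not the paper's code).

Two defender-side checks:
  1. Is an EOA currently delegated?  After a type-0x04 transaction applies an
     authorization, the EOA's code becomes the 23-byte designator
     0xef0100 || <20-byte delegate address>.
  2. Before signing an authorization tuple (chain_id, address, nonce, ...),
     does it look risky?  chain_id == 0 makes it valid on every EVM chain,
     and an unreviewed delegate means arbitrary code will run as the account.
"""
from dataclasses import dataclass
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")
DELEGATE_ADDR_LEN = 20
DELEGATION_CODE_LEN = len(DELEGATION_PREFIX) + DELEGATE_ADDR_LEN  # 23 bytes


@dataclass(frozen=True)
class Authorization:
    """Unsigned part of an EIP-7702 authorization tuple (signature fields omitted)."""
    chain_id: int
    address: str   # delegate contract, 0x-prefixed hex
    nonce: int


def parse_delegation(code: bytes) -> Optional[str]:
    """Return the delegate address if `code` is an EIP-7702 designator, else None.

    Plain EOAs have empty code and contracts have real bytecode; only an exact
    23-byte 0xef0100-prefixed blob counts as a delegation, so nothing is guessed.
    """
    if len(code) != DELEGATION_CODE_LEN or not code.startswith(DELEGATION_PREFIX):
        return None
    return "0x" + code[len(DELEGATION_PREFIX):].hex()


def assess_authorization(auth: Authorization, local_chain_id: int,
                         allowlist: set[str]) -> list[str]:
    """Return risk findings for an authorization the user is about to sign.

    An empty list means nothing was flagged. `allowlist` holds delegate contracts
    the wallet vendor has reviewed (a hypothetical policy assumed for this example).
    """
    findings: list[str] = []
    if auth.chain_id == 0:
        findings.append("chain_id=0: chain-agnostic, the same signature is valid on every EVM chain")
    elif auth.chain_id != local_chain_id:
        findings.append(f"chain_id={auth.chain_id} does not match the connected chain {local_chain_id}")
    if auth.address.lower() not in {a.lower() for a in allowlist}:
        findings.append(f"delegate {auth.address} is not a reviewed delegate contract")
    return findings


# --- constructed sample data (not real on-chain values) -----------------------
REVIEWED_DELEGATES = {"0x1111111111111111111111111111111111111111"}  # assumption
UNKNOWN_DELEGATE = "0x2222222222222222222222222222222222222222"

# What eth_getCode would return for an EOA delegated to UNKNOWN_DELEGATE
DELEGATED_EOA_CODE = DELEGATION_PREFIX + bytes.fromhex(UNKNOWN_DELEGATE[2:])


def demo() -> dict:
    """Run both checks on the constructed samples and return the results."""
    return {
        "plain_eoa": parse_delegation(b""),
        "delegated_eoa": parse_delegation(DELEGATED_EOA_CODE),
        "safe_auth": assess_authorization(
            Authorization(1, "0x1111111111111111111111111111111111111111", 7), 1, REVIEWED_DELEGATES),
        "risky_auth": assess_authorization(
            Authorization(0, UNKNOWN_DELEGATE, 7), 1, REVIEWED_DELEGATES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first check is the one a user can run on their own address after the fact (feed the result of eth_getCode into parse_delegation); the second is the pre-signature gate that addresses the single-signature takeover described above, since a tuple that is chain-agnostic or points at an unreviewed delegate is exactly the shape of the persistent, replayable grant the paper warns about.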
We also present the first empirical measurement of EIP-7702 usage across major EVM chains. Analyzing over 150k authorization and execution events involving 26k addresses and hundreds of delegator contracts, we assess the protocol's real-world footprint. Our findings show that EIP-7702 authorizations are highly centralized, dominated by a small number of contract families linked to criminal activity and repeatedly reused across incidents. Corresponding loss data reveals substantial theft of ETH, ERC-20 tokens, and NFTs. These results provide practical evidence that the attack surface we identify is not merely theoretical, but is already being exploited at scale. We conclude by proposing protocol-level defenses to mitigate the delegation-based phishing vector introduced by EIP-7702.