EIP-7702 Delegation Checker

Is your EOA silently delegated to a smart contract? Paste any Ethereum address and find out — plus flag known phishing/sweeper delegates.

About this tool

EIP-7702 shipped on Ethereum mainnet with the Pectra upgrade in May 2025. It lets an externally owned account (EOA) install code — turning your regular wallet into something that behaves like a smart contract account, without changing your address. It's the biggest change to how EOAs work since Ethereum launched.

Everything runs through a single signed authorization tuple. One signature installs code that persists on your account until you replace it. That power is what enables gas sponsorship, batched transactions, and passkey wallets. It's also what makes the phishing category dangerous in a new way: one wrong signature and every future call to your EOA runs attacker-supplied code.

This tool answers the direct question: is a given address currently delegated under EIP-7702, and to what? Paste an address, it reads the on-chain code, detects the 23-byte 0xef0100 delegation indicator, extracts the delegate contract, and cross-references it against Wintermute Research's hand-curated categorization of EIP-7702 delegate contracts on Dune — surfacing whether the delegate is a legitimate wallet vendor (MetaMask, Bitget, Alchemy, Trust Wallet, and others) or a Wintermute-tagged sweeper contract.

Currently in phase 1 — the address checker. Phase 2 will add the raw authorization tuple decoder (paste [chain_id, address, nonce, y_parity, r, s], see what a wallet is about to sign, recover the EOA who would be delegated).

Open source. Runs against public Ethereum RPC. No signup, no tracking.

Frequently Asked Questions

What is EIP-7702, in one paragraph?+

A transaction type (0x04) that lets an EOA install code on itself by signing a small authorization tuple: [chain_id, address, nonce, y_parity, r, s]. Once processed, your account's code field is set to the 23-byte value 0xef0100 || delegate_address. When anyone calls your account after that, the EVM follows that pointer and runs the delegate's code inside your account — your storage, your balance, your nonce. This is what enables gas sponsorship, batched transactions, and passkey wallets, and it's also the mechanism behind a new class of phishing sweepers.

What does 0xef0100 mean, and why those specific bytes?+

It's the delegation indicator — the fixed 3-byte prefix that identifies a code field as an EIP-7702 delegation rather than a normal deployed contract. 0xef is the specific opcode banned by EIP-3541 (contracts can't start with 0xef through normal deployment), so the presence of that first byte is an unambiguous signal that the code was installed via a set-code transaction. 0x0100 is a version identifier. The remaining 20 bytes after the prefix are the delegate contract's address.

How does one signature install persistent code?+

The user signs a hash: keccak256(0x05 ++ rlp([chain_id, address, nonce])). The 0x05 byte is a domain separator — it guarantees this signature can't be replayed as any other kind of Ethereum message. A sponsor then submits a type-0x04 transaction containing that signature, and if it's valid the network writes 0xef0100 || delegate_address into the signer's code field. The delegation persists across transactions until the account owner signs a new authorization replacing it.

What is chainId = 0 and why is it dangerous?+

The chain_id field in an authorization tuple can be set to 0, which means 'valid on every EVM chain.' This is legitimately useful for wallets that want to upgrade across all chains with one signature. But it's the mechanism behind cross-chain replay attacks: a victim signs a chainId=0 tuple thinking it applies to one chain, and an attacker replays the same tuple on other chains where the signer has the same address (same nonce assumption), installing the malicious delegation everywhere at once. If a dApp asks you to sign a chainId=0 authorization, treat it with the same suspicion you'd give an unlimited token approval.

How do I un-delegate my account?+

Sign a new authorization tuple with the delegate address set to the zero address (0x0000000000000000000000000000000000000000). When that transaction is included, the delegation indicator is cleared and your account returns to plain EOA state — code field back to empty. Some wallets expose this as a 'reset' or 'remove smart account' option. Verify it worked by pasting your address here again after the reset transaction confirms.

What's a CrimeEnjoyor contract?+

CrimeEnjoyor is the informal name given to a family of minimal sweeper contracts that early phishing operations delegated victim EOAs to. The pattern was simple and identical across variants: a tiny bytecode that, when called, forwards all ETH and token balances to an attacker-controlled address. Because delegation is persistent, once a victim signed the authorization, every subsequent transaction to their account — including automated retries from wallet software — routed funds to the attacker. Multiple security firms tracked these variants in the first months after Pectra shipped, and estimates at the time suggested a large majority of early delegations pointed at addresses in this family.

Why does EXTCODESIZE on a delegated account only return 23?+

This is a subtle but important detail from the EIP. When another contract inspects your delegated account with EXTCODESIZE, it sees the size of the delegation indicator (23 bytes) — not the size of the delegate's actual code. But when your account's code runs (because someone called it), the CODESIZE opcode inside that execution returns the delegate's full code size. The asymmetry lets contracts detect that an address is a 7702-delegated EOA rather than a regular contract, without breaking the code-runs-with-the-account model. Some contracts use this to gate behavior on whether the caller is a plain EOA.

Can the same account be delegated to different contracts on different chains?+

Yes. Delegation state is per-chain (unless the original signature used chainId=0). Your Ethereum mainnet EOA can be delegated to one contract, your same address on Base delegated to a different one, and your Arbitrum address undelegated. This tool currently checks Ethereum mainnet; multi-chain support is on the roadmap for a later phase.

Is this tool safe to use with my address?+

Yes. The tool only does read operations — it calls getCode on an RPC endpoint, which is a public query that anyone can make against any address. No signature is ever requested, no wallet connection is needed, and no address is stored server-side. You're not authorizing anything by using this.

Why is my delegate showing 'unknown' instead of safe or malicious?+

The known-delegates list is curated and finite. When your delegate isn't in either the whitelist or the blocklist, the tool tells you honestly that it can't classify it. That's a signal to look up the delegate address on Etherscan, check whether the contract is verified, whether it's been publicly audited, and whether the wallet vendor you use has published it as their implementation. False confidence would be more dangerous than 'unknown.'

Data source

Delegate classifications are sourced from Wintermute Research's hand-curated categorization table on Dune Analytics (query 5145294). We sync nightly via GitHub Actions and treat their tags as flags, not verdicts. This tool currently knows about 134 delegate contracts.

Last synced: Tue, 14 Jul 2026 18:56:01 GMT

Explore more tools