Exclusive Interview With Alchemy’s Will Hennessy




As Ethereum’s Pectra upgrade gets closer, Alchemy’s Will Hennessy talks about why EIP-7702 isn’t for beginners and what blockchain developers need to be aware of.

Ethereum developers have announced that the highly anticipated Pectra upgrade will launch on April 8. The update will introduce new mechanisms aimed at boosting Ethereum’s transaction processing speed, reducing gas fees, and adding smart accounts that can execute multiple transactions simultaneously and even pay gas fees with different cryptocurrencies.

While the update is set to go live on the mainnet in April, it has already been rolled out on Ethereum’s Holesky testnet, though the rollout faced some challenges, including issues with transaction finality and unexpected delays in account abstraction functionality.

Crypto.news spoke with Will Hennessy, product manager at blockchain infrastructure company Alchemy, about whether the upgrade brings any hidden threats, why he believes EIP-7702, a key part of Pectra, isn’t suitable for beginners, and what wallet providers need to know before implementing it.

CN: Ethereum eventually wants every wallet to work like a smart contract, and the 2025 Pectra upgrade (EIP-7702) seems to play a big step in that direction, as it’ll let regular wallets run smart contract code without needing a full account overhaul. But wouldn’t that update make it easier for bad actors to disguise malicious smart contracts as regular EOAs?

WH: EIP-7702 doesn’t actually make it easier to disguise malicious contracts. Here’s why:

The delegation mechanism requires explicit user authorization — nothing happens automatically or without user awareness. The EOA owner must actively choose to delegate control to a smart contract through a specific signature. This delegation is permanent until explicitly revoked.

What’s important to understand is that the EOA’s private key retains full control and can override smart account behavior. This is actually a safety feature — if a user discovers they’ve delegated to a malicious contract, they can always use their EOA’s private key to revoke the delegation.

This is why we don’t recommend EIP-7702 for new users — it’s better for them to start with pure smart accounts that allow for safer key rotation and multi-sig policies that can’t be bypassed. EIP-7702 is most valuable for upgrading existing EOA wallets that already have assets or history, giving them access to smart contract features in a controlled way.

For wallet providers, we recommend implementing clear security measures:

  • Visual indicators when users bypass smart account security.
  • Automated reputation checks for delegate contracts.
  • Chain-specific warnings when delegation states differ across networks.

So, while EIP-7702 adds new capabilities to EOAs, it includes security considerations in its design and maintains user control through explicit authorization and revocation options. The goal isn’t to make it easier to run arbitrary code — it’s to enable existing wallets to access smart contract features safely.

CN: Could EIP-7702 lead to an increase in phishing scams, given that EOAs can now execute smart contract logic?

WH: While EIP-7702 adds new functionality to EOAs, it doesn’t inherently increase phishing risk. The key point is that executing smart contract logic still requires explicit authorization from the EOA owner.

Think of it like adding account recovery to your email — it adds new functionality but doesn’t make your account more vulnerable. In fact, EIP-7702 can help make wallets more secure by enabling better security features like:

  • Session keys for limited-time authorizations.
  • Social recovery options.
  • More sophisticated transaction validation.
  • The ability to set spending limits and other safety controls.

Users maintain full control through their EOA’s private key, which can override or revoke any delegated functionality. This means if a user identifies malicious behavior, they can immediately revoke access.

That said, wallet providers need to implement proper security measures:

  • Clear user interfaces showing when smart contract features are being used.
  • Strong verification of delegate contracts.
  • Easy-to-understand delegation management.
  • Clear warnings when users are taking actions that bypass smart account security.

For users with existing EOA wallets who want these features, the upgrade path through EIP-7702 is actually easier than alternatives like creating new smart contract wallets and transferring all assets over. The key is proper implementation by wallet providers and clear user education about how these new features work.

CN: Should we expect blockchain providers like Alchemy — or even wallets — to step up with protections against these kinds of attacks?

WH: Yes, security is our absolute top priority. Our smart accounts have been thoroughly audited, and we’ve been securing critical infrastructure for the Ethereum ecosystem for over 7 years. We’ll continue to maintain the same rigorous security standards as we support EIP-7702 adoption.

We’re already helping apps prepare for this transition with EIP-7702 support in Account Kit, our smart wallet toolkit.

CN: Why has it taken Ethereum so long to bring account abstraction to life?

WH: The journey to account abstraction in Ethereum has been methodical for a good reason. Modifying how accounts work at the protocol level requires extreme care since it affects every user and application on the network.

Early attempts at account abstraction proposed more radical changes to Ethereum’s core architecture. These proposals would have required major modifications to the Ethereum Virtual Machine itself, which carried significant technical risk and implementation complexity.

Instead, the ecosystem took a stepwise approach. First came ERC-4337, which enabled smart contract accounts — essentially working around the need for deep protocol changes. This let the community test and refine account abstraction concepts in production.

Now with EIP-7702, we’re seeing a more elegant solution that builds on those learnings. Rather than completely restructuring how accounts work, it enables EOAs to delegate capabilities to smart contracts while maintaining backwards compatibility. This preserves the security properties users trust while unlocking new functionality.

Each step has required extensive testing, security audits, and community consensus. When you’re dealing with a network securing hundreds of billions in value, this measured approach to fundamental change is crucial. The goal has been to expand wallet capabilities without compromising Ethereum’s core security and reliability.

What we’re seeing now isn’t just account abstraction finally arriving — it’s account abstraction done right, informed by years of research, testing, and real-world experience.
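Editor's added example, not part of the interview and not Alchemy's code: a sketch of two wallet-side checks recommended above, vetting the delegate contract and warning when delegation state differs across networks. It relies on the EIP-7702 specification (a delegated EOA's code is the 23-byte designator `0xef0100` followed by the delegate address); the chain names, addresses and the allowlist standing in for a "reputation check" are constructed assumptions.

```javascript
// EIP-7702 delegation designator: 0xef0100 followed by the 20-byte delegate address.
const DESIGNATOR_PREFIX = "ef0100";

// Classify the hex string returned by eth_getCode for an account.
function parseAccountCode(codeHex) {
  const hex = (codeHex || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length === 0) return { kind: "eoa", delegate: null };
  // 3 prefix bytes + 20 address bytes = 23 bytes = 46 hex characters.
  if (hex.length === 46 && hex.startsWith(DESIGNATOR_PREFIX)) {
    return { kind: "delegated", delegate: "0x" + hex.slice(6) };
  }
  return { kind: "contract", delegate: null };
}

// Build wallet warnings from per-chain code and a vetted-delegate allowlist.
// The allowlist is a stand-in (assumption) for whatever reputation source a wallet uses.
function delegationWarnings(codeByChain, allowlist) {
  const vetted = new Set(allowlist.map((a) => a.toLowerCase()));
  const states = {};
  const warnings = [];
  for (const [chain, code] of Object.entries(codeByChain)) {
    const st = parseAccountCode(code);
    states[chain] = st;
    if (st.kind === "delegated" && !vetted.has(st.delegate)) {
      warnings.push(`${chain}: delegate ${st.delegate} is not on the vetted list`);
    }
  }
  // Same account, different delegate (or none) on another chain: surface it to the user.
  const distinct = new Set(Object.values(states).map((s) => s.delegate || "none"));
  if (distinct.size > 1) {
    warnings.push("delegation state differs across networks");
  }
  return { states, warnings };
}

// Constructed sample eth_getCode responses for one account (addresses are made up).
const SAMPLE = {
  mainnet: "0xef0100" + "11".repeat(20),
  "chain-b": "0x",
  "chain-c": "0xef0100" + "22".repeat(20),
};
const VETTED = ["0x" + "11".repeat(20)];

console.log(delegationWarnings(SAMPLE, VETTED).warnings);
```

In a real wallet the `codeByChain` values would come from an `eth_getCode` call against each supported network for the user's address.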


