Pectra's EIP-7702: Redefining Trust Assumptions of Externally Owned Accounts (EOAs) in EVM
ID: c9488c07-a0ec-536d-aae4-1223f725c41c
STIX ID: report--c9488c07-a0ec-536d-aae4-1223f725c41c
Feed Name: CertiK Blog
This advisory explains how EIP-7702 (Pectra) lets EOAs set delegated bytecode, which invalidates common EVM assumptions (e.g., tx.origin == msg.sender and extcodesize-based EOA detection) and enables new attack vectors such as reentrancy, flash-loan/atomic sandwich bypasses, and unexpected token/ETH transfer reverts. CertiK observed suspicious BSC transactions leveraging these changes. The report provides PoCs and recommends replacing tx.origin checks, using reentrancy guards/CEI patterns, and assuming any address may have code.
