From 843f35c2a2f15ccda2c7075ee8817e31e187fbc7 Mon Sep 17 00:00:00 2001
From: lightclient <14004106+lightclient@users.noreply.github.com>
Date: Mon, 12 Aug 2024 17:16:42 -0400
Subject: [PATCH] Update EIP-7702: add more security considerations (#8776)

7702: add more security considerations
---
 EIPS/eip-7702.md | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/EIPS/eip-7702.md b/EIPS/eip-7702.md
index e270cc31ece26..086da297339f2 100644
--- a/EIPS/eip-7702.md
+++ b/EIPS/eip-7702.md
@@ -197,10 +197,24 @@ Allowing the sender of an EIP-7702 to also set code has the possibility to:
 
 The authors of this EIP believe the risks of allowing this are acceptable for the reasons outlined in the Rationale section.
 
-### Sponsored Transaction Relayers
+### Sponsored transaction relayers
 
 It is possible for the `authorized` account to cause sponsored transaction relayers to spend gas without being reimbursed by either invalidating the authorization (i.e. increasing the account's nonce) or by sweeping the relevant assets out of the account. Relayers should be designed with these cases in mind, possibly by requiring a bond to be deposited or by implementing a reputation system.
 
+### Front running initialization
+
+Smart contract wallet developers must consider the implications of setting code in an account without execution. Contracts are normally deployed by executing initcode to determine the exact code to be placed in the account. This gives developers the opportunity to initialize storage slots at the same time. The initial values of the account cannot be replaced by an observer, because they are either signed over by an EOA in the case of a creation transaction or they are committed to by computing the contract's address deterministically from the hash of the initcode.
+
+This EIP does not provide developers the opportunity to run initcode and set storage slots during delegation. To secure the account from an observer front-running the initialization of the delegation with an account they control, smart contract wallet developers must verify the initial calldata to the account for setup purposes be signed by the EOA's key using ecrecover. This ensures the account can only be initialized with desirable values.
+
+### Transaction propagation
+
+Allowing EOAs to behave as smart contracts via the delegation designation poses some challenges for transaction propagation. Traditionally, EOAs have only be able to send value via a transaction. This invariant allows nodes to statically determine the validity of transactions for that account. In other words, a single transaction has only been able to invalidate transactions pending from the senders account.
+
+With this EIP, it becomes possible to cause transactions from other accounts to become stale. This is due to the fact that once an EOA has delegated to code, that code can be called by anyone at any point in a transaction. It becomes impossible to know if the balance of the account has been sweeped in a static manner.
+
+While there are a few mitigations for this, the authors recommend that clients do not accept more than one pending transaction for any EOA with a non-zero delegation designator. This minimizes the number of transactions that can be invalidated by a single transaction. Another alternative would be to expand the EIP-7702 transaction with a list of accounts the caller wishes to "hydrate" during the transaction. Those accounts behave as the delegated code *only* for EIP-7702 transactions which include them in such a list, thus returning to clients the ability to statically analyze and reason about pending transactions.
+
 ## Copyright
 
 Copyright and related rights waived via [CC0](../LICENSE.md).