🫨 Smart wallet, dumb panic
EIP-7702 delegation ≠ drain

Ethereum’s latest upgrade, Pectra, introduced smart account functionality for regular wallets via EIP-7702 — spawning a wave of online panic. Critics claim it lets hackers drain wallets with a single signature, but the truth is more nuanced. Here’s what 7702 actually does, and how to stay safe.
— Macauley

“Hyperliquid”:
Source: Dune
Hyperliquid has zero ongoing points or incentive programs. Yet, the perps DEX continues to lead the market, with a dominant 71% market share of all perps trading volumes.
Even Bloomberg is discussing Hyperliquid now. Can Hyperliquid be stopped?
In the last seven days, Hyperliquid saw $54b in trading volumes ($52.7b in perps and $1.3b in spot). That translates to $10.8m in weekly trading fees, 93% of which goes to its “assistance fund” to conduct HYPE token buybacks — a move that Drift is similarly planning to implement. HYPE buybacks contributed to a daily average of $1.38m in buying pressure, according to steven.hl.
Hyperliquid has a comfortable lead in DeFi, but still has a ways to go against CEX perps. According to HyperDash, Hyperliquid has ~14.5% market share against Binance Futures’ 51.4% and Bybit’s 34.1%.
For a detailed valuation projection for HYPE, see Blockworks Research’s report by Boccacio.
Debunking EIP-7702 panic
A Solidity developer friend of mine reached out on Signal the other day in a tizzy. “I can’t believe this,” he wrote. “How did Ethereum developers let this happen?”
He was referring to a recent article worrying about Ethereum’s Pectra upgrade — specifically EIP-7702 — and its supposed ability to let hackers “drain wallets with just an offchain signature.” The piece has been bandied about on X/Twitter, it seems, though not by people I follow. Fears were clearly being stoked in some circles that a new transaction type quietly enabled attackers to seize control of wallets without an onchain transaction or even a user’s knowledge.
But like many things in crypto, the reality is both more nuanced — and less dramatic.
Ethereum’s recent Pectra upgrade, activated on May 7, introduced a powerful mechanism that enables externally owned accounts (EOAs) to temporarily act like smart accounts. But the rollout has been accompanied by breathless claims that it exposes users to some insane new risk.
Those headlines are misleading. While EIP-7702 could introduce a new attack surface for phishing, it doesn’t bypass wallet signatures or allow unauthorized access per se. Instead, the wallet owner signs a special message that grants the temporary superpowers. But if that message falls into the wrong hands, someone else could take control — as if handing over a private key to your wallet for a single session.
Sounds dangerous, and it can be, but only if a user is tricked into signing a malicious delegation. It’s not a protocol failure, but something for wallet software publishers to take account of.
Security researchers and wallets responded proactively to 7702. For example, alongside support for the feature, Ambire and Trust Wallet released patches or warnings. Wallets that don’t yet support 7702 are not suddenly made insecure. But confusion spread with viral tweets claiming EIP-7702 made hardware wallets “no longer safe,” for example.
Will Hennessy, a product manager at Alchemy, strongly pushed back on that narrative:
“It’s a non-issue for end users,” he told Blockworks. “No wallet supports signing arbitrary delegations, nor is there a wallet RPC for a dapp to request an arbitrary delegation signature.”
He’s right…today. Mainstream wallets like MetaMask and Ledger don’t expose a method for signing EIP-7702 authorization tuples — the term for the one-time-use permission slip, signed by the wallet owner.
But that’s beginning to change. Embedded wallet SDKs — including Alchemy’s own Account Kit — already include a method called signAuthorization that creates valid EIP-7702 signatures. These products can bypass the EIP-1193 standard entirely by bundling their own provider. As wallets begin to natively support smart accounts, this functionality will likely spread.
“The article describes signing a message with a wallet from a malicious website,” Hennessy added, “but it is not possible for any website to request an EIP-7702 delegation signature from an external wallet.”
Keep an eye on this threat vector. Just as existing standards have been exploited in “blind signing” attacks, the same could happen with EIP-7702 if wallet UX isn’t explicit about what the user is delegating and to whom.
TL;DR — the criticism of 7702 as an “auto-drain” threat is exaggerated. There is no magical backdoor, and attackers still need your signature. But the phishing risk is there if wallets don’t clearly show the contract, nonce and scope of a delegation.
So, don’t sign opaque 32-byte hex strings, people. Favor wallets that flag EIP-7702 requests and simulate the delegated contract. Pectra opens the door to powerful smart account features, but remember, with great power…


YO yield optimizer launches:
Source: YO
New yield farming protocol YO launched this week.
The Paradigm-backed YO (yield optimizer) has all the trappings of what’s needed for a successful yield aggregator to work in 2025.
It’s non-custodial.
YO abstracts away the complexities of multichain bridging and the need for users to understand how major DeFi primitives like Morpho and Pendle work.
It automatically rebalances your capital to offer you the best risk-adjusted yields, so you know your money probably isn’t ending up in some LP farm for a low-cap shitcoin.
YO’s risk ratings are backed by Exponential.Fi, a team that’s worked for some time in the DeFi risk space. Exponential’s risk frameworks are what underpin DefiLlama’s yield farming pages. They’re an experienced team that understands the myriad DeFi risks, including asset death spirals, oracle and governance risks, chain staking concentration, etc.
The only place that I think YO falls short is that its APYs still fundamentally rely on “existing yields.” For instance, Turtle Club, another yield farming protocol, offers exclusive “boosted” yields through collective bargaining arrangements with protocols (that typically come in points). But that is fundamentally a BD, not a technological, game.
YO has accumulated $15m in deposits — about $8m more since I first checked on its launch date four days ago.
— Donovan Choy
