GoPlus: EIP-7702 has been used in multiple recent contract attacks; project teams are advised to strengthen protections such as flash loan attack defenses

PANews | Jul 09, 2025 07:56
According to security firm GoPlus, several recent contract attacks have used EIP-7702 to bypass on-chain security checks, including msg.sender == tx.origin and msg.sender == _owner, enabling flash loan attacks and price manipulation and causing losses of nearly one million US dollars. Case analysis shows that the attackers operated through malicious delegator authorization, affecting well-known DeFi projects such as QuickConverter @QuickswapDEX and multiple CSM fund pools. EIP-7702 gives EOA addresses smart contract capabilities, which renders traditional security logic ineffective. GoPlus recommends that project teams strengthen flash loan and reentrancy protection, restructure their EOA checks and permission management logic, and continuously monitor the delegator authorization status of administrator addresses to guard against potential risks.
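The monitoring recommendation above can be sketched as follows; this is an added example, not code from GoPlus or PANews. It assumes the EIP-7702 delegation indicator format (0xef0100 followed by the 20-byte delegate address) as returned by eth_getCode; the function names, the allowlist and all sample addresses are hypothetical and constructed.

```python
from dataclasses import dataclass
from typing import Optional

DELEGATION_PREFIX = bytes.fromhex("ef0100")  # EIP-7702 delegation indicator
DELEGATION_LEN = 23  # 3-byte prefix + 20-byte delegate address

@dataclass(frozen=True)
class CodeStatus:
    kind: str                 # "eoa", "delegated_eoa" or "contract"
    delegate: Optional[str]   # lowercase 0x address when kind == "delegated_eoa"

def classify_code(code_hex: str) -> CodeStatus:
    """Classify the hex string returned by eth_getCode for an address."""
    raw = bytes.fromhex(code_hex[2:] if code_hex.lower().startswith("0x") else code_hex)
    if not raw:
        return CodeStatus("eoa", None)
    if len(raw) == DELEGATION_LEN and raw.startswith(DELEGATION_PREFIX):
        return CodeStatus("delegated_eoa", "0x" + raw[3:].hex())
    return CodeStatus("contract", None)

def audit_admins(codes: dict, approved_delegates: set) -> list:
    """Return (admin, finding) pairs for admin addresses that need review.

    codes maps admin address -> eth_getCode result; approved_delegates is a
    hypothetical allowlist of delegate contracts the team has reviewed.
    """
    findings = []
    approved = {a.lower() for a in approved_delegates}
    for admin, code_hex in sorted(codes.items()):
        status = classify_code(code_hex)
        if status.kind == "delegated_eoa" and status.delegate not in approved:
            findings.append((admin, "unapproved delegate " + status.delegate))
        elif status.kind == "contract":
            findings.append((admin, "address holds contract code, not an EOA"))
    return findings

# Constructed sample data (not real addresses or on-chain results).
SAMPLE_CODES = {
    "0x" + "a1" * 20: "0x",                          # plain EOA
    "0x" + "b2" * 20: "0xef0100" + "c3" * 20,        # delegated, not reviewed
    "0x" + "d4" * 20: "0xef0100" + "e5" * 20,        # delegated, on allowlist
    "0x" + "f6" * 20: "0x6080604052",                # ordinary contract code
}
APPROVED = {"0x" + "E5" * 20}

if __name__ == "__main__":
    for admin, finding in audit_admins(SAMPLE_CODES, APPROVED):
        print(admin, finding)
```

In a live monitor the `codes` mapping would be filled from periodic eth_getCode calls for each administrator address, with any new finding raised as an alert.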