You know, I'm a simple guy: I roll (mostly) with ETH, Tornado Cash, Railgun, BTC, Zcash, and XMR these days. I don't use L2s. I don't use Solana. I don't use fancy DeFi protocols (I like it KISS and trustless). Simply put: just tools that work and don't ask permission. It could've been simple, but somewhere along the way we chose to build a fragmented, bloated mess of chains instead. A monster of our own making.
One of the beauties of using EIP-7702 is that you can rescue all funds from a compromised wallet using a paymaster and a friendly delegator. There is _no need_ to send ETH to the compromised wallet at all! I decided this morning to write and open-source a fully-fledged Bash script that empowers anyone to run such rescues themselves. The flow of the script is basically:

- A paymaster account that covers gas fees and broadcasts all transactions (including the deployment of the friendly delegator).
- A victim account that signs the EIP-7702 authorisations.
- A friendly Vyper-based delegator contract `recoverooor`, deployed for each rescue and protected by a trusted `OWNER` account (defaults to the paymaster account).
- A single script, `go_eip7702.sh`, that can batch-recover all assets (there is a multicall option for any complex interactions needed, e.g. unstake and transfer).
I haven't fully tested everything so use with caution and use your brain as always please.
There is nothing I want more than for Ethereum to lead on privacy (scalability has always been a second priority for me tbh; not implying it's not important, to be clear). Not conditional privacy. Unconditional. Long-term, I shouldn't need to interact with a smart contract just to shield a simple ETH transfer. Privacy should be native at the L1. Look, I've been using Monero & Zcash for some time already (on that note, Ledger, please ship shielded addresses). I use them because their privacy is built-in & the UX is pretty smooth. That's exactly what I want from Ethereum. Simple, private, native payments. No extra steps. If we want to onboard people to privacy at a global scale, it must be native and easy. Full stop.
Seeing the first malicious EIP-7702 delegators being added to private-key-leaked victim addresses that revert on ETH transfers to prevent an "easy" rescue of locked funds. They first drain all the ETH and then authorise such a malicious delegator contract with a permissioned drain function. To rescue any remaining (locked) funds, you now need to selfdestruct-send ETH into the EOA first.
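As an added illustration of the paymaster-plus-friendly-delegator rescue flow from the script post above, and of the delegation check the malicious-delegator observation calls for, here is example code written for this page; it is not the author's `go_eip7702.sh` or `recoverooor` code. It uses only the Python standard library and builds the protocol-level pieces: the EIP-7702 authorization preimage the victim signs (`0x05 || rlp([chain_id, address, nonce])`), the authorization nonce for a paymaster-sponsored versus self-sponsored transaction, a parser for the `0xef0100 || address` delegation designator found at a delegated EOA, and the ERC-20 `transfer` calldata the delegator would forward. Keccak hashing and secp256k1 signing are left to a signing library; all addresses, nonces and amounts are constructed sample values, and `plan_rescue`/`RescuePlan` are names chosen here, not the script's.

```python
# Added example for this page (not the author's go_eip7702.sh / recoverooor):
# stdlib-only helpers for the protocol-level pieces of an EIP-7702 rescue.
from dataclasses import dataclass
from typing import List, Optional, Union

MAGIC = b"\x05"                               # EIP-7702 authorization signing prefix
DELEGATION_PREFIX = bytes.fromhex("ef0100")   # code stored at a delegated EOA
ERC20_TRANSFER = bytes.fromhex("a9059cbb")    # selector of transfer(address,uint256)

RlpItem = Union[int, bytes, List["RlpItem"]]


def _be(n: int) -> bytes:
    # RLP integers: big-endian, no leading zeros; 0 encodes as the empty string.
    return b"" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "big")


def _prefix(length: int, offset: int) -> bytes:
    # Short payloads (< 56 bytes) get a single prefix byte, longer ones a
    # length-of-length prefix (0xb7+len for strings, 0xf7+len for lists).
    if length < 56:
        return bytes([offset + length])
    ln = _be(length)
    return bytes([offset + 55 + len(ln)]) + ln


def rlp_encode(item: RlpItem) -> bytes:
    if isinstance(item, int):
        item = _be(item)
    if isinstance(item, (bytes, bytearray)):
        if len(item) == 1 and item[0] < 0x80:
            return bytes(item)
        return _prefix(len(item), 0x80) + bytes(item)
    payload = b"".join(rlp_encode(x) for x in item)
    return _prefix(len(payload), 0xC0) + payload


def address_bytes(addr: str) -> bytes:
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("an address is 20 bytes")
    return raw


def authorization_nonce(victim_nonce: int, victim_sends_tx: bool) -> int:
    # The tuple must carry the authority's nonce at the moment it is processed.
    # With a paymaster broadcasting the type-4 tx the victim's nonce is untouched,
    # so the current nonce is right; a self-sponsored tx has already consumed
    # one nonce by then, so the tuple needs current + 1.
    return victim_nonce + 1 if victim_sends_tx else victim_nonce


def authorization_preimage(chain_id: int, delegate: str, nonce: int) -> bytes:
    # The victim signs keccak256(MAGIC || rlp([chain_id, address, nonce])).
    # The keccak and secp256k1 steps belong to the signing library.
    return MAGIC + rlp_encode([chain_id, address_bytes(delegate), nonce])


def parse_delegation(code: bytes) -> Optional[str]:
    # A delegated EOA carries exactly 0xef0100 || address as its code;
    # empty code is a plain EOA, anything else is not a 7702 delegation.
    if len(code) == 23 and code[:3] == DELEGATION_PREFIX:
        return "0x" + code[3:].hex()
    return None


def erc20_transfer_calldata(to: str, amount: int) -> bytes:
    # Calldata the friendly delegator forwards (e.g. via raw_call) so the token
    # leaves the victim EOA, whose code is now the delegator's.
    return ERC20_TRANSFER + address_bytes(to).rjust(32, b"\x00") + amount.to_bytes(32, "big")


@dataclass
class RescuePlan:
    auth_nonce: int
    preimage: bytes                       # bytes the victim keccak-hashes and signs
    replaced_delegation: Optional[str]    # delegation being overridden, if any
    eth_sent_to_victim: int               # stays 0: the paymaster pays the gas


def plan_rescue(chain_id: int, victim_nonce: int, victim_code: bytes,
                friendly_delegator: str) -> RescuePlan:
    # Paymaster-sponsored flow: the victim only signs. The new authorization is
    # applied by the protocol rather than by executing the EOA's current code,
    # so a delegation that reverts on plain ETH transfers cannot block it and
    # no ETH has to reach the EOA.
    nonce = authorization_nonce(victim_nonce, victim_sends_tx=False)
    return RescuePlan(
        auth_nonce=nonce,
        preimage=authorization_preimage(chain_id, friendly_delegator, nonce),
        replaced_delegation=parse_delegation(victim_code),
        eth_sent_to_victim=0,
    )


if __name__ == "__main__":
    # Constructed sample values: not real accounts and not a real drainer.
    malicious_code = DELEGATION_PREFIX + bytes.fromhex("bad" + "0" * 37)
    plan = plan_rescue(1, 3, malicious_code, "0x" + "f" * 40)
    print("overriding delegation:", plan.replaced_delegation)
    print("authorization nonce:  ", plan.auth_nonce)
    print("sign keccak256 of:    ", plan.preimage.hex())
    print("ERC-20 sweep calldata:", erc20_transfer_calldata("0x" + "aa" * 20, 10**18).hex())
```

Feed `plan.preimage` to your wallet library's keccak256 + secp256k1 signer to obtain the `(y_parity, r, s)` that completes the authorization tuple the paymaster puts in its type-4 transaction's authorization list; the plan's `replaced_delegation` is the address to inspect before you sweep, since it is the contract the attacker installed.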