Threat model

Threat Model

/+---------------------+             +----------------------+
|     User Wallet     |  Grants     |    Session Key       |
+---------------------+  -------->  +----------------------+
       (private)                        (ephemeral, scoped)

Threat vectors:

Compromised session keys
Overbroad permissions (unscoped delegation)
Replay attacks or race conditions

Mitigation:

Allow only specific method selectors
Set TTL (time-to-live) on delegation
Use nonces and hash commitments in signed payloads

Previous▸ EIP-7702 Session Key Risks NextSession revocation mechanism

Last updated 1 month ago