EIP-7702 API 📜🚀

🇧🇷 Português | 🇺🇸 English

---

Português

Uma implementação completa do EIP-7702 (Set Code for EOAs) em Go, demonstrando:

• ✅ Delegação segura de EOAs para Smart Contracts
• ✅ Transações patrocinadas (sponsor paga gas, signer executa)
• ✅ Multicall (múltiplas operações em uma transação)
• ✅ Validações de segurança conforme especificação EIP-7702

🔧 Setup Rápido

git clone https://github.com/omnes-tech/eip-7702-go
cd eip7702-demo

# Criar .env
echo 'RPC_URL=https://holesky.infura.io/v3/YOUR_KEY' > .env

# Rodar
go run .

A API estará em http://localhost:8080

📋 Contratos Deployados (Holesky)

Contrato	Endereço	Função
Token ERC20	0x93d77bE58A977350B924C0694242b075eB26AEdE	Token de teste para mint/transfer
SimpleDelegateContract	0x1f0F9d7e19991e7E296630DC0073610f23CF066a	Contrato que executa as operações

🛣️ Rotas da API

📋 Informações

GET /contracts

Retorna endereços dos contratos e chain ID.

curl http://localhost:8080/contracts

Resposta:

{
  "token_contract": "0x93d77bE58A977350B924C0694242b075eB26AEdE",
  "simple_delegate_contract": "0x1f0F9d7e19991e7E296630DC0073610f23CF066a",
  "chain_id": 17000
}

---

🔧 Build Call Data (Helpers)

POST /build-call/mint

Constrói call data para mint de tokens.

curl -X POST http://localhost:8080/build-call/mint \
  -H "Content-Type: application/json" \
  -d '{
    "recipient": "0x253180Be159557D4A708F008A55bC2aB4570c8D3",
    "amount": "1000"
  }'

Resposta:

{
  "call_data": "0xc6c3bbe600000000000000000000000093d77be58a977350b924c0694242b075eb26aede000000000000000000000000253180be159557d4a708f008a55bc2ab4570c8d300000000000000000000000000000000000000000000003635c9adc5dea00000"
}

POST /build-call/transfer

Constrói call data para transfer de tokens.

curl -X POST http://localhost:8080/build-call/transfer \
  -H "Content-Type: application/json" \
  -d '{
    "recipient": "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
    "amount": "500"
  }'

POST /build-call/send-eth

Constrói call data para envio de ETH.

curl -X POST http://localhost:8080/build-call/send-eth \
  -H "Content-Type: application/json" \
  -d '{
    "recipient": "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
    "amount": "0.1"
  }'

POST /build-call/generic

Constrói call data para qualquer função.

curl -X POST http://localhost:8080/build-call/generic \
  -H "Content-Type: application/json" \
  -d '{
    "function_signature": "approve(address,uint256)",
    "parameters": ["0x8BEC2524bf186318e97107D75C2F05aA5C260486", "1000000000000000000"]
  }'

---

🔐 Autorização

POST /authorize

Cria uma autorização EIP-7702 (não envia transação).

curl -X POST http://localhost:8080/authorize \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "pk_exemplo_signer_substitua_por_sua_chave_privada",
    "contract_address": "0x1f0F9d7e19991e7E296630DC0073610f23CF066a"
  }'

Resposta:

{
  "chain_id": 17000,
  "address": "0x1f0F9d7e19991e7E296630DC0073610f23CF066a",
  "nonce": 475,
  "v": 0,
  "r": "0xa7e1004f87df4cb7bbdebc9127e75b53d667a4dfefb0eafe366a92ebea531faa",
  "s": "0x15be9024bfb412a266a6488224c2599d385a814fe696fff2dcc59f3e6a661ff6",
  "signer": "0x5bb7dd6a6eb4a440d6c70e1165243190295e290b",
  "created_at": 1703123456
}

---

🚀 Execução Patrocinada

POST /sponsor-mint ⭐

Fluxo completo: Autoriza + Minta tokens + Envia transação.

curl -X POST http://localhost:8080/sponsor-mint \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "pk_exemplo_signer_substitua_por_sua_chave_privada",
    "sponsor_pk": "pk_exemplo_sponsor_substitua_por_sua_chave_privada",
    "recipient": "0x253180Be159557D4A708F008A55bC2aB4570c8D3",
    "amount": "1000"
  }'

#example tx: txhash-mint

Resposta:

{
  "tx_hash": "0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef"
}

POST /sponsor-transfer ⭐

Transfer de tokens patrocinado.

curl -X POST http://localhost:8080/sponsor-transfer \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "pk_exemplo_signer_substitua_por_sua_chave_privada",
    "sponsor_pk": "pk_exemplo_sponsor_substitua_por_sua_chave_privada",
    "recipient": "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
    "amount": "500"
  }'

#example tx: txhash-transfer

POST /sponsor-eth ⭐

Envio de ETH patrocinado.

curl -X POST http://localhost:8080/sponsor-eth \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "pk_exemplo_signer_substitua_por_sua_chave_privada",
    "sponsor_pk": "pk_exemplo_sponsor_substitua_por_sua_chave_privada",
    "recipient": "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
    "amount": "0.01"
  }'

POST /sponsor-generic - com execute ⭐

Envio de ETH patrocinado com execute.

curl -X POST http://localhost:8080/sponsor-generic \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "pk_exemplo_signer_substitua_por_sua_chave_privada",
    "sponsor_pk": "pk_exemplo_sponsor_substitua_por_sua_chave_privada",
    "contract_address": "0x59Dc1134ff843D6F7686632195928504433edb60",
    "function_signature": "execute((bytes,address,uint256)[])",
    "parameters": [
      [
        {
          "data": "0x",
          "to": "0x8BEC2524bf186318e97107D75C2F05aA5C260486", 
          "value": "10000000000000000"
        }
      ]
    ]
  }'

#example tx: txhash-execute

sponsor-generic ✅

# Para mint via SimpleDelegateContract
curl -X POST http://localhost:8080/sponsor-generic \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "pk_exemplo_signer_substitua_por_sua_chave_privada",
    "sponsor_pk": "pk_exemplo_sponsor_substitua_por_sua_chave_privada",
    "contract_address": "0x59Dc1134ff843D6F7686632195928504433edb60",
    "function_signature": "mint(address,address,uint256)",
    "parameters": [
      "0x93d77bE58A977350B924C0694242b075eB26AEdE",
      "0x253180Be159557D4A708F008A55bC2aB4570c8D3", 
      "2000000000000000000000"
    ]
  }'

# Para transfer via SimpleDelegateContract  
curl -X POST http://localhost:8080/sponsor-generic \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "pk_exemplo_signer_substitua_por_sua_chave_privada",
    "sponsor_pk": "pk_exemplo_sponsor_substitua_por_sua_chave_privada",
    "contract_address": "0x59Dc1134ff843D6F7686632195928504433edb60",
    "function_signature": "transfer(address,address,uint256)",
    "parameters": [
      "0x93d77bE58A977350B924C0694242b075eB26AEdE",
      "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
      "1000000000000000000000"
    ]
  }'

POST /sponsor (Avançado)

Usando autorização pré-criada + calls customizadas.

curl -X POST http://localhost:8080/sponsor \
  -H "Content-Type: application/json" \
  -d '{
    "authorization": {
      "chain_id": 17000,
      "address": "0x1f0F9d7e19991e7E296630DC0073610f23CF066a",
      "nonce": 475,
      "v": 1,
      "r": [203,99,67,12,120,123,26,201,160,247,181,111,117,174,159,255,60,167,7,209,4,175,71,110,142,216,156,243,236,144,44,19],
      "s": [77,180,155,10,29,165,2,247,178,69,206,180,89,181,71,243,154,59,118,235,129,159,28,250,206,112,114,196,249,215,61,198],
      "signer": "0x253180be159557d4a708f008a55bc2ab4570c8d3"
    },
    "sponsor_pk": "pk_exemplo_sponsor_substitua_por_sua_chave_privada",
    "calls": [
      {
        "to": "0x93d77bE58A977350B924C0694242b075eB26AEdE",
        "data": "0xc6c3bbe600000000000000000000000093d77be58a977350b924c0694242b075eb26aede000000000000000000000000253180be159557d4a708f008a55bc2ab4570c8d300000000000000000000000000000000000000000000003635c9adc5dea00000",
        "value": "0"
      }
    ]
  }'

---

🔒 Validações de Segurança EIP-7702

Implementadas:

• ✅ Replay Protection: Nonce correto obrigatório
• ✅ Chain ID: Proteção cross-chain
• ✅ Value Verification: Limite máximo de valor
• ✅ Gas Verification: Cálculo automático baseado em calls
• ✅ Target/Calldata: Validação de contratos conhecidos
• ✅ Timeout: Autorizações expiram em 5 minutos

Proteções contra Sponsors Maliciosos:

• ✅ Verificação de gas price
• ✅ Limite de valor total
• ✅ Validação de nonce em tempo real
• ✅ Lista de contratos confiáveis apenas

---

🔬 Como Verificar no Explorer

1. Copie o tx_hash retornado
2. Acesse: https://holesky.etherscan.io/tx/SEU_TX_HASH
3. Verifique:
   • From: Sponsor (quem pagou gas)
   • To: Signer/Authority (quem executou)
   • Type: SetCode (0x4) - indica EIP-7702
   • Logs: Evento Transfer/Mint no token

---

🎯 Casos de Uso

1. Onboarding Sem Friction

# Usuario cria wallet nova (sem ETH)
# Empresa patrocina gas para mint de tokens de boas-vindas
curl -X POST http://localhost:8080/sponsor-mint \
  -d '{"signer_pk":"NEW_USER_PK", "sponsor_pk":"COMPANY_PK", "recipient":"NEW_USER_ADDR", "amount":"100"}'

2. Gasless DeFi

# Usuario quer fazer swap mas não tem ETH para gas
# DApp patrocina a approve + swap
curl -X POST http://localhost:8080/sponsor-generic \
  -d '{"function_signature":"approve(address,uint256)", "parameters":["0xSwapContract","1000000000000000000"]}'

3. Social Recovery

# Usuario perdeu acesso mas tem guardians
# Guardian patrocina recuperação
curl -X POST http://localhost:8080/sponsor-transfer \
  -d '{"signer_pk":"GUARDIAN_PK", "sponsor_pk":"GUARDIAN_PK", "recipient":"NEW_WALLET", "amount":"ALL_BALANCE"}'

---

⚠️ Considerações de Produção

1. Não Expor Chaves Privadas

• Use MetaMask/WalletConnect no frontend
• Implemente AWS KMS ou Hardware Security Modules
• Use Gelato Network ou Biconomy para relaying

2. Rate Limiting

// Implementar rate limiting por endereço
type RateLimiter struct {
    requests map[common.Address][]time.Time
    limit    int // max requests per minute
}

3. Monitoring

// Logs detalhados para auditoria
log.Printf("EIP-7702 Execution: signer=%s sponsor=%s tx=%s", 
    auth.Signer.Hex(), sponsor.Hex(), tx.Hash().Hex())

---

🚀 Próximos Passos

1. Implementar frontend com MetaMask
2. Integrar com Gelato para relaying production
3. Adicionar batch operations mais complexas
4. Implementar social recovery completo
5. Criar SDK JavaScript para desenvolvedores

---

English

A complete EIP-7702 (Set Code for EOAs) implementation in Go, demonstrating:

• ✅ Secure delegation of EOAs to Smart Contracts
• ✅ Sponsored transactions (sponsor pays gas, signer executes)
• ✅ Multicall (multiple operations in one transaction)
• ✅ Security validations according to EIP-7702 specification

🔧 Quick Setup

git clone https://github.com/omnes-tech/eip-7702-go
cd eip7702-demo

# Create .env
echo 'RPC_URL=https://holesky.infura.io/v3/YOUR_KEY' > .env

# Run
go run .

API will be available at http://localhost:8080

📋 Deployed Contracts (Holesky)

Contract	Address	Function
ERC20 Token	0x93d77bE58A977350B924C0694242b075eB26AEdE	Test token for mint/transfer
SimpleDelegateContract	0x1f0F9d7e19991e7E296630DC0073610f23CF066a	Contract that executes operations

🛣️ API Routes

📋 Information

GET /contracts

Returns contract addresses and chain ID.

curl http://localhost:8080/contracts

Response:

{
  "token_contract": "0x93d77bE58A977350B924C0694242b075eB26AEdE",
  "simple_delegate_contract": "0x1f0F9d7e19991e7E296630DC0073610f23CF066a",
  "chain_id": 17000
}

---

🔧 Build Call Data (Helpers)

POST /build-call/mint

Builds call data for token minting.

curl -X POST http://localhost:8080/build-call/mint \
  -H "Content-Type: application/json" \
  -d '{
    "recipient": "0x253180Be159557D4A708F008A55bC2aB4570c8D3",
    "amount": "1000"
  }'

Response:

{
  "call_data": "0xc6c3bbe600000000000000000000000093d77be58a977350b924c0694242b075eb26aede000000000000000000000000253180be159557d4a708f008a55bc2ab4570c8d300000000000000000000000000000000000000000000003635c9adc5dea00000"
}

POST /build-call/transfer

Builds call data for token transfer.

curl -X POST http://localhost:8080/build-call/transfer \
  -H "Content-Type: application/json" \
  -d '{
    "recipient": "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
    "amount": "500"
  }'

POST /build-call/send-eth

Builds call data for ETH sending.

curl -X POST http://localhost:8080/build-call/send-eth \
  -H "Content-Type: application/json" \
  -d '{
    "recipient": "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
    "amount": "0.1"
  }'

POST /build-call/generic

Builds call data for any function.

curl -X POST http://localhost:8080/build-call/generic \
  -H "Content-Type: application/json" \
  -d '{
    "function_signature": "approve(address,uint256)",
    "parameters": ["0x8BEC2524bf186318e97107D75C2F05aA5C260486", "1000000000000000000"]
  }'

---

🔐 Authorization

POST /authorize

Creates an EIP-7702 authorization (doesn't send transaction).

curl -X POST http://localhost:8080/authorize \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "example_signer_pk_replace_with_your_private_key",
    "contract_address": "0x1f0F9d7e19991e7E296630DC0073610f23CF066a"
  }'

Response:

{
  "chain_id": 17000,
  "address": "0x1f0F9d7e19991e7E296630DC0073610f23CF066a",
  "nonce": 475,
  "v": 0,
  "r": "0xa7e1004f87df4cb7bbdebc9127e75b53d667a4dfefb0eafe366a92ebea531faa",
  "s": "0x15be9024bfb412a266a6488224c2599d385a814fe696fff2dcc59f3e6a661ff6",
  "signer": "0x5bb7dd6a6eb4a440d6c70e1165243190295e290b",
  "created_at": 1703123456
}

---

🚀 Sponsored Execution

POST /sponsor-mint ⭐

Complete flow: Authorize + Mint tokens + Send transaction.

curl -X POST http://localhost:8080/sponsor-mint \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "example_signer_pk_replace_with_your_private_key",
    "sponsor_pk": "example_sponsor_pk_replace_with_your_private_key",
    "recipient": "0x253180Be159557D4A708F008A55bC2aB4570c8D3",
    "amount": "1000"
  }'

#example tx: txhash-mint

POST /sponsor-transfer ⭐

Sponsored token transfer.

curl -X POST http://localhost:8080/sponsor-transfer \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "example_signer_pk_replace_with_your_private_key",
    "sponsor_pk": "example_sponsor_pk_replace_with_your_private_key",
    "recipient": "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
    "amount": "500"
  }'

#example tx: txhash-transfer

POST /sponsor-eth ⭐

Sponsored ETH sending.

curl -X POST http://localhost:8080/sponsor-eth \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "example_signer_pk_replace_with_your_private_key",
    "sponsor_pk": "example_sponsor_pk_replace_with_your_private_key",
    "recipient": "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
    "amount": "0.01"
  }'

POST /sponsor-generic - with execute ⭐

Sponsored ETH sending with execute.

curl -X POST http://localhost:8080/sponsor-generic \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "example_signer_pk_replace_with_your_private_key",
    "sponsor_pk": "example_sponsor_pk_replace_with_your_private_key",
    "contract_address": "0x59Dc1134ff843D6F7686632195928504433edb60",
    "function_signature": "execute((bytes,address,uint256)[])",
    "parameters": [
      [
        {
          "data": "0x",
          "to": "0x8BEC2524bf186318e97107D75C2F05aA5C260486", 
          "value": "10000000000000000"
        }
      ]
    ]
  }'

#example tx: txhash-execute

sponsor-generic ✅

# For mint via SimpleDelegateContract
curl -X POST http://localhost:8080/sponsor-generic \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "example_signer_pk_replace_with_your_private_key",
    "sponsor_pk": "example_sponsor_pk_replace_with_your_private_key",
    "contract_address": "0x59Dc1134ff843D6F7686632195928504433edb60",
    "function_signature": "mint(address,address,uint256)",
    "parameters": [
      "0x93d77bE58A977350B924C0694242b075eB26AEdE",
      "0x253180Be159557D4A708F008A55bC2aB4570c8D3", 
      "2000000000000000000000"
    ]
  }'

# For transfer via SimpleDelegateContract  
curl -X POST http://localhost:8080/sponsor-generic \
  -H "Content-Type: application/json" \
  -d '{
    "signer_pk": "example_signer_pk_replace_with_your_private_key",
    "sponsor_pk": "example_sponsor_pk_replace_with_your_private_key",
    "contract_address": "0x59Dc1134ff843D6F7686632195928504433edb60",
    "function_signature": "transfer(address,address,uint256)",
    "parameters": [
      "0x93d77bE58A977350B924C0694242b075eB26AEdE",
      "0x8BEC2524bf186318e97107D75C2F05aA5C260486",
      "1000000000000000000000"
    ]
  }'

POST /sponsor (Advanced)

Using pre-created authorization + custom calls.

curl -X POST http://localhost:8080/sponsor \
  -H "Content-Type: application/json" \
  -d '{
    "authorization": {
      "chain_id": 17000,
      "address": "0x1f0F9d7e19991e7E296630DC0073610f23CF066a",
      "nonce": 475,
      "v": 1,
      "r": [203,99,67,12,120,123,26,201,160,247,181,111,117,174,159,255,60,167,7,209,4,175,71,110,142,216,156,243,236,144,44,19],
      "s": [77,180,155,10,29,165,2,247,178,69,206,180,89,181,71,243,154,59,118,235,129,159,28,250,206,112,114,196,249,215,61,198],
      "signer": "0x253180be159557d4a708f008a55bc2ab4570c8d3"
    },
    "sponsor_pk": "example_sponsor_pk_replace_with_your_private_key",
    "calls": [
      {
        "to": "0x93d77bE58A977350B924C0694242b075eB26AEdE",
        "data": "0xc6c3bbe600000000000000000000000093d77be58a977350b924c0694242b075eb26aede000000000000000000000000253180be159557d4a708f008a55bc2ab4570c8d300000000000000000000000000000000000000000000003635c9adc5dea00000",
        "value": "0"
      }
    ]
  }'

---

🔒 EIP-7702 Security Validations

Implemented:

• ✅ Replay Protection: Correct nonce required
• ✅ Chain ID: Cross-chain protection
• ✅ Value Verification: Maximum value limit
• ✅ Gas Verification: Automatic calculation based on calls
• ✅ Target/Calldata: Known contracts validation
• ✅ Timeout: Authorizations expire in 5 minutes

Protections against Malicious Sponsors:

• ✅ Gas price verification
• ✅ Total value limit
• ✅ Real-time nonce validation
• ✅ Trusted contracts list only

---

🔬 How to Verify on Explorer

1. Copy the returned tx_hash
2. Visit: https://holesky.etherscan.io/tx/YOUR_TX_HASH
3. Verify:
   • From: Sponsor (who paid gas)
   • To: Signer/Authority (who executed)
   • Type: SetCode (0x4) - indicates EIP-7702
   • Logs: Transfer/Mint event in token

---

🎯 Use Cases

1. Frictionless Onboarding

# User creates new wallet (no ETH)
# Company sponsors gas for welcome token mint
curl -X POST http://localhost:8080/sponsor-mint \
  -d '{"signer_pk":"NEW_USER_PK", "sponsor_pk":"COMPANY_PK", "recipient":"NEW_USER_ADDR", "amount":"100"}'

2. Gasless DeFi

# User wants to swap but has no ETH for gas
# DApp sponsors approve + swap
curl -X POST http://localhost:8080/sponsor-generic \
  -d '{"function_signature":"approve(address,uint256)", "parameters":["0xSwapContract","1000000000000000000"]}'

3. Social Recovery

# User lost access but has guardians
# Guardian sponsors recovery
curl -X POST http://localhost:8080/sponsor-transfer \
  -d '{"signer_pk":"GUARDIAN_PK", "sponsor_pk":"GUARDIAN_PK", "recipient":"NEW_WALLET", "amount":"ALL_BALANCE"}'

---

⚠️ Production Considerations

1. Don't Expose Private Keys

• Use MetaMask/WalletConnect in frontend
• Implement AWS KMS or Hardware Security Modules
• Use Gelato Network or Biconomy for relaying

2. Rate Limiting

// Implement rate limiting per address
type RateLimiter struct {
    requests map[common.Address][]time.Time
    limit    int // max requests per minute
}

3. Monitoring

// Detailed logs for auditing
log.Printf("EIP-7702 Execution: signer=%s sponsor=%s tx=%s", 
    auth.Signer.Hex(), sponsor.Hex(), tx.Hash().Hex())

---

🚀 Next Steps

1. Implement frontend with MetaMask
2. Integrate with Gelato for production relaying
3. Add more complex batch operations
4. Implement complete social recovery
5. Create JavaScript SDK for developers

---

Happy EIP-7702 Hacking! 🎉