Summary: More and more startups and large corporations are diving into smart accounts and delegated permissions. But you know what they say--every delegation brings some added operational risk. This guide has got your back with effective key rotation and recovery strategies for ERC‑4337 smart accounts and post‑Pectra EIP‑7702 EOAs. Inside, you’ll discover detailed transaction patterns, module choices, monitoring signals, and handy runbooks that you can put into action this quarter.

De-risking Delegation: Key Rotation and Recovery Strategies for Smart Accounts

Decision-makers are often thrilled about the perks that delegation can offer: seamless one-click user experiences, automated processes, tight spend control, helpful bots, and those convenient device-native passkeys. But here’s the thing: once you delegate authority--whether it's via a module, a plug-in, a session key, a paymaster, or (now) EIP-7702--you also invite a whole new set of potential issues.

In this post, I’m diving into the rotation and recovery patterns we’ve been using at 7Block Labs. I’ll link them up with what actually went live in 2025 (Pectra/EIP-7702) and the current production AA stacks, which include ERC-4337, ERC-6900 modules, Safe, and Kernel. You can take a look here: (blog.ethereum.org).

---

What changed in 2025: 7702 adds native, temporary delegation for EOAs

• On May 7, 2025 (epoch 364,032), Ethereum launched the Pectra upgrade, which includes EIP‑7702, aka “Set Code for EOAs.” This cool upgrade brings in a new Type‑4 transaction that lets an Externally Owned Account (EOA) temporarily connect with existing contract code via an authorization list. After using it, the EOA can switch back. It’s a handy feature that allows for batching, gas sponsorship, and some limited “sub‑keys” without having to commit to a smart contract wallet permanently. For more details, take a look here: (info.etherscan.com)
• Here’s the scoop on the transaction details--perfect for keeping your security policies and tools in check:
  • Transaction type: 0x04
  • New field: authorization_list = [[chain_id, address, nonce, y_parity, r, s], ...]
  • Revocation: If you need to reset delegation, just delegate to the null address.
  • Cost constants (check this out): PER_AUTH_BASE_COST=12500; PER_EMPTY_ACCOUNT_COST=25000
  • Signature domain: secp256k1 over keccak256(0x04 || RLP payload) (eips.ethereum.org)

The main point to remember is that you’re now balancing two types of delegation: smart accounts (ERC‑4337) and EOAs (7702). So, you'll want to make sure your rotation and recovery plans cover both of these. For more info, take a look here.

---

The delegation threat model (and where teams get burned)

Risk usually hangs out at the fringes, where “less-trusted” keys get the green light to do “limited” things. If we dive into production audits and incidents, we can easily identify these categories:

• Session Key Drift: Every now and then, you might run into the issue where temporary keys hang around longer than they should, or maybe their scopes are just overly broad--think missing target/selector/gas/spend caps. If you want to dive deeper into this topic, check it out here.
• Module Misconfiguration: You could face some challenges with Safe modules or guards that have bypass paths, or with upgradeable plug-ins that don't have timelocks and quorum set up. For all the nitty-gritty details, take a look here.
• Paymaster Exposure: Watch out! Token-gas paymasters might get wiped out if their rate limits are too lenient, whitelists aren't set up, or if they're relying on sketchy price oracles. You can check out more details here.
• Bundler Fragmentation: Watch out for problems with private queues or simulations that don't quite hit the mark, particularly if ERC-7562 isn't being enforced. This can open the door to DoS attacks or other unexpected results. To dive deeper into this, check it out here.
• 7702 Replay/Over-Scope: Keep an eye out for authorizations that have chain_id=0 (these are valid across all chains) or nonces that are reused. These issues could increase the attack surface and make it tricky to manage revocation timing. You can find more details here.

The rest of this guide will dive into some effective rotation and recovery strategies that are designed to tackle these failure modes directly.

---

Rotation and recovery, by account model

A) ERC‑4337 smart accounts (Safe, Kernel, Modular/6900)

Foundations:

• Alright, so ERC‑4337 UserOperations are chilling in a special alt‑mempool. What’s really neat is that validation is defined by the wallet, and execution goes down through EntryPoint.handleOps. Bundlers are also in the mix, ensuring that the simulation rules (take a look at ERC‑7562) and reputation systems are properly followed. Just a quick note: make sure your rotation/change events can be simulated and comply with the op‑code/storage rules. (eips.ethereum.org)
• Modular accounts (ERC‑6900) give you the flexibility to add validation and execution plug-ins. So, when it's time to rotate keys, you typically just update the validator state instead of going through the hassle of redeploying the entire account. Check it out at (erc6900.io).

Concrete Rotation Patterns We Ship:

Check out some of the rotation patterns we have for shipping:

• Standard Rotation: This is our favorite go-to pattern--it's straightforward and works like a charm for most projects.
• Custom Rotation: Looking for something one-of-a-kind? We can whip up a rotation pattern that's made just for you.
• Randomized Rotation: If you're after a more natural vibe, this option adds a charming touch of unpredictability.
• Sector Rotation: This one's great for bigger spaces! It splits the area into different sectors, giving it a lively look.
• Mirror Rotation: Achieve that perfect symmetry in your designs using this chic feature.
• Diagonal Rotation: Give your concrete a cool twist--literally! Rotating it diagonally can create a striking effect that really stands out.

Don’t hesitate to get in touch if you have any questions or if you need a hand picking the perfect pattern for your project!

1) Safe Owner Rotation (No Downtime)

• Managing Safe owners just got a whole lot easier thanks to Safe’s owner manager functions and deterministic eventing:
  • You can handle operations like addOwnerWithThreshold, swapOwner, changeThreshold, and removeOwner as atomic transactions. And the best part? They trigger some useful events like AddedOwner, RemovedOwner, and ChangedThreshold that you can monitor. For more details, take a look at the docs.
• Here’s a handy runbook to help you navigate the process:
  • Stage: Start off with addOwnerWithThreshold(new, same_threshold) and don’t forget to double-check that EIP‑1271 signatures are still up and running.
  • Cutover: Time to make the switch! Use swapOwner(prev, old, new) to keep everything neat and tidy--just a heads-up, since Safe stores owner info in a linked list, you’ll want to get the prevOwner just right. For more details, check it out here.
  • Harden: If you’re feeling adventurous, you can raise the threshold before finally bidding farewell to the old owner after a 24-hour watch period (and don’t forget to peek at the alerting section below!).
• Note: Just a heads up--there are some important formal verification notes and threshold race issues to keep in mind. It's a good idea to follow the order of “add owner → changeThreshold (increase) → remove old” so you don’t accidentally lower the threshold. If you want to dive deeper into this, take a look at the GitHub page.

2) Kernel (ZeroDev) Kill-Switch and Guardian-Assisted Recovery

• Kernel’s got your back with validators like KillSwitchValidator. This nifty tool lets you hit pause and switch out the owner whenever you need to, thanks to guardian authority. There’s even a pausedUntil window that helps you manage any ongoing attacks. Think of it as your handy “freeze and rotate” circuit breaker. Want to learn more? Check it out here: v3-docs.zerodev.app

3) Social Recovery Modules

• First off, set up a social recovery module that’s specifically designed to tweak validator settings--like adding or removing owners and adjusting the threshold--without letting any random transfers slip through. It’s smart to use 2-3 independent guardians from different devices or organizations, and be sure to implement an m-of-n requirement. When it comes to recovery for consumers, you’ll want to avoid zero timelocks; for enterprise solutions, we recommend a minimum of 24 hours. If you're curious for more details, check this out: docs.rhinestone.dev.
• If you’re leaning towards Safe, there are some great community-driven implementations and services out there, like Candide’s recovery module. Don’t forget to add a grace period and set up a notification channel for updates. You can find more info here: docs.candide.dev.

4) Spend/Rate Control Modules to Buy Time

• The Safe's Allowance/Spending Limit feature is super handy because it allows you to set daily or weekly limits for your spenders. If you pair this with a Delay/Timelock (thanks to the Zodiac Delay Modifier), you’ll have a little buffer to cancel any surprise transactions. This approach has been put to the test in real-world scenarios--just take a look at Gnosis Pay, which makes great use of Delay + Roles. Want to dive deeper? Check it out here!

5) Guardrails on DelegateCalls

• Safe’s Guardrail pattern is a clever method to handle delegatecall targets. Basically, it creates an allowlist for these targets and introduces a time delay for any updates to that list. This setup helps steer clear of problems like “arbitrary multisend via malicious library” bugs. You can easily get this rolling with setModuleGuard. For more info, take a look at the full scoop over at (safe.global).

6) Passkey Rotation in Smart Accounts

• If you’re diving into WebAuthn passkeys, it’s smart to go with chains that back the P‑256 precompile. This is mainly because of the RIP‑7212 footprint that’s pretty common across most major L2s. On top of that, EIP‑7951 is making waves by potentially bringing mainnet support along with some fixes. You should definitely check out Coinbase’s smart wallet--it's a solid example of how they handle both passkey owners and ECDSA owners, and it also demonstrates how to manage cross‑chain replayable owner updates. When you’re crafting your user experience for rotations, think about updating new chains only when they’re first put to use. Want to dig deeper into the nitty-gritty? Check it out here: (ethereum-magicians.org).

7) Bundler/Paymaster Hygiene for Rotation Ops

• When you're configuring bundlers, it’s super important to follow ERC‑7562 and display error codes (big shoutout to EIP‑7769) to catch any hiccups with rotation flows right from the start. Pimlico really nails both of these aspects. Plus, remember to only introduce a verifying or ERC‑20 paymaster after you’ve set up rate limits and allowlists. (eips.ethereum.org)

B) EOAs via EIP‑7702 (post‑Pectra)

7702 Brings Native, Revocable Delegation Into Focus for Your Rotation Policy:

• Authorizations are essentially tuples that get signed with the EOA key, and they’re tied to a specific chain_id and nonce. Just a quick tip: try to avoid using chain_id=0 in enterprise scenarios--choosing per-chain authorization is a safer bet to prevent any unwelcome cross-chain surprises. It’s also a good idea to change your authorizations frequently and absolutely never reuse nonces. (ethereum.org)
• Revocation is actually quite simple: all you need to do is send a Type-4 transaction that directs the authorization to the null address. It’s a smart idea to have a pre-signed revocation ready to go (and keep it offline) when you’re adding new delegates to the mix. (ethereum.org)

Minimal Type‑4 Example (Viem‑Style)

Here’s a really straightforward example of a Type-4 implementation using Viem. This code snippet covers the essentials you’ll need to dive in.

import { createClient } from 'viem';

const client = createClient({
  url: 'https://YOUR-API-ENDPOINT.com/graphql',
  // Include any necessary headers or authentication here
});

// An example query to fetch some data
const exampleQuery = `
  query {
    users {
      id
      name
      email
    }
  }
`;

async function fetchData() {
  try {
    const response = await client.query(exampleQuery);
    console.log('Fetched data:', response.data);
  } catch (error) {
    console.error('Error fetching data:', error);
  }
}

fetchData();

Simply plug in your API endpoint, and you're all set! Enjoy coding!

// Pseudocode: sign and send a 7702 “set code” tx to delegate EOA to a smart account
const authorization = await walletClient.signAuthorization({
  contractAddress: "0xYourSmartAccountImpl", // code target
  executor: "self" // executing in EOA context
});
await walletClient.sendTransaction({
  type: 'eip7702',
  to: eoaAddress,               // destination cannot be null
  data: "0x",                   // optional call
  authorizationList: [authorization],
  chainId,
  gas: 250_000
});
// To revoke later: signAuthorization({ contractAddress: zeroAddress }) and send again.

Operational tip: Make sure you’re keeping tabs on authorizations for every chain and update them regularly. Treat each one like it’s a crucial change request that requires a reviewer’s thumbs-up. For more info, check out the details here.

---

Session keys you won’t regret later

Session keys are often the starting point for what we like to call “delegation sprawl.” You can think of them as being similar to API tokens, but not in the way you would approach things for ownership.

What Good Looks Like: Alchemy's Session Key Plugin Sets the Bar

When we're talking about plugins, Alchemy's Session Key plugin is definitely a standout. Let’s dive into what makes it so impressive and why it sets such a high bar for the rest.

Key Features

• User-Friendly Interface: The design is sleek and super easy to use. Even if you’re not a tech whiz, you'll find your way around without any headaches.
• Robust Security: We take security seriously here. The plugin uses strong encryption methods to keep your session data safe and sound.
• Effortless Integration: It works well with different platforms and doesn’t need a ton of adjustments to get started.
• Real-Time Analytics: You can get insights and keep an eye on sessions as they happen. This feature really helps you understand how users behave.
• Customizable Options: Make the plugin fit your unique needs. You’ll have lots of options to personalize it just the way you like.

Why It Stands Out

Alchemy's Session Key plugin really goes above and beyond. It not only gets the job done but also offers a seamless user experience and outstanding security features. On top of that, the customization options allow you to tweak it to fit your specific setup effortlessly.

Conclusion

If you’re searching for a reliable session management tool, you should definitely check out Alchemy's Session Key plugin. It's really raising the bar for plugins, offering a mix of efficiency, security, and ease of use that’s hard to beat.

Take a look at it here.

• Time limits: validAfter/validUntil
• Allowlists/denylists for addresses and selectors
• Spending limits for native tokens and ERC‑20 tokens (total and interval refresh)
• Gas limit and optional rate limiting
• Key rotation that doesn’t need a change in the policy envelope

If your session-key framework isn't up to the task, you shouldn't even consider shipping it. Instead, opt for ERC‑6900/7579-compatible modules like SessionKeyPlugin or SmartSession. These options help maintain consistency across various account vendors. You can learn more about it here: (alchemy.com)

---

Recovery building blocks (that actually get used)

• Social guardians: Try to have around 3 to 5 guardians from different backgrounds. This could include things like one HSM/enterprise key, one hardware wallet, one partner organization, and one consumer passkey. It’s a good idea to set a threshold of at least 2, and don't forget to add an on-chain delay for wrapping up transactions in consumer situations. Plus, it's super important to help users understand what a guardian actually does--like they can change ownership but can't spend any funds. For the full scoop, check it out here.
• Delay modifier in front of modules: Consider this your safety net! You’ve got choices like queue, cooldown, and execute that let you “hit the brakes” on anything that seems fishy. It’s a smart idea to always have a documented and tested emergency “skip nonce” sequence ready to go. For more details, check it out on GitHub.
• Budget/allowance modules for teams: Set up separate sub-allowances for various departments that automatically reset at natural intervals, like monthly or quarterly. These funds will be held in escrow from a main pool. This arrangement minimizes the risk if a downstream delegate happens to get compromised. To dive deeper, check it out here.
• Counterfactual signatures during migration: If you’re moving to a counterfactual setup, make sure to use ERC-6492. This helps with off-chain verification recognizing the new signer before you go live. It's especially handy when migrating accounts or when you're doing those “sign-in with wallet” processes. For all the technical nitty-gritty, check it out here.

---

Concrete rotation runbooks you can adopt

1) Key compromise on a production Safe (ERC‑4337 or multisig)

• Freeze
  • If you're in Kernel mode: just hit pause on the KillSwitchValidator. But if you're in Safe mode, act fast! Raise the threshold (if it's an option for you) and activate a Guard to stop any unknown delegate calls. Check it out here: (hackmd.io)
• Contain
  • Go ahead and turn off those session-key plug-ins and don’t forget to lift spending caps for any delegates that aren’t super important.
  • You should also disable verifying or ERC-20 paymasters. An easy way to do this is to just set paymaster_whitelist = {} to cut off any gas sponsorship. (github.com)
• Rotate
  • Kick things off with addOwnerWithThreshold(newOwner, threshold+1). Next, make the swap using swapOwner(prev, old, new). After that, set the threshold back to where it should be, and wrap it up by calling removeOwner(prevOfOld, old, threshold). (docs.safe.global)
• Recover
  • Re-issue those session keys using a templated policy that’s time-boxed and scoped. After that, go ahead and re-enable the paymaster, but this time with a limited policy.
• Verify
  • Watch for AddedOwner/RemovedOwner/ChangedThreshold events, along with EntryPoint UserOperation events. Don’t forget to cross-check them with your change ticket! You can find more info here: (docs.safe.global)

2) Session key suspected leak (gaming bot, subscriptions)

• You can either turn off the module or remove the key from its storage.
• Issue a new key with the following settings:
  • validUntil ≤ 7 days, target allowlist = {app contracts}, selectors = {needed methods}, and set daily ERC‑20 and gas limits.
• Just to be on the safe side, make sure to add an ERC‑20 per-address allowance in Safe Spending Limits for the session executor. For more details, check this out here.

3) 7702 delegate gone bad (EOA)

• If you need to fire the delegate, just go ahead and send a revocation Type‑4 transaction (delegation → null). Make sure you’ve got a pre-funded hot path ready to roll so you can still make this happen even if your main setup is down.
• Switch it up with a fresh delegate address that’s been audited, and stick to chain-specific authorizations only.
• Once everything’s in place, set up a 24-hour timelock for any new delegates as part of your internal policy (since 7702 doesn’t come with a timelock on its own). (ethereum.org)

---

Monitoring and alerting (ship these dashboards)

Minimum Viable Signals:

Minimum Viable Signals (MVS)

Minimum Viable Signals (MVS) are the key indicators that help you quickly figure out if a project or idea has what it takes to succeed. You can think of them as your essential metrics that guide you in making smart decisions without drowning in a flood of data. Let’s dive into what MVS can really do for you:

Why MVS Matters

In a world where we’re constantly bombarded with information, having a set of MVS can really simplify your decision-making process. These signals give you a clear picture of whether your project is heading in the right direction, saving you both time and resources along the way.

Key Components of MVS

Here are some key elements that contribute to effective Minimum Viable Signals:

• Relevance: Pick signals that really connect to your goals. They need to provide insights that actually matter to you.
• Simplicity: Keep it simple! Go for metrics that are easy to understand and interpret.
• Actionability: Make sure your signals lead you to clear next steps. If they’re not pointing you in the right direction, they might not be worth your time.

Examples of MVS

• User Engagement: It's super important to monitor how much your users are interacting with your product. If engagement is high, that's a good sign you're heading in the right direction.
• Conversion Rates: Make sure to track how many users are actually doing what you want them to do. If those numbers aren't looking great, it might be time to shake things up a bit.
• Customer Feedback: Pay attention to what your customers are telling you. Their insights can be really helpful in figuring out if your product is hitting the mark.

Conclusion

Minimum Viable Signals are all about cutting through the clutter and zeroing in on what really counts. By focusing on these key indicators, you can make better decisions and guide your project to success. If you're eager to learn more about MVS, take a look at this resource.

• Safe events: Good news! We’ve rolled out AddedOwner, RemovedOwner, and ChangedThreshold features! You can now enable or disable the module and tweak the guards as needed. And remember, you'll get alerts for any action taken outside of a Change Advisory Board (CAB) window. Want to dive deeper? Check it out here: docs.safe.global.
• ERC‑4337:
  • Check out the simulation validation failure rates sorted by class, which covers signature, paymaster, and initCode.
  • We're also keeping an eye on the handleOps success compared to failedOp ratios, and don’t forget about inclusion latency.
  • Plus, you won't want to miss the ERC‑7562 throttling and bans by entity, such as paymaster or factory. For more details, take a look here: docs.erc4337.io.
• Paymaster drains: Let’s take a closer look at how token balances stack up against sponsorship rates. We’ve also got off-chain policy denials lined up with on-chain validations. Check out all the details right here: docs.pimlico.io.
• 7702 authorizations: Make sure to monitor the inventory for each chain, check when things were last used, and look out for any entries that are still hanging around and haven’t been revoked. For more details, check out ethereum.org.

---

Implementation snippets

Safe owner rotation (TypeScript, Protocol Kit)

import { Safe } from '@safe-global/protocol-kit'

// add new owner, keep threshold
const addTx = await safe.createAddOwnerTx({ ownerAddress: NEW, threshold: CURRENT })
await safe.executeTransaction(addTx)

// optional: raise threshold temporarily
const inc = await safe.createChangeThresholdTx({ threshold: CURRENT + 1 })
await safe.executeTransaction(inc)

// swap old→new (atomic index fix)
const swap = await safe.createSwapOwnerTx({ prevOwner, oldOwner: OLD, newOwner: NEW })
await safe.executeTransaction(swap)

// lower back threshold
const dec = await safe.createChangeThresholdTx({ threshold: CURRENT })
await safe.executeTransaction(dec)

// finally, remove OLD
const rm = await safe.createRemoveOwnerTx({ ownerAddress: OLD, newThreshold: CURRENT })
await safe.executeTransaction(rm)

Events to Keep an Eye On: AddedOwner, RemovedOwner, ChangedThreshold. You can find all the details here.

Kernel kill‑switch enablement (concept)

// Guardian flips paused and sets new owner for the Kernel account
guardian.rotateOwner(newOwner);
guardian.pauseUntil(block.timestamp + 1 days);

Design Considerations

In this setup, we're diving into a guardianship model that works separately from the owner. When the pause flag gets flipped on, the validator will focus on checking the guardian path first. If you want to dig deeper, feel free to check out the complete design document here.

Session key with tight scope (ERC‑6900 plugin)

await sessionKeyPlugin.addKey({
  pubkey: SESSION_PUBKEY,
  validAfter: now,
  validUntil: now + 7*24*3600,
  allow: {
    addresses: [DEX_ROUTER, USDC, MY_APP],
    selectors: ['0x095ea7b3' /*approve*/, '0x12aa3caf' /*swap*/],
  },
  caps: {
    nativeDaily: parseEther('0.01'),
    erc20Daily: [{ token: USDC, cap: 200_00 }], // $200
    gasDaily: 1_000_000
  }
})

Switch up your key every week but keep your policy constants nice and smooth. This approach keeps everything easy on the wallet. For more info, take a look at alchemy.com.

EIP‑7702: delegate and revoke (Viem examples)

// delegate EOA → Simple7702Account
const auth = await walletClient.signAuthorization({ contractAddress: ACCOUNT_IMPL, executor: 'self' })
await walletClient.sendTransaction({ type: 'eip7702', to: eoa, data: '0x', authorizationList: [auth] })

// ... later: revoke
const revoke = await walletClient.signAuthorization({ contractAddress: '0x0000000000000000000000000000000000000000' })
await walletClient.sendTransaction({ type: 'eip7702', to: eoa, authorizationList: [revoke] })

Make sure to define your authorizations for each chain, and just a quick reminder: avoid using chain_id=0 in any enterprise production settings. If you want to dive deeper into this topic, take a look at eip7702.io for more info!

---

Passkeys and rotation, pragmatically

• Layer 2 solutions are now introducing P‑256 verification precompiles, thanks to the RIP‑7212 lineage. This is an exciting development since it sets the stage for WebAuthn passkeys, especially for those using smart accounts. If you're monitoring the mainnet, be sure to pay attention to EIP‑7951, which focuses on securing P‑256. It's a good idea to keep an eye on its status before making any assumptions about Layer 1 availability. When you’re planning your setup, try to prioritize Layer 2 first, and then you can back-port everything to Layer 1 once it’s all standardized. (eip.info)
• The Coinbase Smart Wallet is flexing its muscles with the ability to juggle mixed owner sets, seamlessly blending secp256k1 EOAs and secp256r1 passkeys. On top of that, it's got this cool feature for cross-chain replayable owner updates. Basically, you can “sign once and update across many chains,” making everything a lot smoother! Just a heads-up: don't forget to log your success for each chain because you'll still need those on-chain writes for the first use. Check it out here: (github.com)

---

Emerging best practices (use this as your internal checklist)

Policy and Design

• It's crucial to understand the difference between owners and delegates. Owners can change from time to time and typically need a quorum or a timelock to make that happen. On the other hand, delegates--such as session keys and modules--are swapped out more regularly, but they come with tighter limitations.
• When it comes to the 7702 update, you can think of each authorization like a change request: it needs to be specific to each chain, have a unique nonce, include a plan for offline revocation, and you should definitely have a cool-off period in your operations process. For more info, take a look at this link.
• If you're transitioning signers to counterfactual accounts, make sure to utilize ERC-6492. This means off-chain verifiers should be prepared to accept pre-deploy signatures. For more details, check it out here.

Controls and Modules

• Make sure you team up Spending Limits with a Delay module on any Safe that's managing funds for your operations; it's like having a safety net in place. You can find all the specifics here.
• Installing a Guard to keep those delegatecalls in check and setting up a timelocked allowlist process is a slick idea. For more details, check it out here.
• You should definitely check out those ERC‑6900/7579‑compatible session‑key modules. They’re a great way to avoid getting stuck with a single vendor and help keep your policy semantics nice and portable. Want to dive deeper? Find more info here.

Infrastructure

• Don’t limit yourself to a single bundler. It’s a good idea to work with at least two providers that comply with ERC-7562. Be sure to monitor the differences between simulateValidation and on-chain variance. (eips.ethereum.org)
• When it comes to sponsoring gas, start by implementing per-address allowlists and enforce strict rate limits on your paymaster. And don't forget--default-deny anything else! Check out the details here: (docs.pimlico.io)

Monitoring and Response

• Make sure to keep an eye out for any changes to owners, guardians, or guards, along with when modules get turned on or off. These events can be considered security issues and should definitely be reviewed by a human.
• Keep tabs on any failures tied to ERC‑4337 and stay alert for any reputation warnings. If you notice your plugins frequently triggering GREP or STO rule hits, that’s a sign they might not be cooperating well with simulation constraints and could get censored by bundlers. You can find more details on this here.

---

Where we see teams over‑ or under‑rotating (and how to right‑size)

• Over-rotation of owners: This can cause quorum fatigue and raises the chances of unexpected changes. Solution: We should focus on keeping the owners steady while switching out the delegates (session keys) more often.
• Under-rotation of session keys: Every so often, session keys linger way longer than they should--sometimes for months! Solution: Let's make it a point to add an expiration date in the issuance templates. Ideally, we shouldn't let them hang around for more than 7 days, and we definitely need to enforce renewal.
• 7702 mis-scoping: Relying on chain_id=0 “just for convenience” isn’t exactly the smartest move. Solution: We should stick to per-chain authorizations and keep an emergency revocation packet in a separate ops account. For more details, check out ethereum.org.

---

Action plan you can execute this quarter

• Week 1: Inventory
  • Take a moment to jot down every delegate surface you’ve got: session keys, modules, guards, paymasters, and whatever 7702 authorizations are in play. Don’t forget to sort them out by their scope and expiry!
• Week 2: Control Install
  • Alright, it’s time to boost our security game this week! Let’s roll out those Safe Spending Limits and set up a Delay--plus, don’t skip on adding a delegatecall Guard. And hey, remember to migrate those session keys over to the ERC‑6900/7579 modules with the time, address, selector, and spend caps. If you need a little more info, check out the details here.
• Week 3: Rotation Pipelines
  • It’s scripting time! Dive into creating scripts for Safe owner rotation, whip up some Kernel kill-switch playbooks, and get your 7702 delegate+revoke templates ready. And hey, don’t forget to pre-sign those revocation packets!
• Week 4: Monitoring
  • Alright, let’s dive into some monitoring! Set up dashboards to track Safe owner events, keep an eye on those 7702 authorizations across various chains, watch out for ERC‑4337 simulateValidation failure classes, and monitor paymaster balances along with rejection rates. If you need more details, check it out here.

If you’re in need of a new perspective, 7Block Labs has got your back! We're ready to dive into your module graph, assist with writing or reviewing guards, and even roll out those runbooks we talked about, no matter what stack you’re using--be it Safe, Kernel, Pimlico, Alchemy, or Coinbase Smart Wallet.

---

References and implementation notes

• Take a look at the EIP‑7702 specification for all the specifics on authorization_list and revocation (Type‑4). There's also some useful info over at ethereum.org. You can jump in here.
• Hey Pectra fans! Check out the activation details and timelines right from the Ethereum Foundation blog, Etherscan, and The Block. You can get all the info you need here.
• Curious about ERC‑4337? It dives into the core and bundler operations, while ERC‑7562 takes care of validation rules and reputation. You can find all the details you need here.
• If you’re diving into ERC‑6900 modules, checking out session key plugins, or exploring SmartSession (ERC‑7579), you can find all the details at erc6900.io.
• If you’re getting started with safe modules and guards, such as Spending Limits and Guardrail, make sure you check out the Zodiac Delay features. You can find all the info you need here.
• Alright, let’s dive into Passkeys on L2s from the RIP‑7212 lineage and EIP‑7951. If you’re interested in the Coinbase Smart Wallet passkey/owner model, you can join the conversation here.
• Last but definitely not least, ERC‑6492 dives into counterfactual signature validation for migrations. If you're curious to learn more, check it out here.

---

7Block Labs: Key Management and Delegation for Smart Accounts

At 7Block Labs, we’re all about crafting and auditing high-quality key management and delegation systems for your smart accounts. If you’re ready to dive into a 2-week implementation sprint, we can help get those key rotations and recovery processes rolling. We’ll tailor the modules, guards, and runbooks to match your specific chain setup and infrastructure perfectly.