EIP-7702 Broke Your tx.origin Check: How Ethereum's Pectra Upgrade Created a New Class of Account Confusion Vulnerabilities

Source: DEV Community
On May 7, 2025, Ethereum's Pectra upgrade went live. Among 11 EIPs, one change quietly invalidated a security assumption that thousands of deployed contracts rely on: EIP-7702 made EOAs capable of executing smart contract code.

The result? Every contract that uses tx.origin == msg.sender as an "is this a real user?" check is now bypassable. And the blast radius extends far beyond that single pattern — into reentrancy guards, gas sponsorship flows, and the entire mental model of what an "account" means on Ethereum.

This article breaks down the concrete attack vectors, shows vulnerable code patterns with fixes, and explains why this isn't just a theoretical concern — it's actively exploitable on mainnet today.

The Old World: EOAs vs. Contracts

Before Pectra, Ethereum had a clean separation:

EOAs (Externally Owned Accounts): Controlled by private keys. Can initiate transactions. Cannot execute arbitrary code.
Contract accounts: Have code. Can execute logic. Cannot initiate transactions ind
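As an added example (not code from the original article), the Python below classifies an account's code bytes and models why a passing tx.origin == msg.sender check no longer shows that the sender carries no code. The 0xef0100 || address delegation designator comes from the EIP-7702 specification rather than from this page; the function names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# EIP-7702 delegation designator: 0xef0100 || 20-byte delegate address (23 bytes).
DELEGATION_PREFIX = bytes.fromhex("ef0100")
DESIGNATOR_LEN = len(DELEGATION_PREFIX) + 20


@dataclass(frozen=True)
class AccountKind:
    kind: str                        # "eoa", "delegated_eoa" or "contract"
    delegate: Optional[str] = None   # delegate address, delegated EOAs only


def classify_code(code_hex: str) -> AccountKind:
    """Classify account code given as hex (the shape eth_getCode returns)."""
    raw = code_hex[2:] if code_hex.lower().startswith("0x") else code_hex
    code = bytes.fromhex(raw)        # ValueError on malformed hex
    if not code:
        return AccountKind("eoa")
    if len(code) == DESIGNATOR_LEN and code.startswith(DELEGATION_PREFIX):
        return AccountKind("delegated_eoa", "0x" + code[3:].hex())
    return AccountKind("contract")


def origin_check_passes(tx_origin: str, msg_sender: str) -> bool:
    """Model of the guard the article discusses: tx.origin == msg.sender."""
    return tx_origin.lower() == msg_sender.lower()


def guard_is_misleading(tx_origin: str, msg_sender: str, sender_code_hex: str) -> bool:
    """True when the guard passes although the sender's account carries code."""
    return (origin_check_passes(tx_origin, msg_sender)
            and classify_code(sender_code_hex).kind != "eoa")


# Constructed sample values, not real accounts.
ALICE = "0x" + "a1" * 20
SAMPLES = {
    "plain EOA": "0x",
    "delegated EOA": "0xef0100" + "d2" * 20,
}

if __name__ == "__main__":
    for label, code in SAMPLES.items():
        print(label, classify_code(code), guard_is_misleading(ALICE, ALICE, code))
```
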