Feat/7702 5792 support #2378

Open
lwin-kyaw wants to merge 5 commits into v10 from feat/7702-5792-support

lwin-kyaw commented Feb 17, 2026

Motivation and Context

Jira Link:

Description

How has this been tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the code style of this project. (run lint)
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • My code requires a db migration.

Note

Medium Risk
Touches transaction formatting/signing and provider initialization behavior; mistakes could lead to invalid tx serialization or new runtime throws for previously-null provider/chain states.

Overview
Adds EIP-7702 and EIP-5792 JSON-RPC support to @web3auth/no-modal by introducing new middlewares (eip7702Middleware, eip5792Middleware) and wiring them into EthereumSigningProvider’s RPC engine.

Transaction handling is extended to support EIP-7702 setCode (type 0x4) by preserving tx type in TransactionFormatter, signing authorizationList entries during MPC signing, and adding a shared createGetEthCode helper for controller-driven validation. Provider getters now throw providerErrors when uninitialized/missing chain instead of returning null, and @toruslabs/ethereum-controllers is bumped to ^8.17.0 with corresponding lockfile updates.

Written by Cursor Bugbot for commit f92091b.

vercel bot commented Feb 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
web3auth-web Error Error Feb 19, 2026 0:57am

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 3 potential issues.

@@ -1,3 +1,4 @@
export * from "./eip5792Middleware";

Missing barrel export for eip7702Middleware module

Medium Severity

The rpc/index.ts barrel file re-exports eip5792Middleware but not eip7702Middleware. In EthereumSigningProvider.ts, createEip5792Middleware is imported through the barrel (from "../../../ethereum-provider"), while createEip7702Middleware requires a direct file path import (from "../../../ethereum-provider/rpc/eip7702Middleware"). This inconsistency means other providers that need EIP-7702 middleware can't discover it through the standard barrel export.

});
return (code || "0x") as `0x${string}`;
};
}
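
Review bot: On the return line, `code || "0x"` turns every falsy response (null, undefined, empty string) into "0x", the empty-code value, so a lookup that returned nothing cannot be told apart from an address that genuinely has no code, and the `as` cast asserts the hex type without checking the value. Suggest throwing when the response is not a string of hex bytes and returning "0x" only when that is what was actually received.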

createGetEthCode ignores chainId causing cross-chain misqueries

Medium Severity

createGetEthCode silently ignores the _chainId parameter, always querying eth_getCode against the currently connected chain. In eip7702Middleware, getAccountUpgradeStatus passes a user-specified chainId to getIsEip7702UpgradeSupported and getDelegationAddress, which forward it to getEthCode — but the chain ID is discarded. If the requested chain differs from the connected chain, the upgrade status and delegation address will be incorrect.

Fix in Cursor Fix in Web
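
An added example (not code from this PR or the project) of a fail-closed alternative to the behaviour the comment above describes: an eth_getCode wrapper that checks the requested chain against the connected one, plus a parser for the EIP-7702 delegation indicator. The helper names, the stub provider and the choice to reject a mismatched chainId instead of routing the query to another RPC endpoint are assumptions.

```typescript
// Added example; helper names are hypothetical and not taken from the PR.
type Hex = `0x${string}`;
type RpcRequest = (args: { method: string; params: unknown[] }) => Promise<unknown>;

// EIP-7702 delegation indicator: a delegated EOA's code is 0xef0100 || 20-byte address.
const DELEGATION_PREFIX = "0xef0100";
const HEX_BYTES = /^0x([0-9a-fA-F]{2})*$/;

// Accepts 1, "1" or "0x1"; rejects empty, zero, negative and non-numeric ids.
function normalizeChainId(id: string | number): number {
  const n = Number(id);
  if (!Number.isSafeInteger(n) || n <= 0) throw new Error(`invalid chainId: ${id}`);
  return n;
}

// Returns the delegate address when `code` is a delegation indicator, otherwise null.
function parseDelegation(code: string): Hex | null {
  if (!HEX_BYTES.test(code)) throw new Error("eth_getCode returned non-hex data");
  const c = code.toLowerCase();
  // 3-byte prefix + 20-byte address = 23 bytes = "0x" + 46 hex characters
  if (c.length !== 48 || !c.startsWith(DELEGATION_PREFIX)) return null;
  return `0x${c.slice(8)}` as Hex;
}

// eth_getCode that fails closed when the requested chain is not the connected one,
// rather than answering from the connected chain.
function createChainCheckedGetEthCode(request: RpcRequest) {
  return async (address: string, chainId: string | number): Promise<Hex> => {
    const connected = normalizeChainId((await request({ method: "eth_chainId", params: [] })) as string);
    if (connected !== normalizeChainId(chainId)) {
      throw new Error(`chain mismatch: requested ${chainId}, connected to ${connected}`);
    }
    const code = await request({ method: "eth_getCode", params: [address, "latest"] });
    if (typeof code !== "string" || !HEX_BYTES.test(code)) {
      throw new Error("eth_getCode returned non-hex data");
    }
    return code as Hex;
  };
}

// Constructed sample data: a made-up delegate address and a stub provider on chain 1.
const SAMPLE_DELEGATE = ("0x" + "11".repeat(20)) as Hex;
const SAMPLE_CODE = DELEGATION_PREFIX + "11".repeat(20);
const stubRequest: RpcRequest = async ({ method }) => (method === "eth_chainId" ? "0x1" : SAMPLE_CODE);
```
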

r: zeroAddress(),
s: zeroAddress(),
yParity: 0,
});

Dummy signature uses 20-byte address instead of 32-byte value

High Severity

Signature.from({ r: zeroAddress(), s: zeroAddress(), yParity: 0 }) will throw at runtime because zeroAddress() returns a 20-byte hex string (0x0000…0000, 40 hex chars), but ethers.js v6 Signature constructor validates that r and s are exactly 32 bytes and rejects shorter values with an "invalid r" assertion error. This makes wallet_upgradeAccount always fail before the transaction is even built. A 32-byte zero value (e.g., "0x" + "00".repeat(32)) is needed instead.
