15.SWC-115_tx.origin
2023-07-13 15:52:40 # 09.SWC

SWC-115_tx.origin

Authorization through tx.origin

  • Description: tx.origin is a global variable in Solidity which returns the address of the account that sent the transaction. Using the variable for authorization could make a contract vulnerable if an authorized account calls into a malicious contract. A call could be made to the vulnerable contract that passes the authorization check since tx.origin returns the original sender of the transaction which in this case is the authorized account.

  • Remediation: tx.origin should not be used for authorization. Use msg.sender instead.

vulnerability contract:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
pragma solidity 0.4.24;

contract MyContract {

address owner;

function MyContract() public {
owner = msg.sender;
}

function sendTo(address receiver, uint amount) public {
// Use tx.origin to authorize ETH withdrawls
// fixed: require(msg.sender == owner);
require(tx.origin == owner);
receiver.transfer(amount);
}

}
Prev
2023-07-13 15:52:40 # 09.SWC
Next