NFTBridge
60,000 USDC
Submission Details
Severity: low
Invalid

Lack of _msgSender() Usage in `StarklaneEscrow` Contract

Vulnerability Details

The StarklaneEscrow contract inherits from the Context contract but does not utilize the _msgSender() function provided by Context to determine the actual sender of the transaction. Instead, it directly uses msg.sender to identify the user interacting with the contract.

```solidity
/**
 * @title Contract responsible for escrowing tokens.
 */
contract StarklaneEscrow is Context {
```

The use of _msgSender() is crucial in scenarios where meta-transactions are involved. Meta-transactions allow users to interact with the blockchain without directly sending transactions, usually through a relayer. In such cases, the original sender of the transaction (i.e., the user) may differ from msg.sender (which would be the relayer). The Context contract provides _msgSender() to correctly identify the original sender even when a relayer is involved.

Impact

By not using _msgSender(), the StarklaneEscrow contract may fail to correctly recognize the actual sender in scenarios involving meta-transactions. This could lead to security issues, as the contract might incorrectly attribute ownership of actions, leading to unauthorized token deposits and withdrawals.

Tools Used

Manual review

Recommendations

Replace all instances of msg.sender with _msgSender() to ensure that the contract correctly identifies the original sender, particularly in scenarios involving meta-transactions.
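To make the recommendation concrete, here is an added illustration (not Starklane code) of the "before" and "after" pattern. It assumes OpenZeppelin's `Context` and `ERC2771Context` at the import paths below; the `MockForwarder` is a hypothetical test-only helper that just shows the calldata-suffix convention `ERC2771Context` relies on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Starklane code. Assumes OpenZeppelin 5.x import paths.
import {Context} from "@openzeppelin/contracts/utils/Context.sol";
import {ERC2771Context} from "@openzeppelin/contracts/metatx/ERC2771Context.sol";

// "Before": plain Context, identity taken from msg.sender. Note that the base
// Context._msgSender() also returns msg.sender, so replacing the call alone
// changes nothing until a trusted forwarder is wired in (see the "after" contract).
contract EscrowMsgSender is Context {
    mapping(bytes32 => address) public depositor;

    function deposit(bytes32 id) external {
        depositor[id] = msg.sender; // through a relayer this is the relayer
    }

    function withdraw(bytes32 id) external {
        require(depositor[id] == msg.sender, "not depositor");
        delete depositor[id];
    }
}

// "After": ERC2771Context resolves the original signer when the call arrives
// from the trusted forwarder, which appends the signer's 20-byte address to
// calldata; for direct calls _msgSender() still equals msg.sender.
contract EscrowMetaTx is ERC2771Context {
    mapping(bytes32 => address) public depositor;

    constructor(address forwarder) ERC2771Context(forwarder) {}

    function deposit(bytes32 id) external {
        depositor[id] = _msgSender(); // the user, not the relayer
    }

    function withdraw(bytes32 id) external {
        require(depositor[id] == _msgSender(), "not depositor");
        delete depositor[id];
    }
}

// Hypothetical test-only forwarder: it trusts the caller-supplied signer and
// checks no signature, so it only serves to show the ERC-2771 suffix layout.
contract MockForwarder {
    function relay(address target, bytes calldata data, address signer) external {
        (bool ok, ) = target.call(abi.encodePacked(data, signer));
        require(ok, "relay failed");
    }
}
```

Deploying `EscrowMetaTx` with `MockForwarder`'s address as `forwarder` and calling `relay(escrow, abi.encodeCall(EscrowMetaTx.deposit, (id)), user)` records `user` as the depositor, whereas the same relay against `EscrowMsgSender` records the forwarder.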

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Informational / Gas

Please do not suppose impacts; think about the real impact of the bug and check the CodeHawks documentation to confirm: https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity. A PoC always helps to understand the possible real impact.
