Project

One World
NFT, DeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

The protocol uses `_msgSender()` in some places, but not everywhere

Summary

The code uses OpenZeppelin's `Context` contract, which is intended to allow meta-transactions. It works by calling `_msgSender()` instead of querying `msg.sender` directly, because that method allows those special transactions. The problem is that the `executeMetaTransaction` function in `NativeMetaTransaction.sol` and the `initialize` function in `MembershipERC1155.sol` use `msg.sender` directly instead of `_msgSender()`. This breaks that intent and will not allow meta-transactions at all in those functions, which are among the important ones in the aforementioned contracts.

Vulnerability Details

Important lines of code, for reference.

Places where `_msgSender()` is used:

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/OWPIdentity.sol#L82

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/MembershipFactory.sol#L182

Places where `msg.sender` is used:

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/meta-transaction/NativeMetaTransaction.sol#L33

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/tokens/MembershipERC1155.sol#L39

Impact

Impact:
Low, because the protocol will still function normally, but an expected and desired type of transaction won't work.

Likelihood:
High, because it is certain that the issue will occur with the code as it is.

Tools Used

Manual Review

Recommendations

Change the code in the `executeMetaTransaction` and `initialize` functions to use `_msgSender()` instead of `msg.sender`.
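The difference the Summary describes, as an added Solidity illustration that is not code from the One World repository: `MetaTxDemo`, `relay` and `record` are hypothetical names, and the sketch assumes the common pattern in which the relay entry point calls back into the same contract with the user's address appended to the calldata. Signature and nonce checks are out of scope here; a real entry point must authenticate `user` before forwarding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; hypothetical contract, not the project's code.
contract MetaTxDemo {
    address public lastRawSender;  // value of msg.sender seen by record()
    address public lastMetaSender; // value of _msgSender() seen by record()

    // Hypothetical relay entry point (assumption: self-call pattern).
    // A relayer submits the transaction on behalf of `user`.
    // Authentication of `user` (signature, nonce) is intentionally omitted.
    function relay(address user, bytes calldata functionCall) external {
        // Append the user's address to the calldata and call this contract.
        (bool ok, ) = address(this).call(abi.encodePacked(functionCall, user));
        require(ok, "inner call failed");
    }

    // Records both views of "the caller" so they can be compared.
    // Called directly, both slots hold the calling account.
    // Called through relay(), msg.sender is this contract itself,
    // while _msgSender() recovers the appended user address.
    function record() external {
        lastRawSender = msg.sender;
        lastMetaSender = _msgSender();
    }

    // Context-style sender lookup: when the call comes from the contract
    // itself, the real sender is the last 20 bytes of the calldata.
    function _msgSender() internal view returns (address sender) {
        if (msg.sender == address(this) && msg.data.length >= 20) {
            sender = address(bytes20(msg.data[msg.data.length - 20:]));
        } else {
            sender = msg.sender;
        }
    }
}
```

Any access check or ownership assignment in a relayed function that reads `msg.sender` directly is applied to the value stored in `lastRawSender`, not to the user who requested the call.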

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
