Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

H-#1 Usage of `tx.origin` to determine the owner is prone to attacks

0xmad

Summary : In GmProxy.sol :: function setPerpVault uses tx.origin to determine the owner authorization is prone to attacks.

Vulnerability Details : function setPerpVault in GmProxy.sol uses tx.origin to check the owner ,but this should not be in access control logic. Solidity docs clearly mentions this "Never use tx.origin for authorization",as it is prone to phishing attacks from malicious users. They can create a malicious attack contract to interact with the owner contract and use the interaction to get authorization to the set the PerpVault.

javascript

* @dev This function can only be called once. It requires the perpetual vault address to be non-zero and not already set.
* @param _perpVault The address of the perpetual vault.
*/
function setPerpVault(address _perpVault, address market) external {
require(tx.origin == owner(), "not owner");
require(_perpVault != address(0), "zero address");
require(perpVault == address(0), "already set");
perpVault = _perpVault;
gExchangeRouter.setSavedCallbackContract(market, address(this));
}

Impact : As the PerpVault is main component of the protocol,which has all the funds deposited by users is getting affected. This is a severe issue as all the funds are at risk of getting deposited into a perpvault address that is not set by owner but by the malicious attacker causing the Loss of Funds for the protocol and user,making the protocol to not function.

Tools Used : Manual Review

Recommendations : Use msg.sender instead of tx.origin to determine owner authorization.

* @dev This function can only be called once. It requires the perpetual vault address to be non-zero and not already set.
* @param _perpVault The address of the perpetual vault.
*/
function setPerpVault(address _perpVault, address market) external {
// use msg.sender instead of tx.origin to determine the owner authorization
require(msg.sender == owner(), "not owner");
require(_perpVault != address(0), "zero address");
require(perpVault == address(0), "already set");
perpVault = _perpVault;
gExchangeRouter.setSavedCallbackContract(market, address(this));
}
Updates

Lead Judging Commences

n0kto Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_tx-origin

Lightchaser: Medium-5

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.