The function uses tx.origin for owner verification instead of msg.sender. This is dangerous because tx.origin always points to the original address that started the transaction, not the immediate caller of the function.
Here are 5 key impacts of this tx.origin vulnerability:
Unauthorized Vault Setup: The attacker can set their malicious vault address, which the actual owner didn't approve.
Permanent Lock-in: Since the vault can only be set once (due to the require(perpVault == address(0)) check), if an attacker successfully exploits this, there's no way to change it back.
Potential Fund Theft: If user funds go through this vault system, an attacker's malicious vault could be used to redirect or steal assets.
Market Manipulation: Through the gExchangeRouter.setSavedCallbackContract() call, attackers could manipulate market callbacks for trading operations.
Protocol Trust Breach: Since this affects core infrastructure setup (vault connections), it undermines the entire protocol's trustworthiness and security.
Manual Review
Replace tx.origin with msg.sender:
Beyond the plain msg.sender fix, consider using OpenZeppelin's Ownable contract and its onlyOwner modifier for owner checks.
This way, only direct calls from the owner will be allowed, making the function secure against phishing attacks.
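The flawed pattern beside the recommended fix, as an added illustration that is not the audited project's code: the contract names, the constructor, the setPerpVault parameters and the IExchangeRouter interface signature are all assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Assumed router interface: only the call named in the finding, signature assumed.
interface IExchangeRouter {
    function setSavedCallbackContract(address market, address callbackContract) external;
}

// BEFORE (hypothetical reconstruction): the check keys on tx.origin, so any
// contract the owner calls during a transaction can reach setPerpVault and
// pass it; the one-shot guard then makes the attacker-chosen vault permanent.
contract VaultSetupVulnerable {
    address public owner;
    address public perpVault;
    IExchangeRouter public gExchangeRouter;

    constructor(IExchangeRouter router) {
        owner = msg.sender;
        gExchangeRouter = router;
    }

    function setPerpVault(address vault, address market) external {
        require(tx.origin == owner, "not owner");         // flaw: origin, not caller
        require(perpVault == address(0), "already set");  // irreversible once set
        perpVault = vault;
        gExchangeRouter.setSavedCallbackContract(market, vault);
    }
}

// AFTER: Ownable's onlyOwner compares msg.sender (the immediate caller), so a
// contract invoked by the owner cannot satisfy the check on the owner's behalf.
contract VaultSetupFixed is Ownable {
    address public perpVault;
    IExchangeRouter public gExchangeRouter;

    constructor(IExchangeRouter router) Ownable(msg.sender) {
        gExchangeRouter = router;
    }

    function setPerpVault(address vault, address market) external onlyOwner {
        require(perpVault == address(0), "already set");
        require(vault != address(0), "zero vault");       // added sanity check
        perpVault = vault;
        gExchangeRouter.setSavedCallbackContract(market, vault);
    }
}
```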
Lightchaser: Medium-5