Liquidity Management
Gamma
DeFiFoundry
50,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

Unsafe use of `tx.origin` for access control in `GmxProxy::setPerpVault`

anchabadze

Description:

The setPerpVault() function in GmxProxy contract uses tx.origin for access control:

function setPerpVault(address _perpVault, address market) external {
require(tx.origin == owner(), "not owner"); // UNSAFE: uses tx.origin
require(_perpVault != address(0), "zero address");
require(perpVault == address(0), "already set");
perpVault = _perpVault;
gExchangeRouter.setSavedCallbackContract(market, address(this));
}

Using tx.origin for authorization is dangerous as it makes the contract vulnerable to phishing attacks through malicious intermediate contracts, because tx.origin always points to the original sender:

owner -> malicious contract that calls GmxProxy-> GmxProxy::setPerpVault- tx.origin will be owner

If an attacker tricks the owner into interacting with this malicious contract, it could be critical for the protocol.

Impact:

If a phishing attack is successful, the attacker can:

  • Set a malicious perpVault address

  • Potentially gain control over protocol operations

  • Manipulate price validations and keeper operations

Recommended Mitigation:

Use msg.sender instead of tx.origin

Updates

Lead Judging Commences

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_tx-origin

Lightchaser: Medium-5

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.