DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

H-1 potential phishing with tx.origin in setPerpVault()

Summary

The setPerpVault function in the contract uses a tx.origin check to verify that the original sender of the transaction (the owner) is making the call. This is a potential security vulnerability, as it opens the contract to phishing attacks:

function setPerpVault(address _perpVault, address market) external {
    // Access control compares the transaction originator, not the immediate caller,
    // so a call routed through an intermediate contract the owner interacts with passes.
    require(tx.origin == owner(), "not owner"); // @audit msg.sender instead?
    require(_perpVault != address(0), "zero address");
    require(perpVault == address(0), "already set"); // one-time initialisation
    perpVault = _perpVault;
    gExchangeRouter.setSavedCallbackContract(market, address(this));
}

Vulnerability Details

The vulnerability arises from the use of tx.origin, which can be exploited by attackers to impersonate the legitimate user. A malicious contract can initiate a transaction on behalf of the user, and because tx.origin would point to the original user address (not the calling contract), the setPerpVault function would incorrectly allow the attacker to change the perpVault address to a malicious address, potentially redirecting critical contract logic or control.

Impact

An attacker can craft a malicious contract that interacts with the vulnerable contract. The malicious contract can trick a user into executing a transaction, and since tx.origin matches the user's address, the attacker can successfully modify critical contract state.

Tools Used

  • Manual review

Recommendations

Replace the use of tx.origin with msg.sender. The msg.sender variable refers to the immediate address calling the function, rather than the original transaction sender, so a call forwarded through another contract is no longer treated as coming from the owner.

require(msg.sender == owner(), "not owner"); // Use msg.sender for owner verification
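The following Foundry test is an added example (not part of the original submission or the audited codebase) that shows why the recommended msg.sender check is sufficient: a direct owner call succeeds, while the same call routed through an intermediate contract reverts even though tx.origin is still the owner. The contract name PerpVaultSetter, the simple owner() implementation, and the omission of the market parameter and the gExchangeRouter call are assumptions made to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the audited contract (name and owner handling are assumptions).
contract PerpVaultSetter {
    address public immutable ownerAddr;
    address public perpVault;
    constructor() { ownerAddr = msg.sender; }
    function owner() public view returns (address) { return ownerAddr; }
    // Hardened form: the immediate caller must be the owner, so a call routed
    // through any other contract is rejected regardless of who signed the tx.
    function setPerpVault(address _perpVault) external {
        require(msg.sender == owner(), "not owner");
        require(_perpVault != address(0), "zero address");
        require(perpVault == address(0), "already set");
        perpVault = _perpVault;
    }
}

// Stands for any contract the owner interacts with that ends up calling setPerpVault.
// With the original tx.origin check this forwarded call would have succeeded.
contract Relay {
    function forward(PerpVaultSetter target, address v) external { target.setPerpVault(v); }
}

contract SetPerpVaultTest is Test {
    PerpVaultSetter setter;
    address ownerEOA = makeAddr("owner"); // constructed test address
    address vault = makeAddr("vault");    // constructed test address

    function setUp() public {
        vm.prank(ownerEOA);            // deployer becomes owner
        setter = new PerpVaultSetter();
    }

    function test_directOwnerCallSucceeds() public {
        vm.prank(ownerEOA);
        setter.setPerpVault(vault);
        assertEq(setter.perpVault(), vault);
    }

    function test_callRoutedThroughContractReverts() public {
        Relay relay = new Relay();
        // msg.sender of the outer call and tx.origin are both the owner EOA;
        // inside Relay.forward the msg.sender seen by setPerpVault is the relay.
        vm.prank(ownerEOA, ownerEOA);
        vm.expectRevert(bytes("not owner"));
        relay.forward(setter, vault);
    }
}
```

Run with `forge test`; the second test would fail against the original tx.origin version, which is the regression it is meant to guard.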

Updates

Lead Judging Commences

n0kto Lead Judge 5 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_tx-origin

Lightchaser: Medium-5
