DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Use of tx.origin for Ownership Check in GmxProxy.setPerpVault


Reliance on tx.origin can be exploited if the owner is a contract or in scenarios with malicious forwarding. This may break multisig flows or allow phishing-based ownership hijacking.

Summary

  • The function GmxProxy.setPerpVault has require(tx.origin == owner()) instead of require(msg.sender == owner()).

  • Using tx.origin is a known anti-pattern; it can be manipulated by a malicious contract.

Vulnerability Details

  • tx.origin is the EOA that initiated the transaction, but if the owner is a contract (like a Gnosis Safe), tx.origin can differ from the actual signing logic.

  • Attackers can trick an EOA controlling a Safe to unwittingly forward calls that pass the tx.origin == owner() check, leading to undesired changes.

Impact

  • Risk of unauthorized vault assignment if the owner uses a multisig or any contract-based account.

  • Could break the assumption of secure ownership transfer, potentially letting an attacker set a rogue vault address.

Tools Used

  • Manual code review.

  • Common knowledge of tx.origin vulnerabilities.

Recommendations

  • Replace require(tx.origin == owner()) with require(msg.sender == owner()).

  • Enforce a standard Ownable pattern using msg.sender.

  • If you truly need EOA checks, consider alternatives (e.g. EIP-712 signatures).
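
The two checks side by side, as an added example that is not GmxProxy's own code. Only the setPerpVault name and the two require conditions come from the finding; OwnedBase, the contract names, and the Intermediary comparison harness are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the proxy's ownership storage; only
// setPerpVault and the two require() conditions are from the finding.
abstract contract OwnedBase {
    address private _owner;
    address public perpVault;

    constructor(address initialOwner) { _owner = initialOwner; }

    function owner() public view returns (address) { return _owner; }
}

// Check as quoted in the finding: authorizes on the originating account.
contract OriginGatedProxy is OwnedBase {
    constructor(address o) OwnedBase(o) {}

    function setPerpVault(address vault) external {
        // Passes for any intermediate contract inside a transaction the
        // owner EOA started. Never passes when owner() is a contract such
        // as a Safe, since a Safe is never the transaction origin.
        require(tx.origin == owner(), "not owner");
        perpVault = vault;
    }
}

// Recommended form: authorizes on the immediate caller.
contract SenderGatedProxy is OwnedBase {
    constructor(address o) OwnedBase(o) {}

    function setPerpVault(address vault) external {
        require(msg.sender == owner(), "not owner");
        perpVault = vault;
    }
}

interface IPerpVaultSetter { function setPerpVault(address vault) external; }

// Constructed harness for comparing the checks. When the owner EOA calls
// relay(), the target sees msg.sender == this contract and
// tx.origin == owner EOA: OriginGatedProxy accepts the call,
// SenderGatedProxy reverts with "not owner".
contract Intermediary {
    function relay(IPerpVaultSetter target, address vault) external {
        target.setPerpVault(vault);
    }
}
```

With a contract owner, only SenderGatedProxy.setPerpVault remains callable by that owner, which is the multisig breakage the summary refers to.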

Updates

Lead Judging Commences

n0kto Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_tx-origin

Lightchaser: Medium-5
