The setPerpVault function in the GMXProxy contract uses tx.origin for ownership verification. Although the check ensures that the transaction's origin is the owner, relying on tx.origin for access control is considered insecure and an anti-pattern.
The function contains the following line to verify access:
This check only verifies that the originator of the transaction is the owner, regardless of any intermediary contracts involved in the call chain.
Risk:
An attacker can create a malicious intermediary contract that tricks the owner into initiating a transaction. Even though the owner is the tx.origin, the actual caller (msg.sender) could be a malicious contract. This scenario could allow unauthorized execution of the setPerpVault function.
Unauthorized Access Risk:
If an attacker successfully leverages a phishing attack where the owner inadvertently initiates a transaction through a malicious intermediary, the function could be executed even though the direct caller is not the owner.
Increased Attack Surface:
Using tx.origin makes the contract vulnerable to complex attack vectors via intermediary contracts, leading to potential unauthorized changes in critical protocol parameters.
Manual code review
Static analysis
Use msg.sender for access control:
Replace the tx.origin check with a standard msg.sender check.
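The difference between the two checks can be pinned down with a regression test. The following is an added example, not code from the GMXProxy contract or the audited repository: ProxySketch, Relay, the "not owner" message and the sample addresses are hypothetical, and the test assumes Foundry's forge-std is available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the proxy (not the GMXProxy source).
contract ProxySketch {
    address public owner = msg.sender; // deployer becomes owner
    address public perpVault;

    // Pattern from the finding: passes whenever the owner signed the
    // transaction, whichever contract is the direct caller.
    function setPerpVaultOrigin(address vault) external {
        require(tx.origin == owner, "not owner");
        perpVault = vault;
    }

    // Recommended form: only the owner as direct caller passes.
    function setPerpVault(address vault) external {
        require(msg.sender == owner, "not owner");
        perpVault = vault;
    }
}

// Neutral intermediary standing in for any contract the owner calls.
contract Relay {
    function forward(address target, bytes calldata data) external returns (bool ok) {
        (ok, ) = target.call(data);
    }
}

contract AccessCheckTest is Test {
    ProxySketch proxy;
    Relay relay;
    address constant VAULT = address(0xBEEF); // constructed sample value

    function setUp() public {
        proxy = new ProxySketch(); // owner is this test contract
        relay = new Relay();
    }

    function test_checksDifferBehindIntermediary() public {
        // The owner is both msg.sender and tx.origin for the calls into Relay.
        vm.startPrank(address(this), address(this));
        bool viaOrigin = relay.forward(address(proxy), abi.encodeCall(proxy.setPerpVaultOrigin, (VAULT)));
        bool viaSender = relay.forward(address(proxy), abi.encodeCall(proxy.setPerpVault, (address(1))));
        vm.stopPrank();
        assertTrue(viaOrigin);              // tx.origin check accepted the relayed call
        assertFalse(viaSender);             // msg.sender check rejected it: caller is Relay
        assertEq(proxy.perpVault(), VAULT); // only the tx.origin path changed state
    }
}
```

A msg.sender check also keeps working if ownership later moves to a contract account such as a multisig, which can never be tx.origin.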
Lightchaser: Medium-5