DeFiFoundry
50,000 USDC
Submission Details
Severity: low
Invalid

Critical Security Flaw: tx.origin Misuse Allows Unauthorized Access

One of the most serious security flaws in the GmxProxy contract is the use of tx.origin for access control, specifically in the setPerpVault function:

function setPerpVault(address _perpVault, address market) external {
    require(tx.origin == owner(), "not owner");
    require(_perpVault != address(0), "zero address");
    require(perpVault == address(0), "already set");
    perpVault = _perpVault;
    gExchangeRouter.setSavedCallbackContract(market, address(this));
}

Using tx.origin for authentication exposes the contract to phishing and proxy contract attacks. Unlike msg.sender, which reflects the immediate caller, tx.origin represents the original externally owned account (EOA) that initiated the transaction. This means that if an owner interacts with a malicious contract that forwards the call to GmxProxy, the tx.origin == owner() check will still pass—even if the immediate caller (msg.sender) is an attacker-controlled contract.

  1. The legitimate owner() is tricked into interacting with a malicious contract.

  2. The malicious contract forwards a call to GmxProxy.setPerpVault(...), passing a manipulated _perpVault address.

  3. Since tx.origin remains the original owner’s address, the access control check require(tx.origin == owner(), "not owner"); erroneously approves the request.

  4. The attacker successfully sets perpVault to their own controlled address, allowing them to manipulate or hijack future transactions involving perpVault, potentially leading to stolen funds or other security breaches.
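The difference between the two checks can be pinned down in a regression test. The following is an added example, not code from the submission or from the GmxProxy project: `ProxyModel`, the two constant addresses and the test names are constructed for illustration, the `gExchangeRouter` call is left out, and it assumes a Foundry project with `forge-std` available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Reduced stand-in for GmxProxy (constructed): only the access check and the
// one-time setter are modelled; the gExchangeRouter call is left out.
contract ProxyModel {
    address public immutable owner;
    address public perpVault;
    bool private immutable useOrigin;

    constructor(bool _useOrigin) {
        owner = msg.sender;
        useOrigin = _useOrigin;
    }

    function setPerpVault(address _perpVault) external {
        // useOrigin = true reproduces the page's check; false is the msg.sender form.
        address caller = useOrigin ? tx.origin : msg.sender;
        require(caller == owner, "not owner");
        require(_perpVault != address(0), "zero address");
        require(perpVault == address(0), "already set");
        perpVault = _perpVault;
    }
}

contract SetPerpVaultAuthTest is Test {
    address constant INTERMEDIARY = address(0xBEEF); // constructed: any contract the owner calls
    address constant VAULT = address(0xCAFE);        // constructed sample vault address

    // The owner is this test contract (it deploys ProxyModel). vm.prank with two
    // arguments makes the next call arrive from INTERMEDIARY with tx.origin = owner.
    function test_originCheckAcceptsForwardedCall() public {
        ProxyModel p = new ProxyModel(true);
        vm.prank(INTERMEDIARY, address(this));
        p.setPerpVault(VAULT);
        assertEq(p.perpVault(), VAULT); // check passed although msg.sender is not the owner
    }

    function test_senderCheckRejectsForwardedCall() public {
        ProxyModel p = new ProxyModel(false);
        vm.prank(INTERMEDIARY, address(this));
        vm.expectRevert(bytes("not owner"));
        p.setPerpVault(VAULT);
        assertEq(p.perpVault(), address(0)); // forwarded call left the slot unset
        p.setPerpVault(VAULT);               // direct call from the owner still works
        assertEq(p.perpVault(), VAULT);
    }
}
```

Both tests pass under `forge test`: the first documents that the `tx.origin` comparison accepts a call relayed by another contract, the second that a `msg.sender` comparison rejects the same call while still allowing the owner's direct call.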

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Known issue
Assigned finding tags:

invalid_tx-origin

Lightchaser: Medium-5
