Submission Details
Impact:
Likelihood:
Dangerous tx.origin Usage in finalizeMint
Root + Impact
The contract uses tx.origin instead of msg.sender in finalizeMint(), allowing phishing attacks through proxy contracts.
Description
-
tx.originreturns the original EOA that initiated the transaction. -
Any dApp or attacker contract can hijack finalization with a proxy mint.
function fulfillRequest(bytes memory response, bytes memory err) external {
...
finalizeMint(tx.origin);
}
Risk
Likelihood:
Users interacting with malicious dApps can have their NFTs minted unknowingly.
Impact:
-
Phishing + unintended NFT minting
-
Undermines access control
Proof of Concept
Called via phishing proxy, contract sees tx.origin as the victim.
// Attacker contract
function proxyFinalize(address nft) public {
// tx.origin is victim, msg.sender is attacker
WeatherNft(nft).fulfillRequest(bytes("đŠī¸"), "");
}
Recommended Mitigation
Replace tx.origin with msg.sender, and pass explicitly controlled mint recipient:
function fulfillRequest(bytes memory response, bytes memory err) external {
...
finalizeMint(msg.sender); // or store the request originator safely
}
â
Rewards breakdown
nSLOC
236This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.