Smart Contract / Authorization through Tx.origin

Description

Authorization through tx.origin is an IT vulnerability in the category of Smart Contract, which occurs in the Solidity programming language (SWC). This vulnerability allows an attacker to bypass authorization checks as the tx.origin parameter appears to be trusted by the Smart Contract. According to the Common Weakness Enumeration (CWE) directory, this vulnerability is listed as CWE-890: Authentication Bypass by Spoofing. The Open Web Application Security Project (OWASP) Testing Guide category for this vulnerability is A3: Broken Authentication and Session Management.

Risk

This vulnerability is considered a high risk, as it allows an attacker to bypass authorization checks and access the code of a Smart Contract. This can lead to an attacker being able to modify the code of a Smart Contract, resulting in a potential financial loss.

Solution

The best solution to this vulnerability is to use an authorization mechanism that is not dependent on the tx.origin parameter. Instead, authorization should be performed using a more secure parameter such as msg.sender. This will ensure that the authorization checks are performed using a more secure parameter, reducing the risk of an attack.

Example

The following code is an example of a vulnerable Smart Contract that uses the tx.origin parameter for authorization checks.

contract VulnerableContract {
    // This is a vulnerable contract that uses the tx.origin parameter for authorization checks.
    function vulnerableFunction() {
        if (tx.origin == msg.sender) {
            // Perform some action.
        }
    }
}