Kingdom: Security Features

Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.

Authorization Bypass: tx.origin

Abstract
A function uses the global variable tx.origin for authorization purposes.
Explanation
The tx.origin global variable holds the address of the account from where a transaction originates.

If a smart contract, S1, receives a transaction from an account, A1, and then S1 calls another smart contract, S2, then inside S2, tx.origin holds the address of A1, the account that called S1, not the address of S1. If S2 uses tx.origin to verify that A1 authorized the call, that check also passes for any call S1 makes while A1's transaction is executing, so the authorization is bypassed.

Now, if an attacker can trick a user into sending a transaction to a malicious contract that then invokes the vulnerable contract, where the user is authorized via tx.origin, then tx.origin will hold the address of the user account that initiated the transaction and the authorization will be bypassed.

Example 1: The following code requires the owner of the contract (previously set in the constructor) to be the same as tx.origin before transferring funds to a provided address.

If an attacker is able to trick the owner of the contract into sending a transaction to a malicious contract which immediately calls the sendTo function in the vulnerable contract, then the condition within the require statement will be true and funds will be transferred to whatever address the attacker's contract specified when calling sendTo.


// Vulnerable: tx.origin is the externally owned account that started the
// transaction, not the immediate caller (msg.sender).
function sendTo(address receiver, uint amount) public {
    require(tx.origin == owner);
    receiver.transfer(amount);
}
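The fix is to authorize on msg.sender, the immediate caller, rather than on tx.origin. The following is an added example, not code from the original page: the vulnerable wallet beside its hardened form. The contract names and the payable receive function are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the original page. Both wallets hold ether and let
// the owner send it; only the second one checks the right value.

contract VulnerableWallet {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // BAD: tx.origin is the externally owned account that started the
    // transaction. If the owner calls some other contract and that contract
    // calls sendTo, tx.origin is still the owner, so the check passes even
    // though the owner never called this function directly.
    function sendTo(address payable receiver, uint256 amount) public {
        require(tx.origin == owner, "not owner");
        receiver.transfer(amount);
    }

    receive() external payable {}
}

contract HardenedWallet {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    // GOOD: msg.sender is the immediate caller. When an intermediary contract
    // calls sendTo, msg.sender is that contract's address, not the owner's,
    // so the require fails and no funds move.
    function sendTo(address payable receiver, uint256 amount) public {
        require(msg.sender == owner, "not owner");
        receiver.transfer(amount);
    }

    receive() external payable {}
}
```

Note that with the msg.sender check the owner must call sendTo directly; a contract the owner deploys to manage the wallet would need to be made the owner itself.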
References
[1] Enterprise Ethereum Alliance No tx.origin
[2] Standards Mapping - CIS Azure Kubernetes Service Benchmark 4
[3] Standards Mapping - CIS Amazon Elastic Kubernetes Service Benchmark 4
[4] Standards Mapping - CIS Amazon Web Services Foundations Benchmark 3
[5] Standards Mapping - CIS Google Kubernetes Engine Benchmark normal
[6] Standards Mapping - Common Weakness Enumeration CWE ID 477
[7] Standards Mapping - Smart Contract Weakness Classification SWC-115