SWC-115/利用tx.origin授权
tx.origin是Solidity中的全局变量,它返回发起交易的帐户的地址。如果授权帐户调用了恶意合约,则使用该变量进行授权可能会使合约易受攻击:恶意合约可以转而调用存在漏洞的合约并通过授权检查,因为tx.origin返回的是交易的原始发送者,在这种情况下,交易的原始发送者是授权帐户,而不是直接调用者(恶意合约)。
CWE漏洞分类
整改方案
tx.origin不应用于授权。使用msg.sender代替。
参考文献
示例合约
mycontract.sol
/*
* @source: https://consensys.github.io/smart-contract-best-practices/recommendations/#avoid-using-txorigin
* @author: Consensys Diligence
* Modified by Gerhard Wagner
*/
pragma solidity 0.4.24;
// Deliberately vulnerable sample for SWC-115: the withdrawal function authorizes
// the caller with tx.origin instead of msg.sender.
contract MyContract {
// Address allowed to withdraw; assigned only in the constructor below.
address owner;
// Constructor (a function named after the contract is the constructor in
// Solidity 0.4.x). Records the deploying address as the owner.
function MyContract() public {
owner = msg.sender;
}
// Transfers `amount` from this contract to `receiver`.
// @param receiver address that receives the funds
// @param amount   value handed to transfer()
function sendTo(address receiver, uint amount) public {
// VULNERABLE (SWC-115): tx.origin is the account that started the transaction,
// not the immediate caller. If the owner sends a transaction to some other
// contract and that contract calls sendTo(), this check still passes, and the
// intermediate contract decides `receiver` and `amount`.
require(tx.origin == owner);
// transfer() reverts on failure, so a failed send aborts the whole call.
receiver.transfer(amount);
}
}
mycontract.yaml
# Expected findings for mycontract.sol: exactly one SWC-115 issue.
description: Use tx.origin to authorize ETH withdrawls
issues:
- id: SWC-115
count: 1
locations:
# NOTE(review): the quoted key looks like a hash identifying the compiled
# bytecode, with [204] an offset into it; confirm against the tooling that
# consumes this file.
- bytecode_offsets:
'0xb5277138e87869e9e71cf9737221a19a68d46fdb979a6c9b4837100a5ba8eb8f': [204]
# NOTE(review): line 18 presumably refers to the original file layout (with
# blank lines) and points at the `require(tx.origin == owner);` check; the
# listing on this page is condensed, so its line numbers do not match.
line_numbers:
mycontract.sol: [18]
mycontract_fixed.sol
/*
* @source: https://consensys.github.io/smart-contract-best-practices/recommendations/#avoid-using-txorigin
* @author: Consensys Diligence
* Modified by Gerhard Wagner
*/
pragma solidity 0.4.25;
// Remediated sample for SWC-115: the withdrawal function authorizes the
// immediate caller (msg.sender) rather than the transaction originator.
contract MyContract {
// Address allowed to withdraw; assigned only in the constructor below.
address owner;
// Constructor (a function named after the contract is the constructor in
// Solidity 0.4.x). Records the deploying address as the owner.
function MyContract() public {
owner = msg.sender;
}
// Transfers `amount` from this contract to `receiver`; only the owner may call it.
// @param receiver address that receives the funds
// @param amount   value handed to transfer()
function sendTo(address receiver, uint amount) public {
// msg.sender is the direct caller of this function. A contract sitting between
// the owner and this call would appear here as msg.sender and fail the check,
// even when the owner started the transaction.
require(msg.sender == owner);
// transfer() reverts on failure, so a failed send aborts the whole call.
receiver.transfer(amount);
}
}
mycontract_fixed.yaml
# Expected findings for mycontract_fixed.sol: no SWC-115 issue should be reported.
# NOTE(review): the description still mentions tx.origin although the fixed
# contract checks msg.sender; it appears to be carried over from the vulnerable
# sample's file.
description: Use tx.origin to authorize ETH withdrawls
issues:
- id: SWC-115
# Zero findings, hence the empty locations list.
count: 0
locations: []