SWC Smart Contract Weakness Registry


SWC-115 / Authorization through tx.origin

tx.origin is a global variable in Solidity that returns the address of the account that originally sent the transaction. Using this variable for authorization can make a contract vulnerable if an authorized account calls into a malicious contract. The malicious contract's call passes the authorization check because tx.origin returns the original sender of the transaction, which in that case is the authorized account rather than the malicious contract.

CWE Classification

CWE-477: Use of Obsolete Function

Remediation

tx.origin should not be used for authorization. Use msg.sender instead.

References

Sample Contracts

mycontract.sol

/*
 * @source: https://consensys.github.io/smart-contract-best-practices/recommendations/#avoid-using-txorigin
 * @author: Consensys Diligence
 * Modified by Gerhard Wagner
 */

pragma solidity 0.4.24;

contract MyContract {

    address owner;

    function MyContract() public {
        owner = msg.sender;
    }

    function sendTo(address receiver, uint amount) public {
        require(tx.origin == owner); // SWC-115: tx.origin is the transaction originator, not the direct caller
        receiver.transfer(amount);
    }

}

mycontract.yaml

description: Use tx.origin to authorize ETH withdrawls
issues:
- id: SWC-115
  count: 1
  locations:
  - bytecode_offsets:
      '0xb5277138e87869e9e71cf9737221a19a68d46fdb979a6c9b4837100a5ba8eb8f': [204]
    line_numbers:
      mycontract.sol: [18]

mycontract_fixed.sol

/*
 * @source: https://consensys.github.io/smart-contract-best-practices/recommendations/#avoid-using-txorigin
 * @author: Consensys Diligence
 * Modified by Gerhard Wagner
 */

pragma solidity 0.4.25;

contract MyContract {

    address owner;

    function MyContract() public {
        owner = msg.sender;
    }

    function sendTo(address receiver, uint amount) public {
        require(msg.sender == owner); // fixed: authorize the direct caller, not the transaction originator
        receiver.transfer(amount);
    }

}

mycontract_fixed.yaml

description: Use tx.origin to authorize ETH withdrawls
issues:
- id: SWC-115
  count: 0
  locations: []
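As an added example (not part of the SWC registry or its tooling), a small source-level check that flags tx.origin used inside require/assert/if conditions and reports findings in the same shape as the yaml files above. The embedded contract is a constructed abridgement of mycontract.sol, and the function names are my own.

```python
import re

# require/assert/if whose condition mentions tx.origin. Assumption: one statement
# per line, which holds for the SWC sample contracts. tx.origin used for other
# purposes (e.g. logged in an event) is deliberately not flagged.
AUTH_CHECK = re.compile(r'\b(require|assert|if)\s*\(.*\btx\.origin\b')


def strip_comments(source: str) -> str:
    """Blank out // and /* */ comments but keep every newline so that
    reported line numbers still match the original file."""
    def blank(m):
        return '\n' * m.group(0).count('\n')
    return re.sub(r'/\*.*?\*/|//[^\n]*', blank, source, flags=re.S)


def find_tx_origin_auth(source: str) -> list:
    """1-based line numbers where tx.origin is used inside an auth check."""
    lines = strip_comments(source).splitlines()
    return [n for n, line in enumerate(lines, start=1) if AUTH_CHECK.search(line)]


def swc115_report(source: str, filename: str = "mycontract.sol") -> dict:
    """Same shape as the registry's mycontract.yaml 'issues' entry."""
    hits = find_tx_origin_auth(source)
    return {"id": "SWC-115", "count": len(hits),
            "locations": [{"line_numbers": {filename: hits}}] if hits else []}


# Constructed sample mirroring the page's contract; the comments mentioning
# tx.origin are there to show that comments are not counted.
VULNERABLE = """\
/* Sample: never use tx.origin for authorization */
pragma solidity 0.4.24;
contract MyContract {
    address owner;
    function MyContract() public { owner = msg.sender; }
    function sendTo(address receiver, uint amount) public {
        require(tx.origin == owner); // SWC-115
        receiver.transfer(amount);
    }
}
"""
FIXED = VULNERABLE.replace("tx.origin == owner", "msg.sender == owner")

if __name__ == "__main__":
    print(swc115_report(VULNERABLE))  # count 1, line 7
    print(swc115_report(FIXED))       # count 0, locations []
```

The check is a lint, not a substitute for bytecode analysis: a tx.origin comparison split across lines, or one reached through a helper function, is not caught by this pattern.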