Use of `tx.origin` for authentication

[code423n4]

Handle

shw

Vulnerability details

Impact

The eoaOnly function of Controller checks whether the user is whitelisted using tx.origin. Using tx.origin to authenticate users is generally not a good practice since it can be abused by malicious contracts when whitelisted users are interacting with them. Users have to be very careful to avoid being impersonated when interacting with contracts from other protocols, which could unnecessarily burden users.

Proof of Concept

Referenced code: Controller.sol#L269

Please refer to the following link for more discussion on tx.origin: Solidity issue - Remove tx.origin

Recommended Mitigation Steps

Change tx.origin at line 269 to msg.sender to ensure that the entity calling the Controller is the one allowed.

[kitty-the-kat]

52

[ghoul-sol]

This issue touches on different problem so I'll keep it as stand-alone low risk issue.