msg.sender is used here but everywhere else OZ's Context.sol version is being used.
For consistency and to capture changes made to OZ's Context.sol over time, only that version should be used.
From the OZ Context contract:
/**
@dev Provides information about the current execution context, including the
sender of the transaction and its data. While these are generally available
via msg.sender and msg.data, they should not be accessed in such a direct
manner, since when dealing with meta-transactions the account sending and
paying for execution may not be the actual sender (as far as an application
maximebrugel
commented
2 years ago
Handle
ye0lde
Vulnerability details
Impact
msg.sender is used here but everywhere else OZ's Context.sol version is being used. For consistency and to capture changes made to OZ's Context.sol over time, only that version should be used.
From the OZ Context contract: /**
Proof of Concept
https://github.com/code-423n4/2021-11-nested/blob/f646002b692ca5fa3631acfff87dda897541cf41/contracts/operators/ZeroEx/ZeroExOperator.sol#L17
Tools Used
Visual Studio Code, Remix
Recommended Mitigation Steps
Add the "Ownable" import at line 3 Add "Ownable" at line 12 Replace "msg.sender" with "_msgSender()" at line 17.