code-423n4 / 2023-11-canto-findings


Use `msg.sender` instead of `tx.origin` #429

Open c4-submissions opened 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L91

Vulnerability details

Using `tx.origin` can lead to security vulnerabilities. It's generally safer to use `msg.sender` for authentication purposes.

```solidity
constructor(string memory _uri, address _paymentToken) ERC1155(_uri) Ownable() {
    token = IERC20(_paymentToken);

    if (block.chainid == 7700 || block.chainid == 7701) {
        // Register CSR on Canto main- and testnet
        Turnstile turnstile = Turnstile(0xEcf044C5B4b867CFda001101c617eCd347095B44);
        turnstile.register(msg.sender);
    }
}
```

Assessed type

Access Control
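An added example, not part of the submission or the Canto code base, showing how the address passed to a registry call in a constructor differs between `tx.origin` and `msg.sender` once deployment goes through an intermediate contract. `MockTurnstile`, `RegistersOrigin`, `RegistersSender` and `Factory` are hypothetical names; the mock only records the recipient it is given.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for a registry such as Turnstile: it only stores
// the recipient argument so the two variants can be compared.
contract MockTurnstile {
    address public lastRecipient;

    function register(address recipient) external returns (uint256) {
        lastRecipient = recipient;
        return 1; // constructed token id
    }
}

// Variant A: registers tx.origin, the externally owned account (EOA)
// that signed the transaction, however deep the call chain is.
contract RegistersOrigin {
    constructor(MockTurnstile t) {
        t.register(tx.origin);
    }
}

// Variant B: registers msg.sender, the immediate caller of the
// constructor (an EOA on direct deployment, otherwise a contract).
contract RegistersSender {
    constructor(MockTurnstile t) {
        t.register(msg.sender);
    }
}

// Hypothetical factory: deploying through it puts a contract between
// the signing EOA and the constructor.
contract Factory {
    MockTurnstile public turnstile = new MockTurnstile();

    function deployBoth() external returns (address viaOrigin, address viaSender) {
        new RegistersOrigin(turnstile);
        viaOrigin = turnstile.lastRecipient(); // EOA that called deployBoth()

        new RegistersSender(turnstile);
        viaSender = turnstile.lastRecipient(); // address(this), the factory
    }
}
```

When an EOA deploys either variant directly, both record the same address; the values diverge only when a factory, multisig or other contract performs the deployment, which is the case a reviewer should check against the intended recipient.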

c4-pre-sort commented 10 months ago

minhquanym marked the issue as primary issue

c4-pre-sort commented 10 months ago

minhquanym marked the issue as insufficient quality report

minhquanym commented 10 months ago

QA

c4-judge commented 9 months ago

MarioPoneder changed the severity to QA (Quality Assurance)

c4-judge commented 9 months ago

MarioPoneder marked the issue as grade-b