Open sherlock-admin2 opened 2 months ago
Escalate
Noticed there were 19 escalations on preliminary valid issues. This is final escalation to make it 20/20 🙂
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
bruh
Planning to reject the escalation and leave the issue as it is.
Result: Medium Has duplicates
bughuntoor
High
Usage of tx.origin to determine the user is prone to attacks

Summary
Usage of tx.origin to determine the user is prone to attacks

Vulnerability Detail
Within core.vy the user on whose behalf it is called is fetched by using tx.origin. This is dangerous, as any time a user calls/interacts with an unverified contract, or a contract which can change implementation, they're put under risk, as the contract can make a call to api.vy and act on the user's behalf. Usage of tx.origin would also break compatibility with Account Abstraction wallets.

Impact
Any time a user calls any contract on the BOB chain, they risk getting their funds lost. Incompatible with AA wallets.

Code Snippet
https://github.com/sherlock-audit/2024-08-velar-artha/blob/main/gl-sherlock/contracts/core.vy#L166

Tool used
Manual Review

Recommendation
Instead of using tx.origin in core.vy, simply pass msg.sender as a parameter from api.vy.
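The call chain described in the report (EOA -> some unrelated contract -> api.vy -> core.vy), modelled as an added Python example that is not the Velar code or part of the original issue; the Core/Api/UntrustedContract classes, the addresses and the balances are constructed stand-ins that only reproduce how tx.origin stays fixed across hops while msg.sender changes at each one.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ctx:
    """EVM call context as seen by one call frame (constructed model)."""
    origin: str  # tx.origin: the EOA that signed the tx; identical in every frame
    sender: str  # msg.sender: the immediate caller; changes on every hop

def hop(ctx: Ctx, caller: str) -> Ctx:
    """Context a callee sees when contract `caller` makes a call."""
    return Ctx(origin=ctx.origin, sender=caller)

class Core:
    """core.vy stand-in; use_origin=True models the reported bug."""
    def __init__(self, api: str, balances: dict, use_origin: bool):
        self.api, self.balances, self.use_origin = api, dict(balances), use_origin

    def withdraw(self, ctx: Ctx, user: str, amount: int) -> str:
        if self.use_origin:
            user = ctx.origin            # bug: trusts whoever signed the tx, at any call depth
        elif ctx.sender != self.api:     # fix: only api.vy may name the acting user
            raise PermissionError("core: caller is not api")
        if self.balances.get(user, 0) < amount:
            raise ValueError(f"core: insufficient balance for {user}")
        self.balances[user] -= amount
        return user

class Api:
    """api.vy stand-in: forwards its own msg.sender as the acting user."""
    def __init__(self, address: str, core: Core):
        self.address, self.core = address, core
    def withdraw(self, ctx: Ctx, amount: int) -> str:
        return self.core.withdraw(hop(ctx, self.address), ctx.sender, amount)

class UntrustedContract:
    """Any third-party contract the user happens to interact with."""
    def __init__(self, address: str, api: Api):
        self.address, self.api = address, api
    def some_unrelated_action(self, ctx: Ctx) -> str:
        return self.api.withdraw(hop(ctx, self.address), 100)  # hidden side effect

def scenario(use_origin: bool) -> tuple:
    """ALICE (an EOA) calls the untrusted contract; returns (outcome, ALICE's balance)."""
    core = Core(api="API", balances={"ALICE": 500}, use_origin=use_origin)
    third = UntrustedContract("THIRD", Api("API", core))
    try:
        outcome = "debited " + third.some_unrelated_action(Ctx(origin="ALICE", sender="ALICE"))
    except (PermissionError, ValueError) as exc:
        outcome = str(exc)
    return outcome, core.balances["ALICE"]
```

With use_origin=True the unrelated call silently debits ALICE; with msg.sender forwarded from api.vy, core.vy acts on the third-party contract's own (empty) balance and ALICE is untouched.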