Use of Insecure Function

Why is this important?

tx.origin is a global variable in Solidity which returns the address of the account that sent the transaction. Using the variable for authorization could make a contract vulnerable if an authorized account calls into a malicious contract. A call could be made to the vulnerable contract that passes the authorization check since tx.origin returns the original sender of the transaction which in this case is the authorized account.

Avoid Using Insecure Function

Option A: Avoid Use of tx.origin

1. Go through the issues that GuardRails identified in the PR.
2. Identify the code that looks like this:

  pragma solidity 0.4.24;

  contract MyContract {
    address owner;

    function MyContract() public {
      owner = msg.sender;
    }

    function sendTo(address receiver, uint amount) public {
      /* Note that this the insecure use of tx.origin */
      require(tx.origin == owner);
      receiver.transfer(amount);
    }
  }

4. Remove the tx.origin and authorize using msg.sender() instead.
5. Test it
6. Ship it 🚢 and relax 🌴

More information

• Smart Contract Weakness Classification (SWC 115)
• Common Weakness Enumeration (CWE-477)
• Smart Contract Best Practices - Avoid using tx-origin