Access controls based on `tx.origin` are vulnerable to phishing attacks. The attacker may convince the user to send a transaction to an attacker's contract. The attacker's contract may then call the victim's contract with `tx.origin` set to the victim's address.
- An attacker may convince `owner` to send a transaction to the attacker's contract. `tx.origin` will be set to `owner`. The attacker's contract calls `withdraw` on the victim's contract, withdrawing the victim's funds.
Checks based on `tx.origin` may prevent users of ERC-4337 account abstraction from interacting with a contract. In this case, `tx.origin` will not be set to the address of the user operation sender.
- Users using account abstraction will not be able to deposit funds into the contract.
|Report ERC-4337 account abstraction related issues.