Platform: Code4rena
Start Date: 13/11/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 120
Period: 4 days
Judge: 0xTheC0der
Id: 306
League: ETH
Rank: 86/120
Findings: 1
Award: $4.08
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: chaduke
Also found by: 0xpiken, Bauchibred, Matin, MohammedRizwan, MrPotatoMagic, OMEN, Pheonix, SandNallani, T1MOH, Topmark, ZanyBonzy, adriro, aslanbek, ayden, bareli, bart1e, bin2chen, btk, cheatc0d3, codynhat, critical-or-high, d3e4, erebus, firmanregar, hunter_w3b, jasonxiale, kaveyjoe, ksk2345, lsaudit, max10afternoon, merlinboii, nailkhalimov, osmanozdemir1, peanuts, pep7siup, pontifex, sbaudh6, shenwilly, sl1, tourist, wisdomn_, young, zhaojie
4.0797 USDC - $4.08
https://github.com/code-423n4/2023-11-canto/blob/main/asD/src/asDFactory.sol#L29
The constructor registers tx.origin in the Turnstile contract. Using tx.origin can be a security risk because it always refers to the original sender of the transaction, not the current contract calling another contract. This can lead to potential attacks where a malicious contract tricks a user into initiating a transaction, and then the malicious contract becomes the tx.origin.
turnstile.register(tx.origin);
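An added example, not part of the submitted finding or the Canto code base: it contrasts a constructor that calls `turnstile.register(tx.origin)` with one that takes the recipient as a parameter, when deployment goes through an intermediate contract. `MockTurnstile`, `FactoryTxOrigin`, `FactoryExplicit`, `Deployer`, `csrRecipient` and `treasury` are hypothetical names, and the mock is a simplified stand-in for Turnstile that only records the recipient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interface: only the call shown in the finding.
interface ITurnstile {
    function register(address recipient) external returns (uint256);
}

// Constructed stand-in for Turnstile: remembers which recipient each
// registering contract (msg.sender) supplied.
contract MockTurnstile is ITurnstile {
    mapping(address => address) public recipientOf;
    uint256 private nextId;

    function register(address recipient) external returns (uint256) {
        recipientOf[msg.sender] = recipient;
        return nextId++;
    }
}

// Pattern from the finding: the recipient is the account that signed the
// deployment transaction, whatever contract actually performed the deploy.
contract FactoryTxOrigin {
    constructor(ITurnstile turnstile) {
        turnstile.register(tx.origin);
    }
}

// Alternative: the deployer states the recipient, and an unset value is rejected.
contract FactoryExplicit {
    constructor(ITurnstile turnstile, address csrRecipient) {
        require(csrRecipient != address(0), "recipient unset");
        turnstile.register(csrRecipient);
    }
}

// Deployment through an intermediate contract (multisig, deploy helper, CREATE2 factory).
contract Deployer {
    function deployBoth(ITurnstile turnstile, address treasury)
        external
        returns (address viaOrigin, address viaExplicit)
    {
        // Registered recipient is the signing EOA, not this contract and not `treasury`.
        viaOrigin = address(new FactoryTxOrigin(turnstile));
        // Registered recipient is `treasury`, independent of who signed.
        viaExplicit = address(new FactoryExplicit(turnstile, treasury));
    }
}
```

After calling `deployBoth`, reading `recipientOf` on the mock for each returned address shows which account each constructor registered.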
Context
#0 - c4-pre-sort
2023-11-20T02:24:10Z
minhquanym marked the issue as duplicate of #429
#1 - c4-judge
2023-11-29T16:01:41Z
MarioPoneder changed the severity to QA (Quality Assurance)
#2 - c4-judge
2023-11-29T21:15:58Z
MarioPoneder marked the issue as grade-b