Inspired by OpenZeppelin's Ethernaut, Telephone Level
The contract's source code is given below.
- Claim ownership of the contract.
Hint:
- solhint will give you information where your attention is required.
- Difference between tx.origin vs msg.sender
Never use tx.origin for authorization. 🤔
What is tx.origin? And what is the difference from msg.sender?
See the description in the Solidity docs.
tx.origin:
- The original user wallet that initiated the transaction
- The origin address of potentially an entire chain of transactions and calls
- Only user wallet addresses can be the tx.origin
- A contract address can never be the tx.origin
msg.sender:
- The immediate sender of this specific transaction or call
- Both user wallets and smart contracts can be the msg.sender
Example: where tx.origin and msg.sender are observed from the point of view of the very last node in a chain of calls.
Tip: msg.sender checks where the external function call directly came from. msg.sender is typically who you want to authenticate. 😄
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

contract Telephone {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function changeOwner(address _owner) public {
        // The only "check" compares tx.origin to msg.sender; it never consults owner.
        if (tx.origin != msg.sender) {
            owner = _owner;
        }
    }
}
```
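The following is an added example (not Ethernaut's code and not part of this repo): a small probe contract plus a relay that together show why tx.origin and msg.sender diverge after one extra hop, and a hardened Telephone whose authorization compares msg.sender with the stored owner instead of testing tx.origin. Contract and function names are my own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

// Added example, not the original level's code.
contract CallerProbe {
    // Reports (tx.origin, msg.sender) exactly as this contract observes them.
    function whoCalled() external view returns (address origin, address sender) {
        return (tx.origin, msg.sender);
    }
}

contract Relay {
    // One extra hop. For wallet W -> Relay -> CallerProbe, the probe sees
    // origin == W but sender == address(this): tx.origin is the wallet for the
    // whole chain, msg.sender is only the immediate caller.
    function probe(CallerProbe p) external view returns (address origin, address sender) {
        return p.whoCalled();
    }
}

// Hardened variant of Telephone. The original guard `tx.origin != msg.sender`
// is not an ownership check at all: it only tests whether the call arrived via
// another contract, so any relayed call passes it. Authorization must compare
// msg.sender, the immediate caller, with the stored owner.
contract TelephoneFixed {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
    error NotOwner(address caller);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    function changeOwner(address _owner) external onlyOwner {
        require(_owner != address(0), "new owner is the zero address");
        emit OwnershipTransferred(owner, _owner);
        owner = _owner;
    }
}
```

Running solhint on TelephoneFixed no longer reports the avoid-tx-origin warning, and a relayed changeOwner call now reverts with NotOwner instead of succeeding.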
Setup (skip the install steps if you have already installed them):
```shell
npm install -g truffle
yarn install
truffle develop
# inside the truffle(develop) console:
test
```
You should take ownership of the target contract successfully.
```
truffle(develop)> test
Using network 'develop'.

Compiling your contracts...
===========================
> Everything is up to date, there is nothing to compile.

  Contract: Hacker
    √ should change owner (297ms)

  1 passing (373ms)
```