J_4 onlyEOA modifier [high]
usgeeus opened this issue · 2 comments
usgeeus commented
Configuration
- Severity: high
- Confidence: high
Lines of Code
Description
The onlyEOA modifier can be bypassed if an interacting smart contract has the code written inside its constructor.
reference
Recommendation
The recommended way to prevent this is to change the onlyEOA() modifier to use require(msg.sender == tx.origin, ".."). This ensures that only an EOA address, and not a contract address, can pass the check, because tx.origin will always refer to the original sender of the transaction, which must be an EOA.
require(msg.sender == tx.origin)
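The two forms of the modifier side by side, as an added illustration that is not the audited project's code. It assumes the original onlyEOA relied on an extcodesize check (the usual pattern that a constructor bypasses, since a contract's runtime bytecode is only stored after its constructor returns); the contract and function names are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. Assumes the audited onlyEOA
// modifier was implemented with extcodesize, which is the common form
// that can be satisfied from inside a contract's constructor.
contract EOAGateExample {
    mapping(address => bool) public claimed;

    // Vulnerable form (assumed original): extcodesize(msg.sender) is 0
    // while the caller's constructor is still executing, because the
    // runtime bytecode is written to the account only after the
    // constructor finishes. A call made from a constructor therefore
    // looks like an EOA to this check.
    modifier onlyEOAUnsafe() {
        uint256 size;
        address sender = msg.sender;
        assembly {
            size := extcodesize(sender)
        }
        require(size == 0, "not EOA");
        _;
    }

    // Hardened form recommended in the issue: tx.origin is always the
    // externally owned account that signed the transaction, so it equals
    // msg.sender only when no contract sits between the signer and this
    // function. A contract under construction cannot satisfy it, because
    // msg.sender is the new contract's address while tx.origin remains the
    // deploying EOA.
    modifier onlyEOA() {
        require(msg.sender == tx.origin, "not EOA");
        _;
    }

    // Placeholder for the protected action; only the modifier matters here.
    function claimUnsafe() external onlyEOAUnsafe {
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
    }

    function claim() external onlyEOA {
        require(!claimed[msg.sender], "already claimed");
        claimed[msg.sender] = true;
    }
}
```

One trade-off to keep in mind when adopting the tx.origin form: it also rejects calls that legitimately pass through a contract, such as multisig or smart-contract wallets, so the check should only be used where excluding every contract caller is the intended behaviour.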
usgeeus commented
Solved, closing this issue.