Phishing attack exploiting tx.origin

If contract A calls B, and B calls C, then inside C msg.sender is B (the immediate caller) and tx.origin is A (the externally owned account that signed the transaction).

If a contract uses tx.origin to gate access to funds, the rightful owner can be tricked into sending a transaction that passes through an attack contract: the wallet sees tx.origin as the owner and grants the attack contract access. For example, a fake free NFT mint website can get the owner to submit the malicious transaction.

Victim

Attacker

Prevention

  • Use msg.sender instead of tx.origin for access control checks; msg.sender is the immediate caller, so a call relayed through another contract cannot impersonate the owner
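As an added example (not code from the original page), the two wallet contracts below show the tx.origin gate next to its msg.sender replacement; the contract and function names are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// VULNERABLE: authorises on tx.origin. Any contract the owner happens to
// call during a transaction can in turn call transfer() here, and the
// check passes because tx.origin is still the owner who signed it.
contract WalletTxOrigin {
    address public owner;

    constructor() payable {
        owner = msg.sender;
    }

    function transfer(address payable to, uint256 amount) external {
        // Call chain owner -> Intermediary -> this: tx.origin == owner,
        // so the intermediary spends the wallet's funds on the owner's behalf.
        require(tx.origin == owner, "not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// HARDENED: authorises on msg.sender, the immediate caller. In the same
// call chain msg.sender is the intermediary, not the owner, so the
// require() reverts even though the owner signed the outer transaction.
contract WalletMsgSender {
    address public owner;

    constructor() payable {
        owner = msg.sender;
    }

    function transfer(address payable to, uint256 amount) external {
        // Only a direct call from the owner's account satisfies this check.
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

A quick review check for existing code: grep for tx.origin in every require, modifier and if-condition that guards state or value, since the only generally safe use of tx.origin is a test like require(tx.origin == msg.sender) that rejects contract callers outright.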