Tx Origin

What it detects

This detector scans for contracts that reference tx.origin when checking permissions or determining behavior. Because tx.origin is the externally owned account that started the call chain, not the address that made the current call, it cannot be used to authenticate the immediate caller.

Typical symptoms

  • require(tx.origin == owner) or similar statements
  • Contract addresses derived using tx.origin

Solidity snippet (v0.8.25)

pragma solidity ^0.8.25;

contract OriginCheck {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function access() external {
        // Unsafe authorization: passes for any call chain started by the
        // owner's EOA, including one routed through an untrusted contract
        require(tx.origin == owner, "forbidden");
    }
}

Why it matters on EVM

Using tx.origin exposes contracts to phishing attacks where a privileged user is tricked into initiating a transaction that indirectly invokes the vulnerable contract through an intermediary contract. At that point tx.origin still equals the user's address, so the check passes even though the immediate caller is the intermediary. Authorization should compare msg.sender, which identifies the direct caller, rather than tx.origin.
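The same contract hardened to authorize on msg.sender, as an added example that is not part of the original page; the Relay contract is a hypothetical intermediary included only to show why the two checks behave differently on an indirect call:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.25;

// Hardened counterpart of OriginCheck: authorization is based on
// msg.sender, the immediate caller, so a transaction that reaches this
// contract through another contract is rejected even when the owner's
// EOA originated it.
contract SenderCheck {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        // msg.sender is the direct caller (EOA or contract), not the
        // transaction originator, so it cannot be inherited via a relay.
        require(msg.sender == owner, "forbidden");
        _;
    }

    function access() external onlyOwner returns (bool) {
        return true;
    }
}

// Hypothetical intermediary (assumed for illustration). If the owner
// calls Relay.forward(), tx.origin inside SenderCheck.access() is still
// the owner, but msg.sender is the Relay address, so the hardened check
// reverts with "forbidden". The original OriginCheck.access() would
// have accepted the same indirect call.
contract Relay {
    function forward(SenderCheck target) external returns (bool) {
        return target.access();
    }
}
```

Deploy both from the owner's account and call Relay.forward(senderCheck) to confirm the revert; calling SenderCheck.access() directly from the owner succeeds.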