using tx.origin in access control checks #209

joanthecoder · 2025-07-30T03:08:34Z

joanthecoder
Jul 30, 2025

Is using tx.origin in access control checks still considered a security risk in EVM smart contracts? I’m reading old posts saying to avoid it but wanted to confirm if that’s still true today.

Answered by marceontech

Jul 30, 2025

Yes, it's still considered a serious security risk.
Using tx.origin in access control is unsafe because any contract that your user interacts with can trigger your contract, meaning that malicious contracts could trick users into executing actions as if they were authorized.

The correct approach is to use msg.sender, which refers to the direct caller of the function, not the origin of the full transaction.

Best practice: never use tx.origin for authorization logic, this hasn't changed.

View full answer

marceontech · 2025-07-30T03:20:33Z

marceontech
Jul 30, 2025

Yes, it's still considered a serious security risk.
Using tx.origin in access control is unsafe because any contract that your user interacts with can trigger your contract, meaning that malicious contracts could trick users into executing actions as if they were authorized.

The correct approach is to use msg.sender, which refers to the direct caller of the function, not the origin of the full transaction.

Best practice: never use tx.origin for authorization logic, this hasn't changed.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Blockchain Commons, LLC — A “not-for-profit” benefit corporation

using tx.origin in access control checks #209

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Blockchain Commons, LLC — A “not-for-profit” benefit corporation

using tx.origin in access control checks #209

Uh oh!

joanthecoder Jul 30, 2025

Replies: 1 comment

Uh oh!

marceontech Jul 30, 2025

joanthecoder
Jul 30, 2025

marceontech
Jul 30, 2025