tx.origin vs msg.sender

David Kathoh
2 min readSep 3, 2021

I have been recently playing ethernaut web3/solidity game, on level 4 I wasted a couple of minutes to understand the difference between tx.origin and msg.sender which are in build global variables in solidity.

According to solidity documentation tx.origin holds the address of the sender of the transaction and msg.sender holds the address of the sender of the message. So what does this really mean?

msg.sender: Refers to the address of an account or a smart contract which is directly calling a smart contract’s function.

tx.origin: Refers to the address of an account which is calling a smart contract’s function, only account address can be tx.origin.

A picture is worth a thousand words

As you may notice, both account address and smart contract address can be msg.sender but tx.origin will always be the account/wallet address.

It is highly recommended to always using msg.sender for authorization or for checking the address that is calling a smart contract. And never use tx.origin for authorization, as this could make a contract vulnerable to phishing attacks.

THORChain recently lost $8m, yes 8 millions dollars in an attack due to a misuse of tx.origin, always double check how tx.origin is used in a smart contract, Bye 👋 .

Reference

https://medium.com/@nicolezhu/ethernaut-lvl-4-walkthrough-how-to-abuse-tx-origin-msg-sender-ef37d6751c8

--

--