msg.sender != tx.origin check in __activateTstore() is no longer safe after EIP-7702 #5

@MiloTruck

__activateTstore() has the following check to avoid re-entrancy issues:

// Ensure this function is triggered from an externally-owned account.
if (msg.sender != tx.origin) {
    revert OnlyDirectCalls();
}

I believe this check is no longer safe once EIP-7702 goes live, since it becomes possible for an EOA to contain code. An EOA can call its own address, which then calls __activateTstore().

It would be safer to ensure the caller has no code instead (i.e. msg.sender.code.length == 0).
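
The call paths described in this issue, as an added example that is not code from the issue or the project: a toy Python model of `tx.origin`, `msg.sender` and account code under EIP-7702, evaluating both the quoted check and the suggested one. The addresses, the `STATE` table and every function name are constructed for illustration.

```python
# Toy model of caller identity under EIP-7702 (added illustration, not project code).
DELEGATION_PREFIX = bytes.fromhex("ef0100")  # designator is 0xef0100 || 20-byte address

# Constructed sample accounts: address -> code (a missing entry means no code).
ALICE, BOB, ROUTER = "0xa11ce", "0xb0b", "0xc0de"
STATE = {
    ROUTER: bytes.fromhex("6000"),  # ordinary contract, placeholder bytecode
    BOB: DELEGATION_PREFIX + bytes.fromhex("00" * 18 + "1337"),  # delegated EOA
}


def msg_sender(state, origin, hops):
    """Return msg.sender at the guarded function when the transaction signed by
    `origin` executes the code of each address in `hops` before the final call."""
    sender = origin
    for addr in hops:
        if not state.get(addr):
            raise ValueError(f"{addr} has no code, so it cannot make the call")
        sender = addr
    return sender


def origin_check(origin, sender):
    """The check quoted in the issue: passes when msg.sender == tx.origin."""
    return sender == origin


def code_check(state, sender):
    """The check suggested in the issue: passes when msg.sender has no code."""
    return len(state.get(sender, b"")) == 0


def evaluate(state, origin, hops):
    """Return (origin_check passed, code_check passed) for one call path."""
    sender = msg_sender(state, origin, hops)
    return origin_check(origin, sender), code_check(state, sender)


if __name__ == "__main__":
    cases = [
        ("plain EOA, direct call", ALICE, []),
        ("plain EOA via contract", ALICE, [ROUTER]),
        ("delegated EOA calling its own address", BOB, [BOB]),
    ]
    for label, origin, hops in cases:
        print(f"{label}: {evaluate(STATE, origin, hops)}")
```

Only the third path separates the two checks: `msg.sender` equals `tx.origin` there even though the caller is running code, while its 23-byte delegation designator makes the code-length check fail.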
