A place for talking about the Ethereum Virtual Machine on Farcaster.

Help me I had a stupid idea but I cant explain why it's stupid: could tx.origin be used instead of explicit approvals for authorizing token transfers? Like iff you initiate a transaction your tokens are all unlocked

Auditoooor at ChainSecurity
—
EPFL Cybersec MSc.
—
CTF player w/ 0rganizers
—
Hacker & Cypherpunk
—
🌸

This seems pretty dangerous because arbitrary contract calls could drain you.

Whereas rn you need to explicitly approve spenders

For example someone makes an airdrpp contract that gives you free X but also drains u

i think asking for approval at least has widespread wallet support and a straightforward check

i think this greatly increases the attack surface--think about it, you'd have to vet literally the entire callstack of everything you call every single time

- try to claim tokens, boom drained
- try to mint nfts, boom drained
- try to register ens, boom drained

it makes literally every interaction you make potentially adversarial (!!!)

it also doesn't help in a smart contract wallet centric world with paymasters if tx origin isn't the caller

That's true, but there are also phishing techniques inherent to the road we've taken, namely EIP-2612 phishing, increaseAllowance, Permit2, or straight up asking for approval and hoping the user gets confused. In the big picture I think people would get phished either way