Solidity Attack Vector #2: Tx.Origin for Authentication
SecurityInfinity Research
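tx.origin is a global variable that returns the address that originally sent the transaction. It keeps that value through every nested call, unlike msg.sender, which is the immediate caller of the current function.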
The Phishing Attack
If a contract uses tx.origin for authentication, an attacker can trick the owner into calling a malicious contract, which then calls the protected contract. Because the owner's account started the transaction, the protected contract sees the owner as tx.origin and allows the malicious action, even though its direct caller is the malicious contract.
Defense
Always use msg.sender for authentication.
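The check described above next to its msg.sender replacement, as an added example that is not code from the original article. All contract and function names are hypothetical, and Intermediary is a test helper for observing how the two checks differ when a contract sits between the owner and the wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: all contract and function names are hypothetical.

interface IWallet {
    function transfer(address payable to, uint256 amount) external;
}

// Vulnerable: authorizes on tx.origin, the account that started the transaction.
contract TxOriginWallet is IWallet {
    address public immutable owner;

    constructor() payable { owner = msg.sender; }

    function transfer(address payable to, uint256 amount) external {
        // Passes whenever the owner's account started the transaction,
        // even when the direct caller is a contract the owner does not control.
        require(tx.origin == owner, "not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Hardened: authorizes on msg.sender, the immediate caller.
contract MsgSenderWallet is IWallet {
    address public immutable owner;
    error NotOwner(address caller);

    constructor() payable { owner = msg.sender; }

    function transfer(address payable to, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Test helper standing in for any contract between the owner and the wallet.
// Called by the owner: TxOriginWallet pays out, MsgSenderWallet reverts with
// NotOwner(address(this)).
contract Intermediary {
    function relay(IWallet wallet, address payable to, uint256 amount) external {
        wallet.transfer(to, amount);
    }
}
```

In a unit test, deploy both wallets from the same account and call relay against each from that account; only the tx.origin version should release funds.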