Story
Your finance engineering team built an on-chain escrow system for paying vendor invoices. Treasury signs payouts from a multisig wallet after approval checks.
A security simulation revealed that payouts can be triggered by a malicious contract during a phishing flow, even when treasury never calls releasePayment directly.
System Context
The runnable Hardhat project includes:
contracts/VendorEscrow.sol: vulnerable payout authorization
contracts/PhishingRelay.sol: attacker relay contract
scripts/demoPhish.js: phishing simulation
contracts/VendorEscrowSafe.sol: secure reference
Expected rule: only the direct treasury caller should execute payout release.
Problem
The payout authorization check relies on the transaction origin rather than the direct caller of the current function frame. In multi-contract call chains, this lets an intermediate contract act on owner-originated transactions even when the owner never called the payout function directly. The result is an authorization bypass through call-chain indirection during phishing-style interaction flows.
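The two kinds of check side by side, as an added example that is not the project's code. The contract names, the release function and its parameters are hypothetical and are not the contents of VendorEscrow.sol or VendorEscrowSafe.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts written for illustration only.

contract OriginCheckedEscrow {
    address public immutable treasury;

    constructor(address treasury_) payable {
        treasury = treasury_;
    }

    function release(address payable vendor, uint256 amount) external {
        // Weak: tx.origin is the account that signed the outermost
        // transaction. It stays the same in every nested call, so this
        // passes for any contract the treasury signer happens to call.
        require(tx.origin == treasury, "not treasury");
        (bool ok, ) = vendor.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract SenderCheckedEscrow {
    address public immutable treasury;

    error NotTreasury(address caller);

    constructor(address treasury_) payable {
        treasury = treasury_;
    }

    function release(address payable vendor, uint256 amount) external {
        // Strict: msg.sender is the immediate caller of this frame.
        // An intermediate contract shows up here as itself and is rejected.
        // This also works when the treasury is a contract wallet (multisig).
        if (msg.sender != treasury) revert NotTreasury(msg.sender);
        (bool ok, ) = vendor.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

When reviewing the project, search the Solidity sources for tx.origin and check whether each use sits inside an access-control condition.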
Goal
Find the exact vulnerable line in the project code.