On March 12, 2026, a seemingly mundane bug — using msg.sender in one place and _msgSender() in another — cost DBXen $149K across Ethereum and BNB Chain. The attacker didn't need a flash loan. Didn't need to manipulate an oracle. They just needed the protocol to disagree with itself about who was calling.
This is a post-mortem, a pattern catalog, and a detection guide rolled into one.
The Setup: ERC2771 and Meta-Transactions
ERC2771 is the standard for gasless meta-transactions. A trusted forwarder relays a user's signed transaction, and the receiving contract extracts the real sender from the calldata tail instead of trusting msg.sender (which would be the forwarder's address).
The pattern looks like this:
function _msgSender() internal view override returns (address sender) {
if (isTrustedForwarder(msg.sender)) {
// Extract real sender from last 20 bytes of calldata
assembly {
sender := shr(96, calldataload(sub(calldatasize(), 20)))
}
} else {
return msg.sender;
}
}
When you inherit from ERC2771Context, every function that needs to know "who called me" must use _msgSender() instead of msg.sender. Mix them up, and you get two different answers in the same transaction.
The DBXen Bug: Two Identities, One Transaction
DBXen is a burn-to-earn protocol: users burn XEN tokens and earn DXN rewards proportional to their contribution across staking cycles.
The vulnerability was in the interaction between burnBatch() and the reward settlement logic:
// burnBatch() — correctly uses _msgSender()
function burnBatch(uint256 amount) external {
address user = _msgSender(); // ✅ Correct: gets real user
xenToken.burn(user, amount);
userBurnRecord[user] += amount;
_updateCycleData(user, amount);
}
But the reward claim path referenced msg.sender:
// claimRewards() — incorrectly uses msg.sender
function claimRewards(uint256 cycle) external {
address user = msg.sender; // ❌ Bug: gets forwarder address
uint256 reward = _calculateReward(user, cycle);
// ... settlement logic
}
When a meta-transaction came through the trusted forwarder:
-
burnBatch()credited the real user's burn record -
claimRewards()looked up the forwarder's address — which had no active cycle markers
The attacker exploited this gap: by routing transactions through the forwarder in a specific sequence, they could make a brand-new address appear as if it had been staking for 1,085 cycles, claiming accumulated fee income from the entire history of the protocol.
Result: 65.28 ETH drained + 2,305 DXN tokens minted from thin air.
Why This Bug Class Is Systemic
The DBXen exploit isn't an isolated incident. ERC2771 sender confusion has been a recurring vulnerability:
| Year | Protocol | Loss | Root Cause |
|---|---|---|---|
| 2023 | Multiple (via Thirdweb) | $0 (preemptive) |
_msgSender()/msg.sender mismatch in ERC20/721 |
| 2024 | Socket Gateway | $3.3M | Inconsistent sender in approval flow |
| 2026 | DBXen | $149K | Burn vs. reward path sender mismatch |
The pattern is always the same: one function asks "who are you?" correctly, another asks incorrectly, and the attacker exploits the disagreement.
Detection: How to Catch This Before Deployment
1. Static Analysis with Slither
Slither's msg-sender-in-erc2771 detector flags direct msg.sender usage in contracts that inherit ERC2771Context:
slither . --detect msg-sender-in-erc2771
If your project doesn't trigger this detector, check whether you're using a custom meta-transaction implementation that Slither doesn't recognize. Write a custom detector:
from slither.detectors.abstract_detector import AbstractDetector, DetectorClassification
from slither.core.declarations import Function
class MsgSenderInERC2771(AbstractDetector):
ARGUMENT = "custom-msg-sender-erc2771"
HELP = "Detects msg.sender in ERC2771-aware contracts"
IMPACT = DetectorClassification.HIGH
CONFIDENCE = DetectorClassification.MEDIUM
def _detect(self):
results = []
for contract in self.compilation_unit.contracts:
if not self._is_erc2771_aware(contract):
continue
for function in contract.functions:
if function.name == "_msgSender":
continue
for node in function.nodes:
if self._uses_raw_msg_sender(node):
info = [
function, " uses msg.sender instead of _msgSender()\n"
]
results.append(self.generate_result(info))
return results
2. Semgrep Rules
Write a Semgrep rule to catch the pattern across your codebase:
rules:
- id: erc2771-msg-sender-inconsistency
patterns:
- pattern: msg.sender
- pattern-not-inside: |
function _msgSender() ... { ... }
- pattern-inside: |
contract $C is ... ERC2771Context ... {
...
}
message: "Direct msg.sender usage in ERC2771-aware contract. Use _msgSender() instead."
severity: ERROR
languages: [solidity]
3. Manual Audit Checklist
When reviewing ERC2771-compatible contracts, check every occurrence of:
- [ ]
msg.sender— should it be_msgSender()? - [ ]
msg.data— should it be_msgData()? - [ ] Callback functions invoked by external contracts — do they correctly propagate sender context?
- [ ] Cross-contract calls — does the called contract also support ERC2771?
- [ ] Access control modifiers — do
onlyOwner,onlyRoleetc. use_msgSender()?
4. Fuzzing with Foundry
Write a targeted fuzz test that routes the same action through both direct calls and the trusted forwarder, then asserts identical state changes:
function testFuzz_senderConsistency(uint256 amount) public {
amount = bound(amount, 1, 1e24);
// Direct call
vm.prank(alice);
protocol.burnBatch(amount);
uint256 directRecord = protocol.userBurnRecord(alice);
// Reset
// ...
// Meta-transaction via forwarder
bytes memory data = abi.encodeCall(protocol.burnBatch, (amount));
bytes memory forwardData = abi.encodePacked(data, alice);
vm.prank(address(trustedForwarder));
(bool success,) = address(protocol).call(forwardData);
assertTrue(success);
uint256 metaTxRecord = protocol.userBurnRecord(alice);
assertEq(directRecord, metaTxRecord, "Sender inconsistency detected");
}
The Broader Lesson: Identity Is a Protocol-Wide Invariant
The DBXen exploit teaches a principle that extends beyond ERC2771:
Every function in your protocol must agree on who the caller is.
This applies to:
-
ERC2771 meta-transactions (
_msgSender()vsmsg.sender) -
Account abstraction (ERC-4337) —
msg.senderis the EntryPoint, not the user - Cross-chain messages — the "sender" depends on the bridge's encoding
-
Multicall patterns —
msg.senderinsidedelegatecallmay surprise you
If your protocol has any indirection between "the human who initiated this" and "the address that called this function," you need a consistent identity resolution strategy — and tests that prove it holds across every code path.
Mitigation Template
For teams using ERC2771, here's a minimal safeguard:
abstract contract StrictERC2771Context is ERC2771Context {
/**
* @dev Override to make msg.sender usage a compile-time decision.
* Any function needing the caller MUST use _msgSender().
* Consider adding a linter rule to enforce this.
*/
modifier senderAware() {
// This modifier exists purely as documentation and grep-ability.
// Pair with CI checks that flag msg.sender in non-exempt functions.
_;
}
}
Better yet: use a pre-commit hook or CI step that fails the build if msg.sender appears outside _msgSender() in any ERC2771-inheriting contract.
Timeline
- March 12, 2026 ~14:23 UTC — Exploit transactions detected by BlockSec Phalcon on Ethereum
- March 12, 2026 ~14:41 UTC — Second wave on BNB Chain
- March 12, 2026 ~15:00 UTC — Community alerts circulate
- Total loss: ~$149K (65.28 ETH + 2,305 DXN)
Key Takeaways
-
_msgSender()isn't optional — if you inherit ERC2771Context, every sender reference must go through it - Static analysis catches this — Slither, Semgrep, and custom detectors can flag the pattern automatically
- Fuzz both paths — test that direct calls and meta-transactions produce identical state changes
- Identity is a cross-cutting concern — treat it like access control: audit it everywhere, not just at the entry point
The ERC2771 sender confusion bug class is one of those vulnerabilities that's embarrassingly simple in hindsight but catastrophic in production. The fix is straightforward. The hard part is remembering to check every single function. Automation is your friend here — let the tools do the remembering.
Top comments (0)