msg.sender, but it is vulnerable.
tx.origin, not contract address
tx.origin is our Metamask wallet address. When
msg.sender is the address of the
TelephoneAttack contract. This satisfies the
if (tx.origin != msg.sender) check and thus
owner will be updated to the
_owner argument we passed into the
tx.origin to determine whose tokens to transfer, e.g.
tx.origin will be the victim's address (while
msg.sender will be the malicious contract's address), resulting in the funds being transferred from the victim to the attacker.
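
The token-transfer case described above, as an added example that is not part of the original page: a constructed ExampleToken contract (the contract, function and event names are hypothetical) with the tx.origin-based debit beside the msg.sender-based correction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example; ExampleToken and its function names are hypothetical.
contract ExampleToken {
    mapping(address => uint256) public balances;

    event Transfer(address indexed from, address indexed to, uint256 amount);

    constructor(uint256 initialSupply) {
        balances[msg.sender] = initialSupply;
    }

    // Weak form: the debited account is tx.origin, the externally owned
    // account that signed the transaction. If that account calls any
    // intermediate contract, the intermediate contract can call this
    // function and tx.origin is still the signer, so the signer's balance
    // is debited without the signer ever calling the token directly.
    function transferWeak(address to, uint256 amount) external {
        _move(tx.origin, to, amount);
    }

    // Corrected form: the debited account is msg.sender, the immediate
    // caller. An intermediate contract can only spend its own balance.
    function transfer(address to, uint256 amount) external {
        _move(msg.sender, to, amount);
    }

    // Shared bookkeeping so the two entry points differ only in which
    // address they treat as the account holder.
    function _move(address from, address to, uint256 amount) private {
        require(to != address(0), "zero recipient");
        require(balances[from] >= amount, "insufficient balance");
        balances[from] -= amount;
        balances[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

When auditing, any use of tx.origin to select an account or authorize an action deserves the same scrutiny as transferWeak here.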