msg.sender

msg.sender is a global variable in Solidity that returns the address of the immediate caller of the current function. It is the standard and recommended way to perform access control checks in smart contracts.

How msg.sender Works

msg.sender changes at each step in a call chain, always reflecting who directly made the current call:

1// Call chain: EOA -> ContractA -> ContractB
2
3// Inside ContractA:
4// msg.sender == EOA
5
6// Inside ContractB:
7// msg.sender == ContractA (not the EOA)

msg.sender for Access Control

msg.sender is the correct way to verify who is calling a function:

1contract Vault {
2    address public owner;
3
4    constructor() {
5        owner = msg.sender; // Deployer becomes owner
6    }
7
8    modifier onlyOwner() {
9        require(msg.sender == owner, "Not owner");
10        _;
11    }
12
13    function withdraw(uint256 amount) external onlyOwner {
14        payable(msg.sender).transfer(amount);
15    }
16}

Unlike tx.origin, msg.sender cannot be spoofed through intermediary contract calls. If a malicious contract calls withdraw, msg.sender will be the malicious contract's address — not the original EOA — so the onlyOwner check correctly reverts.

msg.sender vs tx.origin

Common Patterns Using msg.sender

1// Ownership check
2require(msg.sender == owner, "Not owner");
3
4// Role-based access
5require(hasRole(ADMIN_ROLE, msg.sender), "Not admin");
6
7// Balance tracking
8balances[msg.sender] += msg.value;
9
10// Event logging
11emit Transfer(msg.sender, recipient, amount);

Best Practice

Always use msg.sender — not tx.origin — for authorization and identity checks in smart contracts. This is one of the most fundamental Solidity security patterns.