My original proxy contract and impl contract were written in v4.6.0.
I added a simple setter function and deployed a new implementation contract without adding any variables. However, since I was using Remix, it got deployed with version 5.0.0 in Remix. When I used `upgradeToAndCall(new_impl_address, "0x")` on a smart contract originally deployed with version 4.6.0, the contract stopped working completely. (All values are 0 and false. Some functions like `initialize` and `setApprovalForAll` go through, but if you check the transaction gas, it is 23000, which means it was not executed properly.)
The owner address now shows as 0x, and calling `upgradeToAndCall` results in an `OwnableUnauthorizedAccount` error. Is there any way to roll back the implementation contract? This is urgent as user funds are locked in the contract.
Found this article.
How is this possible? I mean, you can lose everything.
I need a response from the team.
Please email security@openzeppelin.com and provide all relevant information so that we can help assess the issue. This may include the addresses you are using, what network(s) and the contract code before and after the upgrade.
Is there a way to roll back this situation? The initialize function is also not functioning as expected.
You once said this in this article (Problem with UUPS Proxy Upgrade: UUPSUnauthorizedCallContext Error When Using `upgradeToAndCall` in OpenZeppelin 5.0.0 - #6 by ericglau):
The only possible recovery that I can think of might be to call your `initialize` function via the proxy to set yourself as the owner in the 5.0.0 storage layout (otherwise the owner is the zero address due to the different storage layouts). Then call `upgradeToAndCall` to revert back to the old implementation, which will go back to the 4.x.x storage layout. However, this might not work or cause some fields to be rewritten if your initializer also writes to your own storage.
But calling the `initialize` function in this case is not working at all. Can you please guide me through this problem? I need your help.
Sorry about your issue. I hope security@openzeppelin.com can help you. Everything depends on how you used/implemented the initializer and upgrade functions.
A piece of simple advice: Please avoid making changes/calls directly to your contract/proxy on the mainnet, as this could hinder or block potential solutions. It's better to contact the security team. While waiting, you might debug and experiment on a forked copy of the mainnet using Remix or Hardhat: https://hardhat.org/hardhat-network/docs/guides/forking-other-networks