How to test upgradeability for proxies

ericglau · December 2, 2022, 2:19pm

Does this imply having _disableInitializers(); in the constructor is a new standard way or at least recommended way of using UUPSUpgradeable compliant logic contract?

Yes, this is recommended as described in https://docs.openzeppelin.com/contracts/4.x/api/proxy#Initializable

The OZ already fixed the problem by adding onlyProxy modifier to upgrade functions. This means nobody can call upgradeToAndCall on the implementation. What other risks do you see if you leave implementation uninitialized?

You are correct that the previous UUPS vulnerability was fixed by restricting the upgrade functions to onlyProxy, but disabling initializers is still recommended as a best practice to provide an extra layer of protection against these types of attacks.

Topic		Replies	Views
Initializing upgraded contracts Upgrades upgrades	1	729	September 7, 2022
Doesn't deployProxy() initialize the implementation contract? Upgrades	11	2149	September 5, 2023
How to deploy contract without proxies with proxies way Smart Contracts	2	436	April 8, 2022
Upgradeable Contracts - call initialize() after deployment Smart Contracts erc20 , erc721 , proxies	1	408	September 6, 2022
ERC20 Wizard, Upgradeable, Constructor, _disableInitializers() Security	0	776	June 2, 2022

How to test upgradeability for proxies

Related topics