In ERC2771Context _trustedForwarder shouldn't be immutable

mow · August 19, 2023, 8:44am

See:

OpenZeppelin/openzeppelin-contracts/blob/fd81a96f01cc42ef1c9a5399364968d0e07e9e90/contracts/metatx/ERC2771Context.sol#L13


      
          
          pragma solidity ^0.8.9;
          
          import "../utils/Context.sol";
          
          /**
           * @dev Context variant with ERC2771 support.
           */
          abstract contract ERC2771Context is Context {
              /// @custom:oz-upgrades-unsafe-allow state-variable-immutable
              address private immutable _trustedForwarder;
          
              /// @custom:oz-upgrades-unsafe-allow constructor
              constructor(address trustedForwarder) {
                  _trustedForwarder = trustedForwarder;
              }
          
              function isTrustedForwarder(address forwarder) public view virtual returns (bool) {
                  return forwarder == _trustedForwarder;
              }

github.com

OpenZeppelin/openzeppelin-contracts-upgradeable/blob/0a670d08c1364dd91ed50564405ede08f172ef0e/contracts/metatx/ERC2771ContextUpgradeable.sol#L20


      
          * @dev Context variant with ERC2771 support.
          *
          * WARNING: Avoid using this pattern in contracts that rely in a specific calldata length as they'll
          * be affected by any forwarder whose `msg.data` is suffixed with the `from` address according to the ERC2771
          * specification adding the address size in bytes (20) to the calldata size. An example of an unexpected
          * behavior could be an unintended fallback (or another function) invocation while trying to invoke the `receive`
          * function only accessible if `msg.data.length == 0`.
          */
          abstract contract ERC2771ContextUpgradeable is Initializable, ContextUpgradeable {
             /// @custom:oz-upgrades-unsafe-allow state-variable-immutable
             address private immutable _trustedForwarder;
          
             /**
              * @dev Initializes the contract with a trusted forwarder, which will be able to
              * invoke functions on this contract on behalf of other accounts.
              *
              * NOTE: The trusted forwarder can be replaced by overriding {trustedForwarder}.
              */
             /// @custom:oz-upgrades-unsafe-allow constructor
             constructor(address trustedForwarder_) {
                 _trustedForwarder = trustedForwarder_;

whereas in OpenGSN's version _trustedForwarder isn't immutable:

github.com

opengsn/gsn/blob/83f10a9a11f3f9571709f7e528d37503c8e0f136/packages/contracts/src/ERC2771Recipient.sol#L21


      
          *
          * @notice A base contract to be inherited by any contract that want to receive relayed transactions.
          *
          * @notice A subclass must use `_msgSender()` instead of `msg.sender`.
          */
          abstract contract ERC2771Recipient is IERC2771Recipient {
          
             /*
              * Forwarder singleton we accept calls from
              */
             address private _trustedForwarder;
          
             /**
              * :warning: **Warning** :warning: The Forwarder can have a full control over your Recipient. Only trust verified Forwarder.
              * @notice Method is not a required method to allow Recipients to trust multiple Forwarders. Not recommended yet.
              * @return forwarder The address of the Forwarder contract that is being used.
              */
             function getTrustedForwarder() public virtual view returns (address forwarder){
                 return _trustedForwarder;
             }

... and has the function _setTrustedForwarder to update it:

github.com

opengsn/gsn/blob/83f10a9a11f3f9571709f7e528d37503c8e0f136/packages/contracts/src/ERC2771Recipient.sol#L32


      
          
          /**
           * :warning: **Warning** :warning: The Forwarder can have a full control over your Recipient. Only trust verified Forwarder.
           * @notice Method is not a required method to allow Recipients to trust multiple Forwarders. Not recommended yet.
           * @return forwarder The address of the Forwarder contract that is being used.
           */
          function getTrustedForwarder() public virtual view returns (address forwarder){
              return _trustedForwarder;
          }
          
          function _setTrustedForwarder(address _forwarder) internal {
              _trustedForwarder = _forwarder;
          }
          
          /// @inheritdoc IERC2771Recipient
          function isTrustedForwarder(address forwarder) public virtual override view returns(bool) {
              return forwarder == _trustedForwarder;
          }
          
          /// @inheritdoc IERC2771Recipient
          function _msgSender() internal override virtual view returns (address ret) {

I think it'd be better to remove immutable so that we can have a function to set a new trusted forwarder

Why should a trusted forwarder be hardcoded? Like everything else in life, something or someone that was once trusted may one day no longer be trustworthy, so it should be possible to adapt to such changes.

So without immutable , I'd even make a public setTrustedForwarder function in my contract (and secure it with modifier onlyRole(DEFAULT_ADMIN_ROLE)).

mow · August 19, 2023, 8:50am

I noticed in a previous version that _trustedForwarder was not immutable:

github.com

OpenZeppelin/openzeppelin-contracts-upgradeable/blob/1e6ee7262b8d2e4f069c19bc1cc23a476792b579/contracts/metatx/ERC2771ContextUpgradeable.sol#L12


      
          
          pragma solidity ^0.8.0;
          
          import "../utils/ContextUpgradeable.sol";
          import "../proxy/utils/Initializable.sol";
          
          /*
           * @dev Context variant with ERC2771 support.
           */
          abstract contract ERC2771ContextUpgradeable is Initializable, ContextUpgradeable {
              address _trustedForwarder;
          
              function __ERC2771Context_init(address trustedForwarder) internal initializer {
                  __Context_init_unchained();
                  __ERC2771Context_init_unchained(trustedForwarder);
              }
          
              function __ERC2771Context_init_unchained(address trustedForwarder) internal initializer {
                  _trustedForwarder = trustedForwarder;
              }

Instead of flip-flopping just leave it without immutable.

With the many problems that it has caused and may cause in future, minimizing gas cost isn't a good reason to make it immutable.

barakman · August 19, 2023, 5:27pm

First of all, because a setter function would constitute a centralized aspect of the contract.

Second, because a non-immutable requires storage-reading, which increases the gas cost.

You can inherit OZ contract, and override function trustedForwarder() to return your non-immutable variable instead.

frangio · August 24, 2023, 12:31am

Resharing this answer here:

It's exactly as @barakman said. We prioritized reducing the gas overhead, because reading storage is very expensive and the trusted forwarder has to be read for essentially every function call.

mow · August 24, 2023, 5:08am

Making _trustedForwarder immutable means the address of the trusted forwarder is hardcoded at the time of the deployment of the ERC20 token contract. After some years and thousands of people holding and using the token, say that forwarder gets hacked or no longer works for whatever reason, then what would be the outcome with the token being permanently stuck with the address of a defunct forwarder?

SKYBITDev3 · September 3, 2023, 7:15am

If the token contact is upgradeable then upgrade it, setting a new valid value for forwarder address.

If it's not upgradeable then maybe meta transactions woud have to be disabled for the token.

Try to switch to OpenGSN's implementation of ERC-2771, as they probably have more real-world experience with meta transactions than OpenZeppelin. I think making addresses of external entities immutable is not suitable for real-world applications, because external entities can change without your control in the real world.

SKYBITDev3 · September 3, 2023, 7:17am

I think the consequences of not being able to change the address of a forwarder that has become invalid is worse than some higher gas.

SKYBITDev3 · September 3, 2023, 7:27am

It's funny how the variable is called "trusted" forwarder. In an ideal world, it'd be OK to make the address of a forwarder that is forever-trustworthy immutable.

But in the real world, most things cannot or should not be "forever-trustworthy". So the variable should just be called "forwarder" instead of "trustedForwarder", and the value should be updateable at any time in the future by the contract admin (which would be more trustworthy than an external entity).

SKYBITDev3 · December 9, 2023, 6:03pm

@frangio, in light of the vulnerabilities discovered recently as described in Arbitrary Address Spoofing Attack: ERC2771Context Multicall Public Disclosure published 3d ago, please remove immutable as proposed by @mow in August.

I've created a new issue for it at https://github.com/OpenZeppelin/openzeppelin-contracts/issues/4791

Topic		Replies	Views
How can I call ERC2771ContextUpgradeable's constructor? Upgrades	3	545	November 29, 2022
Why ERC2771ContextUpgradeable has a constructor? Smart Contracts	1	972	February 15, 2022
Trying to create an upgradeable contract with metatx capabilities General	1	453	November 1, 2022
Not all upgradeable contracts are following the initializer convention? Upgrades	6	1328	April 24, 2023
How to inherit ERC2771ContextUpgradeable? Upgrades	7	1461	December 9, 2022

In ERC2771Context _trustedForwarder shouldn't be immutable

Related Topics