Known Solidity compiler bugs in current TransparentUpgradeableProxy version

I deployed an upgradeable contract, and the proxy contract for TransparentUpgradeableProxy shows the following warning:

Compiler specific version warnings:

The compiled contract might be susceptible to ABIDecodeTwoDimensionalArrayMemory (very low-severity), KeccakCaching (medium-severity) Solidity Compiler Bugs.

According to the Solidity list of known bugs, these were both fixed in version 0.8.3 and 0.8.4.

When will npm package @openzeppelin/contracts-upgradeable be updated to use the latest version of Solidity?

These bugs do not affect the TransparentUpgradeableProxy contract.

For @openzeppelin/contracts-upgradeable you can use any of the newer versions of the compiler that you want, in your Hardhat or Truffle configuration.

According to the links in my post, the bugs certainly do affect the TransparentUpgradeableProxy contract. The warning on Etherscan is enough to concern users of the contract.

And I’m using version 0.8.4 (as you can see from my implementation contract on Etherscan), but the TransparentUpgradeableProxy contract is not used/compiled in this way. It’s used via the upgradeProxy.

So, regardless, the problem remains until the npm package is updated, and my contract users remain concerned about the Etherscan warning.

What I mean is that while the compiler does have these bugs, the TransparentUpgradeableProxy contract is not affected by them. You should reassure your users that the warnings on Etherscan are general warnings and the contract is not affected.

Isn’t it better for you to just compile with the latest version of Solidity where these bugs are fixed than requiring contract owners to ‘reassure’ their users? How can I even be sure? I’m only relaying your word. But the automatic checks are not opinionated, and it is easy to resolve by simply compiling your contracts with the latest version (takes less time than it took me to write this message).

It’s simple to recompile with a newer version. Not so simple at all to then verify those contracts on the dozen networks that people use. Our verification process needs to be improved.

These are not automatic checks, they’re blanket warnings for any contract compiled with that version. Even if we recompile with latest and you use that, in the future some Solidity bug may be found that adds a new warning to your contract, even if it doesn’t affect it.

You’re right to be skeptical of whether these bugs actually affect this contract. A professional auditor would be able to verify that independently if you need. Unfortunately recompiling and removing the warning is not as trivial as it seems. Sorry that we can’t do that right now. If we talk about it in a few weeks we may have been able to improve the source code verification process so that it’s possible for us to recompile with a new version.