Release Candidate for Contracts 4.6: Open Review Period

We've published the release candidate for the next version of OpenZeppelin Contracts. There are a ton of changes and additions!

This begins the Open Review Period for the release, during which we ask the community to review these changes and let us know your feedback. We are of course particularly interested in security issues and we invite everyone to participate in our bug bounty with rewards of up to USD $25,000 and a special POAP for submitting a valid issue. This period will extend for about 3 weeks, until April 22nd.



Take a look at the changelog for the full list, but here are some of our highlights:

CrossChainEnabled: For #L222 we want to make it easy to adopt Layer 2s and other potential scalability solutions. One of our current focus areas is code portability: making it easy to develop code that will be deployed on multiple chains. In this version we include an abstraction that allows a contract to receive messages from another chain, based on Optimism's CrossDomainEnabled contract, and extended for several other chains and bridge protocols: Arbitrum, Polygon, Gnosis Chain, and others.

Governor Parameterized Votes: A powerful new component in our Governor system is the concept of parameterized votes. This mechanism allows votes to include arbitrarily more parameters than the simple "support" value currently available. These parameters could be used for many things, including fractionalized votes or voting with NFTs that don't have vote-tracking built in.

Reinitializers: Initializable has long been a member of the OpenZeppelin family but so far we did not provide any guidance or tooling for dealing with initialization of the new components added to a contract in an upgrade. We've now extended the Initializable contract with the concept of "reinitializer functions". The new reinitializer modifier can be used to decorate initialization functions for upgrades, and they'll be restricted to run only once, in order.

Security improvements: We implemented two mitigations for potential problems pointed out by Certora as part of our engagement to formally verify and audit OpenZeppelin Contracts, both related to the governance contracts. The first was to harden the "onlyGovernance" modifier for schemes where a timelock has multiple proposers, the second was to add a separate canceller role to the TimelockController contract.


This prerelease can be installed with:

npm install @openzeppelin/contracts@next

Or for upgradeable contracts:

npm install @openzeppelin/contracts-upgradeable@next
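As an added illustration of the reinitializer mechanism described above (example code written for this thread, not taken from the release or its docs; `VaultV1`, `VaultV2` and the `cap`/`feeBps` fields are hypothetical), a V1 implementation guarded by `initializer` and a V2 whose new setup runs under `reinitializer(2)`:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

// Hypothetical V1 implementation: a single `initializer` guards first-time setup.
contract VaultV1 is Initializable, OwnableUpgradeable {
    uint256 public cap;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Lock the implementation contract so it can never be initialized directly.
        _disableInitializers();
    }

    function initialize(uint256 cap_) public initializer {
        __Ownable_init();
        cap = cap_;
    }
}

// Hypothetical V2 implementation: adds a fee that needs its own one-time setup.
// `reinitializer(2)` lets `initializeV2` run exactly once on a proxy whose stored
// version is below 2, and never again afterwards, even across later upgrades.
contract VaultV2 is Initializable, OwnableUpgradeable {
    uint256 public cap;    // storage layout unchanged from V1
    uint16 public feeBps;  // appended storage slot for the new component

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers();
    }

    // Kept so a fresh V2 proxy can still run the version-1 setup; note that on a
    // fresh proxy this must be called before initializeV2, since reinitializer(2)
    // bumps the stored version past 1 and `initializer` would then revert.
    function initialize(uint256 cap_) public initializer {
        __Ownable_init();
        cap = cap_;
    }

    // Version-2 setup for upgraded proxies: restricted to the owner and to a single run.
    function initializeV2(uint16 feeBps_) public reinitializer(2) onlyOwner {
        require(feeBps_ <= 10_000, "fee exceeds 100%");
        feeBps = feeBps_;
    }
}
```

A later `reinitializer(3)` on a V3 can follow in order; what the modifier prevents is any version being set up twice, which is the bug class the release post's "restricted to run only once, in order" wording refers to.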

The release is out now and can be installed with

npm install @openzeppelin/contracts@latest
