Restricting initializer and calling _disableInitializers in implementation contract deployed behind deployProxy

tibas · June 6, 2024, 4:03am

When you have an implementation contract deployed behind deployProxy of openzeppelin, is allowed to:

ericglau · June 7, 2024, 3:47pm

Yes, but to prevent frontrunning, the initialize function should be called in the same transaction as the proxy deployment. This occurs by default when you use deployProxy from the Hardhat Upgrades plugin.
_disableInitializers() is recommended. See What does `_disableInitializers();` function mean? for reasoning.

Topic		Replies	Views
Doesn't deployProxy() initialize the implementation contract? Upgrades	11	2218	September 5, 2023
Initializing upgraded contracts Upgrades upgrades	1	809	September 7, 2022
When do constructor and initialize funcs get called? Upgrades	6	1668	October 16, 2023
How to test upgradeability for proxies Upgrades	6	1283	December 2, 2022
Lack of access control during upgradable contracts initialization SDK upgrades	3	1184	April 6, 2020