Restricting initializer and calling _disableInitializers in implementation contract deployed behind deployProxy

tibas · June 6, 2024, 4:03am

When you have an implementation contract deployed behind deployProxy of openzeppelin, is allowed to:

ericglau · June 7, 2024, 3:47pm

Yes, but to prevent frontrunning, the initialize function should be called in the same transaction as the proxy deployment. This occurs by default when you use deployProxy from the Hardhat Upgrades plugin.
_disableInitializers() is recommended. See What does `_disableInitializers();` function mean? for reasoning.

Topic		Replies	Views
Doesn't deployProxy() initialize the implementation contract? Upgrades	11	2163	September 5, 2023
Lack of access control during upgradable contracts initialization SDK upgrades	3	1172	April 6, 2020
ERC20 Wizard, Upgradeable, Constructor, _disableInitializers() Security	0	776	June 2, 2022
Does the upgradeable deployment call initialize function in a separate or single transaction? Upgrades	3	801	April 4, 2022
Openzeppelin initializer for my functions Upgrades proxies	1	607	December 8, 2021