Security and stability of Upgradeable ERC20?

Hi,
I’m new to the Upgrades plugin.
I’ve successfully deployed a test ERC20 contract to testnet. I’m planning to deploy in production, but I have some questions.

  1. Are there any large/popular tokens that are using the Upgrades plugin? I’m worried about security/stability.
  2. Gas fee: any increase?
  3. Etherscan source code submission: my deployed contract on testnet is automatically verified and I can’t re-submit the code. I don’t know whether I can re-submit on Etherscan mainnet.
  4. Any downsides or disadvantages of the Upgrades plugin?

Thanks so much!

1 Like

Emmm, I think the stablecoin USDC, Aave's aToken, and Compound's cToken all use the proxy pattern. However, there are some differences between them.

Emmmm, I am not sure, but I think yes, because you need to call an extra opcode, delegatecall. What do you think, @abcoathup? If I am wrong, please correct me.

I think you can contact the Etherscan devs to confirm that; I have never done it before.

You can add new features by upgrading the contract, but do not change the order of the storage variables.

1 Like
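
The storage-order rule in the reply above, as an added example that is not part of the thread or of any OpenZeppelin code: a minimal check that every existing variable keeps its position and type between two versions. The variable names `_denied` and `_feeBps` and the simplified layouts are assumptions constructed for illustration.

```javascript
// Added example. Entries use the fields solc emits for `storageLayout`
// (label, slot, offset, type). All sample data below is constructed.
function findLayoutConflicts(oldStorage, newStorage) {
  const conflicts = [];
  oldStorage.forEach((oldVar, i) => {
    const newVar = newStorage[i];
    if (!newVar) {
      conflicts.push(`${oldVar.label}: removed from slot ${oldVar.slot}`);
    } else if (newVar.label !== oldVar.label) {
      conflicts.push(`slot ${oldVar.slot}: was ${oldVar.label}, now ${newVar.label}`);
    } else if (newVar.type !== oldVar.type) {
      conflicts.push(`${oldVar.label}: type ${oldVar.type} -> ${newVar.type}`);
    } else if (newVar.slot !== oldVar.slot || newVar.offset !== oldVar.offset) {
      conflicts.push(`${oldVar.label}: moved to slot ${newVar.slot}, offset ${newVar.offset}`);
    }
  });
  return conflicts; // empty array: existing variables kept their positions
}

// Helper that assigns one full slot per variable (true for the types used here).
const layout = (vars) =>
  vars.map(([label, type], i) => ({ label, type, slot: String(i), offset: 0 }));

const balances = ["_balances", "t_mapping(t_address,t_uint256)"];
const totalSupply = ["_totalSupply", "t_uint256"];
const denied = ["_denied", "t_mapping(t_address,t_bool)"]; // hypothetical deny list
const feeBps = ["_feeBps", "t_uint256"]; // hypothetical new variable

const v1 = layout([balances, totalSupply, denied]);
const v2Appended = layout([balances, totalSupply, denied, feeBps]); // safe
const v2Inserted = layout([feeBps, balances, totalSupply, denied]); // shifts every slot
const v2Retyped = layout([balances, ["_totalSupply", "t_uint128"], denied]);

console.log(findLayoutConflicts(v1, v2Appended));
console.log(findLayoutConflicts(v1, v2Inserted));
console.log(findLayoutConflicts(v1, v2Retyped));
```

The check is deliberately conservative: renaming a variable without moving it is also reported, so a reviewer has to confirm the rename was intended.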

Hi @Hiep_Tran,

Welcome to the community :wave:

Just to add to @Skyge’s excellent answers (thanks as always @Skyge :pray:)

I recommend reading how USDC did their upgrade: https://blog.coinbase.com/usdc-v2-upgrading-a-multi-billion-dollar-erc-20-token-b57cd9437096

Also the current state of upgrades

Yes there is a gas fee overhead using a proxy. I recommend testing this yourself on a public testnet to see the difference.

Please note this condition: OpenZeppelin upgradeable contracts affected by Istanbul hardfork

The proxy and the ProxyAdmin contracts should be already verified; your implementation contract won’t be verified.

Etherscan supports proxy contracts.

I wasn’t sure what you meant?

Aside from a gas overhead, you have an administrator account that you need to keep secure and that your community needs to trust the management of.

See: https://docs.openzeppelin.com/learn/preparing-for-mainnet#set-admin

You may want to use a multi-sig such as Gnosis Safe and use OpenZeppelin Defender to administer (see: https://docs.openzeppelin.com/defender/admin).

Thanks so much! Very detailed answer.
I used the OpenZeppelin Upgrades plugin and successfully deployed to Etherscan: https://ropsten.etherscan.io/address/0x4E416Ff2DCAd0597036beAeF058E086b158d3391#code

I don’t feel confident enough because this is the first contract where I use this proxy thing. And looking back, there were a ton of hacks around me, which makes me afraid.
Is there any audit service that I could use or hire?

1 Like

Hi @Hiep_Tran,

Your token looks fairly similar to the ERC20 preset. The main difference is that you have added a deny list. As an aside I would look to call it a deny list or a block list.

I would suggest appropriate testing, both unit tests of the implementation contract and higher level testing via the proxy. Especially your deny list, to ensure that the behavior is as intended e.g. preventing minting, transfers and pausing to/from an address on the deny list.

I also recommend looking at using a multi-sig to control upgrades, minting and the deny list. Ideally you would have multi-sigs for each purpose. (Resources: Multi-signature wallet resources)

You may also want to consider using OpenZeppelin Defender for administration. See the following example: Manage an ERC20 token using Defender Admin and Gnosis Safe

I recommend doing more deployments, upgrades and tests to get more experience with upgradeable contracts.

As for an audit, you can request one from the OpenZeppelin team using the following form: https://openzeppelin.com/request/

I submitted an audit request, but they replied by email that they are fully booked and told me to wait till the end of Q2.
Is there another service I can use? Including services that charge a fee for an audit.

1 Like

Hi @Hiep_Tran,

If you need an audit sooner, you could look at projects that you respect and see who they used as auditors and check their availability.