Should ReentrancyGuard be always initialized in an upgradable contract? Will the protection work when not initialized?

Sol_Ch · February 12, 2025, 9:54am

Hello. Is reentancy attack possible if ReentrancyGuardUpgradeable is inherited in a contract but not intialized through including __ReentrancyGuard_init() into initialize()?

Skyge · February 13, 2025, 12:19am

Hi, welcome to the community!

Generally, it is recommend to do this in your initialize(). And which version do you use?

Sol_Ch · February 13, 2025, 10:09am

Thank you. I use @openzeppelin/contracts-upgradeable@5.1.0
But without initializing it, reentrancy protection still works, right?

Skyge · February 13, 2025, 2:30pm

If you use 0.5.x, I think you should call __ReentrancyGuard_init() explicitly, cause after 0.5.x, OpenZeppelin uses ERC-7201, that is namespaces storage layout, it will group storage variables together, so should call the function to initialize some value.
And you can check the value of this variable or make a test.

agreenberg · February 13, 2025, 5:04pm

Initializing ReentrancyGuardUpgradeable is preferred but not mandatory and reentrancy protection will still work.

Note: you must ensure that initializers are disabled if not explicitly calling them. This can be done by calling _disableInitializers.

Skyge · February 14, 2025, 12:46am

Ohhhh, sorry for misleading you, I am wrong, as agreenberg said above, it is ok if you do not call __ReentrancyGuard_init(), the code is:

github.com/OpenZeppelin/openzeppelin-contracts-upgradeable

contracts/utils/ReentrancyGuardUpgradeable.sol

master


      
          function _nonReentrantBefore() private {
              ReentrancyGuardStorage storage $ = _getReentrancyGuardStorage();
              // On the first call to nonReentrant, _status will be NOT_ENTERED
              if ($._status == ENTERED) {
                  revert ReentrancyGuardReentrantCall();
              }
          
              // Any calls to nonReentrant after this point will fail
              $._status = ENTERED;
          }

The key is before reentrancy, the value can not be
ENTERED(2 at here), so it does not matter if the value is 0(do not call __ReentrancyGuard_init()) or 1(call __ReentrancyGuard_init()).
Sorry again for misleading you.
Always write tests to verify your guesses.

Sol_Ch · February 14, 2025, 8:47am

@agreenberg @Skyge Thank you!

Topic		Replies	Views
Reinitializer() works even with _disableInitializer() in constructor? Smart Contracts proxies , upgrades , solidity	4	34	February 12, 2025
Is it mandatory to call __Pausable_init or any init functions within upgradable contracts? What happens if you dont? Upgrades proxies	1	274	May 21, 2024
Clarification Regarding __{ContractName}_init_unchained Function Upgrades	2	605	July 20, 2021
Should __Ownable_init() be called in the constructor of an OwnableUpgradeable implementation contract Smart Contracts	3	1544	December 13, 2021
Do I need to reinitialize inherited contracts again when upgrading? Upgrades	1	1381	August 8, 2022

Should ReentrancyGuard be always initialized in an upgradable contract? Will the protection work when not initialized?

Related topics