Slither unprotected-upgradeable-contract detector

Hi everyone,

I've been using the Openzeppelin contracts upgradeable in my project and today I decided to run the slither tool to check how is it going. Well ... apparently it isn't very good. But I can't understand where is the real problem (or if it's a false positive), so I'm in need of your help.

The detector says:

CalculatorUpgradeable (contracts/Calculator.sol#13-59) is an upgradeable contract that does not protect its initiliaze functions: CalculatorUpgradeable.initialize() (contracts/Calculator.sol#31-33). Anyone can delete the contract with: UUPSUpgradeable.upgradeTo(address) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#72-75)UUPSUpgradeable.upgradeToAndCall(address,bytes) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#85-88)

What does it mean by "does not protect its initiliaze functions"? The initialize function has the onlyOwner modifier.

On the documentation, it recommends to add a constructor to ensure "initialize" cannot be called on the logic contract. Sorry but I didn't get the idea :frowning:

Here is the code of the contract caught by this detector:

// SPDX-License-Identifier: MIT
pragma solidity >=0.4.22 <0.9.0;

import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";

contract CalculatorUpgradeable is Initializable,  OwnableUpgradeable,  UUPSUpgradeable {

    function initialize() external initializer onlyOwner {

    function calcPercentage(uint256 amount, uint256 percentage)
        returns (uint256)
        return (amount * percentage * 100) / 10000;

    function _authorizeUpgrade(address newImplementation)

Thanks a lot for any clarification,

Based on this it seems to be a false positive