Hi, looking at the TransparentUpgradableProxy contract which is used to build transparent proxy pattern I see it creates ProxyAdmin contract by default which is used for admin interface towards proxy. My question is, is it possible to enforce timelock for proxy upgrade ? What I thinking is that this Proxy Admin contract to be modified to support this (override upgradeAndCall). But what I see as a problem is that TransparentUpgradableProxy which references ProxyAdmin to create it, is probably built-in OZ upgrades tool so when I do upgrades.deployProxy, tool will use it's version of ProxyAdmin contract when creating proxy and no my which overrides upgradeAndCall (to support timelock). What is the recommended design to support this ?
Yes, from the version 5.x, When using the Transparent Proxy pattern, it will create a new proxyAdmin contract, some discussion about this:
That means that if multiple proxy use the same ProxyAdmin,
then you can separate the ownership.
You may be able to change who owns the ProxyAdmin,
but every proxy that point to it will share the same owner, forever.
That is why we decided to make the
TransparentUpgradeableProxy <> ProxyAdmin a 1-to-1 relationship.
From more details, you can have a look at here: https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4382/files#diff-1d8d60c426f2fc6f21099cb2b4e0350969b4ddead75a055facd251c3f30feb25R75
So if you want to reuse the proxyAdmin contract, maybe you can use the version 4.x
but question was more about timelock. To modify proxy admin so that it supports ….” it can only upgrade after 1 week”
this is not possible?
to give it a context, this would be required to give integirity to contract even if it a proxy, so that it can be modified any time, but after timelock expires. I know this is possible with uups with _authorizeupgrade, is there a way in transparent proxy pattern? But in a way to not break OZ upgrade validation tool.
To summarize, possible options to consider (including the ones discussed above) are:
- use UUPS
- use transparent proxy from OpenZeppelin Contracts 4.x but with a custom proxy admin
- use a custom transparent proxy
2 Likes