Upgradeable contracts: Best practice around using `onlyProxy`

I'm curious what the general recommendation is around using onlyProxy to protect direct calls to the implementation contract.

It is my understanding that the only way the implementation contract could interfere with the proxy is via some combination of selfdestruct, delegatecall and callcode. So it seems as long as a function never executes any of these instructions, there is no way it can influence the proxy, and the onlyProxy modifier is not needed.

In conclusion, would you consider the following rule to be secure?

Use onlyProxy for any function of the implementation contract that may execute selfdestruct, delegatecall or callcode. Otherwise, onlyProxy is not needed.


1 Like