Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Patch UpgradeableRenounceableProxy to strictly enforce promises #114

Merged
merged 5 commits into from
Nov 28, 2024
Merged

Patch UpgradeableRenounceableProxy to strictly enforce promises #114

merged 5 commits into from
Nov 28, 2024

Conversation

roleengineer
Copy link
Contributor

Refactor _delegate function to prevent modification of admin and implementation slots.

This patch ensures that the proxy-native functions upgradeToAndCall and renounceUpgradeability are exclusive by disallowing any adjustments to the admin and implementation slots during implementation execution. This change enforces strict integrity of these slots, preventing modifications during delegate calls.

@roleengineer roleengineer linked an issue Nov 26, 2024 that may be closed by this pull request
Patch RenounceableProxy to strict enforce promises #113
Closed
@roleengineer roleengineer self-assigned this Nov 26, 2024
@roleengineer
Copy link
Contributor Author

Actually, i start thinking now that ADMIN_INIT immutable lost its meaning and probably should be removed. Let me think a little, probably i'll do one more commit.

@roleengineer
Copy link
Contributor Author

Finally decided to remove ADMIN_INIT, ready for merge.

@benjaminbollen
Copy link
Member

benjaminbollen commented Nov 27, 2024
edited
Loading

some points to explicitly state to have confirmed, as we are now knee-deep into this:

  1. L96-98, just to explicitly confirm: we do want the admin to be able to access the implementation. We could for security be strict and only allow the admin to access the proxy admin functions in _dispatchAdmin() - and revert for unknown signatures. But for our intended use the groupAvatar should also be the one that (if any governance) has the governance on the policy implementation. So I think this is our correct and intended behaviour.

  2. Related to the first point, should we consider re-entrency scenarios in this proxy contract; specifically to the admin functionality? I think all is good; would it be valuable to have for all policies (using this proxy) regardless?

  3. we emit the ERC1967 events in the open zeppelin calls. so that's good!

  4. we could implement a time-delay for upgradeToAndCall functionality, but I think that's over-engineering at this point for our needs. Recommending and guiding people to meaningfully use a SAFE multisig as groupAvatar is imo sufficient for us

  5. ERC1967 lib already checks that upgrading to a new implementation checks that is has codeLength > 0; as a soft sanity check. So that's covered.

This looks very good; if we agree/discuss on point 1. and 2. (which i think we do); this is good to merge!

great work!

benjaminbollen
benjaminbollen approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@benjaminbollen benjaminbollen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@roleengineer
Copy link
Contributor Author

After spending additional time to knee-deep, we concluded that the proxy admin functionality should be protected by a reentrancy guard to prevent potential vulnerabilities.

@roleengineer roleengineer merged commit 366111e into beta Nov 28, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benjaminbollen benjaminbollen benjaminbollen approved these changes

Assignees

@roleengineer roleengineer

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Patch RenounceableProxy to strict enforce promises
2 participants
@roleengineer @benjaminbollen