crytic/slither

Slither claims an upgradeTo function is exposed when it (likely?) is not

Open

#1,136 opened on Mar 19, 2022

View on GitHub
 (9 comments) (0 reactions) (0 assignees)Python (886 forks)batch import
enhancementgood first issue

Repository metrics

Stars
 (4,769 stars)
PR merge metrics
 (Avg merge 54d 9h) (2 merged PRs in 30d)

Description

Describe the issue:

When running Slither on this UUPS upgradeable contract](https://github.com/OpenQDev/OpenQ-Contracts/blob/development/contracts/OpenQ/Implementations/OpenQV0.sol), it triggers the unprotected-upgradeable-contract critical warning as shown below:

However, the latest OpenZeppelin UUPSUpgradeable.sol does indeed protect its upgradeTo method with both onlyProxy, as well as an optional _authorizeUpgrade method which I have onlyOwnered as seen here.

So I believe that only an owner calling via the proxy will be able to call upgradeTo....unless I'm wrong and missing something and Slither is doing its wonderful job 😅.

Code example to reproduce the issue:

git clone https://github.com/OpenQDev/OpenQ-Contracts.git cd OpenQ-Contracts solc-select use 0.8.12 slither . --exclude-dependencies

Version:

slither 0.8.2

Relevant log output:

OpenQV0 (contracts/OpenQ/Implementations/OpenQV0.sol#18-254) is an upgradeable contract that does not protect its initiliaze functions: OpenQV0.initialize(address) (contracts/OpenQ/Implementations/OpenQV0.sol#30-35). Anyone can delete the contract with: UUPSUpgradeable.upgradeTo(address) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#72-75)UUPSUpgradeable.upgradeToAndCall(address,bytes) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#85-88)Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#unprotected-upgradeable-contract

Contributor guide