Slither claims an upgradeTo function is exposed when it (likely?) is not
#1.136 aberto em 19 de mar. de 2022
Métricas do repositório
- Stars
- (4.769 stars)
- Métricas de merge de PR
- (Mesclagem média 54d 9h) (2 fundiu PRs em 30d)
Description
Describe the issue:
When running Slither on this UUPS upgradeable contract](https://github.com/OpenQDev/OpenQ-Contracts/blob/development/contracts/OpenQ/Implementations/OpenQV0.sol), it triggers the unprotected-upgradeable-contract critical warning as shown below:
However, the latest OpenZeppelin UUPSUpgradeable.sol does indeed protect its upgradeTo method with both onlyProxy, as well as an optional _authorizeUpgrade method which I have onlyOwnered as seen here.
So I believe that only an owner calling via the proxy will be able to call upgradeTo....unless I'm wrong and missing something and Slither is doing its wonderful job 😅.
Code example to reproduce the issue:
git clone https://github.com/OpenQDev/OpenQ-Contracts.git
cd OpenQ-Contracts
solc-select use 0.8.12
slither . --exclude-dependencies
Version:
slither 0.8.2
Relevant log output:
OpenQV0 (contracts/OpenQ/Implementations/OpenQV0.sol#18-254) is an upgradeable contract that does not protect its initiliaze functions: OpenQV0.initialize(address) (contracts/OpenQ/Implementations/OpenQV0.sol#30-35). Anyone can delete the contract with: UUPSUpgradeable.upgradeTo(address) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#72-75)UUPSUpgradeable.upgradeToAndCall(address,bytes) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#85-88)Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#unprotected-upgradeable-contract