Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

reinitializers call _upgrade function which is marked as onlyInitializing #496

Open
JorgeAtPaladin opened this issue Jul 15, 2024 · 2 comments
Open

reinitializers call _upgrade function which is marked as onlyInitializing #496

JorgeAtPaladin opened this issue Jul 15, 2024 · 2 comments
Assignees
@rapidddenis
Labels
info review
Milestone
GIF v3

Comments

@JorgeAtPaladin
Copy link

gif-next/contracts/upgradeability/Versionable.sol

Line 34 in 6319a56

_upgrade(data);

Seems like this flow is validating that the initializing is occuring twice. Looking at current OZ's implementation that's not a big deal as reinitizaling modifier sets initializing to true again, but I was concerned that this would revert. It might make sense to have the safeguard on the modifiers/outer facing functions and have the inner one without a check. Otherwise leaving this unchanged is fine as well.
@marcoatpaladin marcoatpaladin changed the title INFO: reinitializers call _upgrade function which is marked as onlyInitializing reinitializers call _upgrade function which is marked as onlyInitializing Jul 15, 2024
@doerfli doerfli added this to the GIF v3 Audit Ready milestone Jul 15, 2024
@doerfli doerfli added the review label Jul 17, 2024
@rapidddenis
Copy link
Collaborator

rapidddenis commented Jul 19, 2024
edited
Loading

The reason why _upgrade() have onlyInitializing() modifier is from OZ's Initializable.sol:

/**
 * @dev Modifier to protect an initialization function so that it can only be invoked by functions with the
 * {initializer} and {reinitializer} modifiers, directly or indirectly.
 */
modifier onlyInitializing() {
    _checkInitializing();
    _;
}

@rapidddenis
Copy link
Collaborator

rapidddenis commented Jul 19, 2024
edited
Loading

  1. initializeVersionable() is missing comment for initialization in same tx, right after deployment (the way ProxyManager uses versionables) and/or access restriction

    gif-next/contracts/upgradeability/Versionable.sol

    Line 23 in 6319a56

    initializer

  2. upgradeVersionable() is missing access restriction (must be restricted to deployer)

    gif-next/contracts/upgradeability/Versionable.sol

    Line 32 in 6319a56

    reinitializer(VersionLib.toUint64(getVersion()))

  3. _initialize() implementations are using initializer() instead of onlyInitializing(). It works because called _initialize() is called in constructor.

    gif-next/contracts/instance/InstanceService.sol

    Line 426 in b7eedf9

    initializer()

@doerfli doerfli modified the milestones: GIF v3 Audit Ready, GIF v3 Sep 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rapidddenis rapidddenis

Labels
info review
Projects
None yet
Milestone
GIF v3
Development

No branches or pull requests
4 participants
@doerfli @rapidddenis @JorgeAtPaladin @marcoatpaladin