-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update Software Engineering Upgradeability section #244
Conversation
* Update Software Engineering upgradeability section Registry * Update sample to Solidity 0.5.0 * Add address validation "changeBackend" function Relay * Add risks and recommendations regarding the use of delegatecall * Addresses security issues regarding proxies * Add LogicContract sample * Update sample to Solidity 0.5.0 * Add address validation "constructor" and "payable" function
Thanks @fodisi! One of us will review this when we get a chance next week. |
- [How a contract's constructor can affect upgradability](https://blog.openzeppelin.com/towards-frictionless-upgradeability/) | ||
- How the ABI specifies [function selectors](https://solidity.readthedocs.io/en/v0.4.24/abi-spec.html?highlight=signature#function-selector) and how [function-name collision](https://medium.com/nomic-labs-blog/malicious-backdoors-in-ethereum-proxies-62629adf3357) can be used to exploit a contract that uses `delegatecall` | ||
- How `delegatecall` to a non-existent contract will return true even if the called contract does no exist. For more details see [Breaking the proxy pattern](https://blog.trailofbits.com/2018/09/05/contract-upgrade-anti-patterns/) and Solidity docs on [Error handling](https://solidity.readthedocs.io/en/latest/control-structures.html#error-handling-assert-require-revert-and-exceptions). | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I suggest adding this blog post to the resources as well: https://diligence.consensys.net/blog/2019/01/upgradeability-is-a-bug/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shayanb
Thank you for your review. I just committed the changes to add a reference to the blog post provided.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a comment to add Steve's blog post to the end of the page. the rest LGTM.
@shayanb @maurelian Thank you! |
@fodisi thanks for the PR and also reminding us to merge it :) |
Registry
Relay