Describe the issue:
When running Slither on this UUPS upgradeable contract](https://github.com/OpenQDev/OpenQ-Contracts/blob/development/contracts/OpenQ/Implementations/OpenQV0.sol), it triggers the unprotected-upgradeable-contract critical warning as shown below:
However, the latest OpenZeppelin UUPSUpgradeable.sol does indeed protect its upgradeTo method with both onlyProxy, as well as an optional _authorizeUpgrade method which I have onlyOwnered as seen here.
So I believe that only an owner calling via the proxy will be able to call upgradeTo....unless I'm wrong and missing something and Slither is doing its wonderful job 😅.
Code example to reproduce the issue:
git clone https://github.com/OpenQDev/OpenQ-Contracts.git
cd OpenQ-Contracts
solc-select use 0.8.12
slither . --exclude-dependencies
Version:
slither 0.8.2
Relevant log output:
OpenQV0 (contracts/OpenQ/Implementations/OpenQV0.sol#18-254) is an upgradeable contract that does not protect its initiliaze functions: OpenQV0.initialize(address) (contracts/OpenQ/Implementations/OpenQV0.sol#30-35). Anyone can delete the contract with: UUPSUpgradeable.upgradeTo(address) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#72-75)UUPSUpgradeable.upgradeToAndCall(address,bytes) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#85-88)Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#unprotected-upgradeable-contract
Describe the issue:
When running Slither on this UUPS upgradeable contract](https://github.com/OpenQDev/OpenQ-Contracts/blob/development/contracts/OpenQ/Implementations/OpenQV0.sol), it triggers the
unprotected-upgradeable-contractcritical warning as shown below:However, the latest OpenZeppelin UUPSUpgradeable.sol does indeed protect its
upgradeTomethod with bothonlyProxy, as well as an optional_authorizeUpgrademethod which I haveonlyOwneredas seen here.So I believe that only an
ownercalling via theproxywill be able to callupgradeTo....unless I'm wrong and missing something and Slither is doing its wonderful job 😅.Code example to reproduce the issue:
git clone https://github.com/OpenQDev/OpenQ-Contracts.gitcd OpenQ-Contractssolc-select use 0.8.12slither . --exclude-dependenciesVersion:
slither 0.8.2Relevant log output:
OpenQV0 (contracts/OpenQ/Implementations/OpenQV0.sol#18-254) is an upgradeable contract that does not protect its initiliaze functions: OpenQV0.initialize(address) (contracts/OpenQ/Implementations/OpenQV0.sol#30-35). Anyone can delete the contract with: UUPSUpgradeable.upgradeTo(address) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#72-75)UUPSUpgradeable.upgradeToAndCall(address,bytes) (node_modules/@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol#85-88)Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#unprotected-upgradeable-contract