
Whitelist `_disableInitializers` to avoid reporting unprotected-upgradeable-contract

Open 0xmichalis opened this issue 2 years ago • 0 comments

Describe the issue:

OpenZeppelin recently added support for `_disableInitializers`, which helps with disabling implementation initialization when used in the constructor of a contract. Slither should be able to pick that up and avoid reporting https://github.com/crytic/slither/wiki/Detector-Documentation#unprotected-upgradeable-contract.

There may be other cases where users have manually implemented initializer protection; not sure how easy it would be to support them and/or whether Slither already does that and it's only the `_disableInitializers` support that is missing.

Code example to reproduce the issue:

pragma solidity >=0.8.4;

// _disableInitializers() ships with OpenZeppelin Contracts 4.6.0 and later.
import '@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol';

contract A is UUPSUpgradeable {

    // Locks the implementation contract itself: initialize() can only ever run
    // through a proxy, never directly on the deployed logic contract.
    constructor() {
        _disableInitializers();
    }

    function initialize() public virtual initializer { }

    // Required by UUPSUpgradeable, otherwise A must be declared abstract.
    // Left unrestricted only to keep the reproducer minimal; a real contract
    // must gate upgrades (e.g. with an owner check).
    function _authorizeUpgrade(address) internal override { }
}

Version:

0.8.2

Relevant log output:

No response

0xmichalis avatar Jun 13 '22 14:06 0xmichalis
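The whitelist the issue asks for, written out as an added example script on top of the Slither Python API; this is not Slither's own detector and not the reporter's code. It assumes `slither-analyzer` and a matching `solc` are installed when `scan()` is run, and it assumes (as a hedge across Slither versions) that a constructor's internal calls are exposed either as `Function` objects or as call operations carrying a `.function` attribute. The decision logic itself is plain Python over a small `ContractFacts` record, so it can be exercised without a compiler.

```python
"""Report upgradeable contracts whose initializer is reachable on the
implementation itself, i.e. whose constructor never calls
_disableInitializers().  Example script added here, not Slither's detector."""
from __future__ import annotations

from dataclasses import dataclass

# Name of the OpenZeppelin helper that locks the implementation (Contracts >= 4.6.0).
LOCK_CALL = "_disableInitializers"


@dataclass
class ContractFacts:
    """The few facts about a contract the whitelist decision needs."""
    name: str
    is_upgradeable: bool
    constructor_calls: list[str]   # names of functions the constructor (transitively) calls
    initializers: list[str]        # public/external functions carrying the `initializer` modifier


def is_locked(facts: ContractFacts) -> bool:
    """True when the constructor locks the implementation via _disableInitializers()."""
    return LOCK_CALL in facts.constructor_calls


def unprotected_initializers(facts: ContractFacts) -> list[str]:
    """Initializers that should still be reported: the contract is upgradeable,
    exposes at least one initializer, and the constructor does not lock it.
    Returning [] for a locked contract is exactly the whitelist the issue asks for."""
    if not facts.is_upgradeable or is_locked(facts):
        return []
    return list(facts.initializers)


def _call_name(call) -> str:
    # Assumption: older Slither releases store Function/SolidityFunction objects in
    # the internal-call lists, newer ones wrap them in an operation with `.function`.
    target = getattr(call, "function", call)
    return getattr(target, "name", str(target))


def facts_from_slither(contract) -> ContractFacts:
    """Extract ContractFacts from a slither Contract object."""
    ctor = contract.constructor
    ctor_calls = [] if ctor is None else [_call_name(c) for c in ctor.all_internal_calls()]
    inits = [
        f.name
        for f in contract.functions
        if f.visibility in ("public", "external")
        and any(m.name == "initializer" for m in f.modifiers)
    ]
    return ContractFacts(contract.name, contract.is_upgradeable, ctor_calls, inits)


def scan(path: str) -> dict[str, list[str]]:
    """Run the check over every most-derived contract in `path`.
    Slither is imported lazily so the pure logic above runs without it installed."""
    from slither import Slither

    report: dict[str, list[str]] = {}
    for contract in Slither(path).contracts_derived:
        bad = unprotected_initializers(facts_from_slither(contract))
        if bad:
            report[contract.name] = bad
    return report


if __name__ == "__main__":
    import json
    import sys

    # Usage: python check_initializer_lock.py path/to/Contract.sol
    print(json.dumps(scan(sys.argv[1]), indent=2))
```

For the contract `A` in the issue, `facts_from_slither` yields `constructor_calls == ["_disableInitializers"]` and the report stays empty; drop the constructor and `initialize` is listed again. The check is deliberately name-based on the constructor's transitive internal calls, so a helper that wraps `_disableInitializers()` still counts, while a call made only from `initialize()` itself does not.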