Remove runtime validation of ERC1967 slots in proxies #3125
Comments
|
Hello @Jaime-Iglesias What do you mean when you say
What would this "validation" look like? Is it checking the content of the slot? Is it recomputing the slot from the "hash(...) -1"? |
|
Also, What do you mean by
What is there to change, that people would forget? |
|
Just to be sure, you understand that two contracts If A writes to slot "x" and B read from the same slot "x", B will NOT be seeing the value stored by A, because each contract is in its own "independent" space. |
|
Hey @Amxx, Thanks for the response,
I mean validating the slot was computed from "hash of ... - 1".
I think my message was not very clear there, apologies. I meant that a malicious actor implementing
Not sure I follow here...In this case Furthermore, to my point - the comments on the code state "validated in the constructor" so I think it's fair to assume implementers of |
This refers to this check here: IMO, the issue you are raising is more related to the code packaging/distribution. Someone able to tamper with the source code of this library could add all sorts of backdoors. If it is possible to change the hardcoded slot value, it would also be possible to remove any security check we add that double-checks the value. |
So, although I can get behind the last statement, then this raises the question - why does So what I'm trying to say is, if the current implementation values performing the validation as stated here Then why delegate said validation to the implementer when that is error-prone (i.e people forgetting) Note that, as I mentioned, I think the validation should be done and should not be delegated to implementing contracts (for the reasons exposed) just want to dig into the reasoning behind how the current implementation works and why. Hope that makes it more clear :D |
How so? We have this check in ERC1967Proxy. It's leftover from the original code before refactoring. If we no longer think this check is necessary then we should remove it from ERC1967Proxy, and I think also from TransparentUpgradeableProxy. I would be ok with removing the check and just hardcoding the constant with a comment explaining what it is. |
|
What I understand is that issue would arise if someone was to modify the slot that is hardcoded in For a check to work, the "attacker" would have to change the hardcoded value in If it was up to me, we would remove the check in |
|
I'm honestly still in favour of performing the check. Even if it's just as an additional security/regression check in case that, for example, a future version of the library accidentally changes one of the hardcoded values. Of course I would perform these checks at the |
|
IMO AFAIK, the only reason for it to be a contract is so that the event's description gets included in the final contract's ABI. Solidity is going to make that irrelevant. |
This is what the test suite is for though! This should be covered by the tests. |
That makes sense. |
frangio
changed the title
Following up on the forum discussion - thx for the answer and the note about abstract contracts and constructors Frangio!
The tl;dr is that I wanted to start a constructive discussion around the current implementation of ERC1967.
Particularly, I feel that not validating the storage slots at the
ERC1967Upgradecontract level and simply delegating the validation on the contracts implementing it can lead to people forgetting about the validation or to people deliberately "forgetting" - to, perhaps, change one of the slots to create a storage clash.I understand this last scenario might be out of the scope of the intention of the library but I also like to think about the library as a place that people can reference to "validate" code they find in the wild so I think the validation could serve as a way to raise awareness about the perils of using unstructured storage.
Looking forward to hearing your thoughts!
The text was updated successfully, but these errors were encountered: