|
|
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
|
// OpenZeppelin Contracts (last updated v4.8.3) (proxy/transparent/TransparentUpgradeableProxy.sol)
|
|
|
|
|
|
|
|
|
|
pragma solidity ^0.8.0;
|
|
|
|
|
|
|
|
|
|
import "../ERC1967/ERC1967Proxy.sol";
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev Interface for {TransparentUpgradeableProxy}. In order to implement transparency, {TransparentUpgradeableProxy}
|
|
|
|
|
* does not implement this interface directly, and some of its functions are implemented by an internal dispatch
|
|
|
|
|
* mechanism. The compiler is unaware that these functions are implemented by {TransparentUpgradeableProxy} and will not
|
|
|
|
|
* include them in the ABI so this interface must be used to interact with it.
|
|
|
|
|
*/
|
|
|
|
|
interface ITransparentUpgradeableProxy is IERC1967 {
|
|
|
|
|
function admin() external view returns (address);
|
|
|
|
|
|
|
|
|
|
function implementation() external view returns (address);
|
|
|
|
|
|
|
|
|
|
function changeAdmin(address) external;
|
|
|
|
|
|
|
|
|
|
function upgradeTo(address) external;
|
|
|
|
|
|
|
|
|
|
function upgradeToAndCall(address, bytes memory) external payable;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev This contract implements a proxy that is upgradeable by an admin.
|
|
|
|
|
*
|
|
|
|
|
* To avoid https://medium.com/nomic-labs-blog/malicious-backdoors-in-ethereum-proxies-62629adf3357[proxy selector
|
|
|
|
|
* clashing], which can potentially be used in an attack, this contract uses the
|
|
|
|
|
* https://blog.openzeppelin.com/the-transparent-proxy-pattern/[transparent proxy pattern]. This pattern implies two
|
|
|
|
|
* things that go hand in hand:
|
|
|
|
|
*
|
|
|
|
|
* 1. If any account other than the admin calls the proxy, the call will be forwarded to the implementation, even if
|
|
|
|
|
* that call matches one of the admin functions exposed by the proxy itself.
|
|
|
|
|
* 2. If the admin calls the proxy, it can access the admin functions, but its calls will never be forwarded to the
|
|
|
|
|
* implementation. If the admin tries to call a function on the implementation it will fail with an error that says
|
|
|
|
|
* "admin cannot fallback to proxy target".
|
|
|
|
|
*
|
|
|
|
|
* These properties mean that the admin account can only be used for admin actions like upgrading the proxy or changing
|
|
|
|
|
* the admin, so it's best if it's a dedicated account that is not used for anything else. This will avoid headaches due
|
|
|
|
|
* to sudden errors when trying to call a function from the proxy implementation.
|
|
|
|
|
*
|
|
|
|
|
* Our recommendation is for the dedicated account to be an instance of the {ProxyAdmin} contract. If set up this way,
|
|
|
|
|
* you should think of the `ProxyAdmin` instance as the real administrative interface of your proxy.
|
|
|
|
|
*
|
|
|
|
|
* NOTE: The real interface of this proxy is that defined in `ITransparentUpgradeableProxy`. This contract does not
|
|
|
|
|
* inherit from that interface, and instead the admin functions are implicitly implemented using a custom dispatch
|
|
|
|
|
* mechanism in `_fallback`. Consequently, the compiler will not produce an ABI for this contract. This is necessary to
|
|
|
|
|
* fully implement transparency without decoding reverts caused by selector clashes between the proxy and the
|
|
|
|
|
* implementation.
|
|
|
|
|
*
|
|
|
|
|
* WARNING: It is not recommended to extend this contract to add additional external functions. If you do so, the compiler
|
|
|
|
|
* will not check that there are no selector conflicts, due to the note above. A selector clash between any new function
|
|
|
|
|
* and the functions declared in {ITransparentUpgradeableProxy} will be resolved in favor of the new one. This could
|
|
|
|
|
* render the admin operations inaccessible, which could prevent upgradeability. Transparency may also be compromised.
|
|
|
|
|
*/
|
|
|
|
|
contract TransparentUpgradeableProxy is ERC1967Proxy {
|
|
|
|
|
/**
|
|
|
|
|
* @dev Initializes an upgradeable proxy managed by `_admin`, backed by the implementation at `_logic`, and
|
|
|
|
|
* optionally initialized with `_data` as explained in {ERC1967Proxy-constructor}.
|
|
|
|
|
*/
|
|
|
|
|
constructor(address _logic, address admin_, bytes memory _data) payable ERC1967Proxy(_logic, _data) {
|
|
|
|
|
_changeAdmin(admin_);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev Modifier used internally that will delegate the call to the implementation unless the sender is the admin.
|
|
|
|
|
*
|
|
|
|
|
* CAUTION: This modifier is deprecated, as it could cause issues if the modified function has arguments, and the
|
|
|
|
|
* implementation provides a function with the same selector.
|
|
|
|
|
*/
|
|
|
|
|
modifier ifAdmin() {
|
|
|
|
|
if (msg.sender == _getAdmin()) {
|
|
|
|
|
_;
|
|
|
|
|
} else {
|
|
|
|
|
_fallback();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev If caller is the admin process the call internally, otherwise transparently fallback to the proxy behavior
|
|
|
|
|
*/
|
|
|
|
|
function _fallback() internal virtual override {
|
|
|
|
|
if (msg.sender == _getAdmin()) {
|
|
|
|
|
bytes memory ret;
|
|
|
|
|
bytes4 selector = msg.sig;
|
|
|
|
|
if (selector == ITransparentUpgradeableProxy.upgradeTo.selector) {
|
|
|
|
|
ret = _dispatchUpgradeTo();
|
|
|
|
|
} else if (selector == ITransparentUpgradeableProxy.upgradeToAndCall.selector) {
|
|
|
|
|
ret = _dispatchUpgradeToAndCall();
|
|
|
|
|
} else if (selector == ITransparentUpgradeableProxy.changeAdmin.selector) {
|
|
|
|
|
ret = _dispatchChangeAdmin();
|
|
|
|
|
} else if (selector == ITransparentUpgradeableProxy.admin.selector) {
|
|
|
|
|
ret = _dispatchAdmin();
|
|
|
|
|
} else if (selector == ITransparentUpgradeableProxy.implementation.selector) {
|
|
|
|
|
ret = _dispatchImplementation();
|
|
|
|
|
} else {
|
|
|
|
|
revert("TransparentUpgradeableProxy: admin cannot fallback to proxy target");
|
|
|
|
|
}
|
|
|
|
|
assembly {
|
|
|
|
|
return(add(ret, 0x20), mload(ret))
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
super._fallback();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev Returns the current admin.
|
|
|
|
|
*
|
|
|
|
|
* TIP: To get this value clients can read directly from the storage slot shown below (specified by EIP1967) using the
|
|
|
|
|
* https://eth.wiki/json-rpc/API#eth_getstorageat[`eth_getStorageAt`] RPC call.
|
|
|
|
|
* `0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103`
|
|
|
|
|
*/
|
|
|
|
|
function _dispatchAdmin() private returns (bytes memory) {
|
|
|
|
|
_requireZeroValue();
|
|
|
|
|
|
|
|
|
|
address admin = _getAdmin();
|
|
|
|
|
return abi.encode(admin);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev Returns the current implementation.
|
|
|
|
|
*
|
|
|
|
|
* TIP: To get this value clients can read directly from the storage slot shown below (specified by EIP1967) using the
|
|
|
|
|
* https://eth.wiki/json-rpc/API#eth_getstorageat[`eth_getStorageAt`] RPC call.
|
|
|
|
|
* `0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc`
|
|
|
|
|
*/
|
|
|
|
|
function _dispatchImplementation() private returns (bytes memory) {
|
|
|
|
|
_requireZeroValue();
|
|
|
|
|
|
|
|
|
|
address implementation = _implementation();
|
|
|
|
|
return abi.encode(implementation);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev Changes the admin of the proxy.
|
|
|
|
|
*
|
|
|
|
|
* Emits an {AdminChanged} event.
|
|
|
|
|
*/
|
|
|
|
|
function _dispatchChangeAdmin() private returns (bytes memory) {
|
|
|
|
|
_requireZeroValue();
|
|
|
|
|
|
|
|
|
|
address newAdmin = abi.decode(msg.data[4:], (address));
|
|
|
|
|
_changeAdmin(newAdmin);
|
|
|
|
|
|
|
|
|
|
return "";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev Upgrade the implementation of the proxy.
|
|
|
|
|
*/
|
|
|
|
|
function _dispatchUpgradeTo() private returns (bytes memory) {
|
|
|
|
|
_requireZeroValue();
|
|
|
|
|
|
|
|
|
|
address newImplementation = abi.decode(msg.data[4:], (address));
|
|
|
|
|
_upgradeToAndCall(newImplementation, bytes(""), false);
|
|
|
|
|
|
|
|
|
|
return "";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev Upgrade the implementation of the proxy, and then call a function from the new implementation as specified
|
|
|
|
|
* by `data`, which should be an encoded function call. This is useful to initialize new storage variables in the
|
|
|
|
|
* proxied contract.
|
|
|
|
|
*/
|
|
|
|
|
function _dispatchUpgradeToAndCall() private returns (bytes memory) {
|
|
|
|
|
(address newImplementation, bytes memory data) = abi.decode(msg.data[4:], (address, bytes));
|
|
|
|
|
_upgradeToAndCall(newImplementation, data, true);
|
|
|
|
|
|
|
|
|
|
return "";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev Returns the current admin.
|
|
|
|
|
*
|
|
|
|
|
* CAUTION: This function is deprecated. Use {ERC1967Upgrade-_getAdmin} instead.
|
|
|
|
|
*/
|
|
|
|
|
function _admin() internal view virtual returns (address) {
|
|
|
|
|
return _getAdmin();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dev To keep this contract fully transparent, all `ifAdmin` functions must be payable. This helper is here to
|
|
|
|
|
* emulate some proxy functions being non-payable while still allowing value to pass through.
|
|
|
|
|
*/
|
|
|
|
|
function _requireZeroValue() private {
|
|
|
|
|
require(msg.value == 0);
|
|
|
|
|
}
|
|
|
|
|
}
|
