Full Smart Contract Upgradeability Discussion

#1

Welcome to the discussion thread about this lecture section. Here you can feel free to discuss the topic at hand and ask questions.

#2

I just started this section and watched the “What was wrong with our simple Proxy?” video and I’m wondering if you can do mappings of mappings? In other words the question in my mind that I suspect may be answered eventually is how to handle adding an accounts in a contract upgrade.

#3

Yes you can do mapping to mapping. Not a problem.

#4

Sweet.

In lecture https://ivanontech.teachable.com/courses/541331/lectures/10064285 you mentioned near the end of the video that you would include a link to understand the low level assembly better. I’m not sure where to find the link.

#5

Sorry about that. I will update the lecture, here is the link: https://solidity.readthedocs.io/en/v0.5.2/assembly.html

#6

@filip, it would be nice to have the demo code running within in the truffle unit test. At least, it’s worth having mention that truffle migration scripts are not the best place for the demo code (querying the dogs count, console logging, etc.)

** in my opinion, of course

1 Like
#7

@filip, one more question. I came across some articles about the “selector clash” (selector collision) vulnerability.

It would be nice to have

  1. Some coverage of this attack in the course
  2. Some explanation (maybe here as a reply) on “Can the proxy contract showcased in this course be exploited by the selector clash”.
    (Unfortunately, I still need some help figuring this out. I’ll let you know if I get any insights, though).

UPD

– If the caller is the admin of the proxy, the proxy will not delegate any calls, and will only answer management messages it understands.
– If the caller is any other address, the proxy will always delegate the call, no matter if it matches one of the proxy’s own functions.

Seems like this is the recommendation to avoid the “selector clash” exploits.

1 Like
#8

P.S. Thanks for great content, @filip, @ivan . I’m really enjoying this security course. You’ve found a right balance for it being not too complicated and giving a good structure to student’s prior knowledge (if any).

1 Like
#9

Thank you very much for your feedback and your kind words about the course. We are happy to hear that you enjoyed it.

About the migration vs test. Yes, I agree with you. But I didn’t want to introduce a new layer of complexity, the testing suite of truffle, in this course. There will be a truffle testing course coming later this year.

Thanks for sending that Fascinating attack angle indeed, there are so many weird loopholes and exploits in smart contracts that we have to be aware of.

I could definitely update the course in the future with that in mind. Seems like it’s more of an exploit that can be carried out by a malicious contract creator rather than anyone just calling our functions. So the owner could potentially hide functionality behind weird function names. But it’s not something that makes our proxy contracts potential targets.

I see that you already found the solution to avoid the selector clash, great!