Merge pull request #11783 from ethereum/authorized_proxies

Authorized Proxies
This commit is contained in:
chriseth 2021-08-12 16:18:16 +02:00 committed by GitHub
commit 23b16a1e20
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -193,6 +193,39 @@ Note that ``.send()`` does **not** throw an exception if the call stack is
depleted but rather returns ``false`` in that case. The low-level functions
``.call()``, ``.delegatecall()`` and ``.staticcall()`` behave in the same way.
Authorized Proxies
==================
If your contract can act as a proxy, i.e. if it can call arbitrary contracts
with user-supplied data, then the user can essentially assume the identity
of the proxy contract. Even if you have other protective measures in place,
it is best to build your contract system such that the proxy does not have
any permissions (not even for itself). If needed, you can accomplish that
using a second proxy:
.. code-block:: solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;
contract ProxyWithMoreFunctionality {
PermissionlessProxy proxy;
function callOther(address _addr, bytes memory _payload) public
returns (bool, bytes memory) {
return proxy.callOther(_addr, _payload);
}
// Other functions and other functionality
}
// This is the full contract, it has no other functionality and
// requires no privileges to work.
contract PermissionlessProxy {
function callOther(address _addr, bytes memory _payload) public
returns (bool, bytes memory) {
return _addr.call(_payload);
}
}
tx.origin
=========