Skip to content

Instantly share code, notes, and snippets.

@GNSPS
Last active December 11, 2024 21:58
Show Gist options
  • Save GNSPS/ba7b88565c947cfd781d44cf469c2ddb to your computer and use it in GitHub Desktop.
Save GNSPS/ba7b88565c947cfd781d44cf469c2ddb to your computer and use it in GitHub Desktop.
Improved `delegatecall` proxy contract factory (Solidity) [v0.0.5]
/***
* Shoutouts:
*
* Bytecode origin https://www.reddit.com/r/ethereum/comments/6ic49q/any_assembly_programmers_willing_to_write_a/dj5ceuw/
* Modified version of Vitalik's https://www.reddit.com/r/ethereum/comments/6c1jui/delegatecall_forwarders_how_to_save_5098_on/
* Credits to Jorge Izquierdo (@izqui) for coming up with this design here: https://gist.github.com/izqui/7f904443e6d19c1ab52ec7f5ad46b3a8
* Credits to Stefan George (@Georgi87) for inspiration for many of the improvements from Gnosis Safe: https://github.com/gnosis/gnosis-safe-contracts
*
* This version has many improvements over the original @izqui's library like using REVERT instead of THROWing on failed calls.
* It also implements the awesome design pattern for initializing code as seen in Gnosis Safe Factory: https://github.com/gnosis/gnosis-safe-contracts/blob/master/contracts/ProxyFactory.sol
* but unlike this last one it doesn't require that you waste storage on both the proxy and the proxied contracts (v. https://github.com/gnosis/gnosis-safe-contracts/blob/master/contracts/Proxy.sol#L8 & https://github.com/gnosis/gnosis-safe-contracts/blob/master/contracts/GnosisSafe.sol#L14)
*
*
* v0.0.2
* The proxy is now only 60 bytes long in total. Constructor included.
* No functionalities were added. The change was just to make the proxy leaner.
*
* v0.0.3
* Thanks @dacarley for noticing the incorrect check for the subsequent call to the proxy. ๐Ÿ™Œ
* Note: I'm creating a new version of this that doesn't need that one call.
* Will add tests and put this in its own repository soonโ„ข.
*
* v0.0.4
* All the merit in this fix + update of the factory is @dacarley 's. ๐Ÿ™Œ
* Thank you! ๐Ÿ˜„
*
* v0.0.5
* Huge design problem was overwriting the last 9 bytes of you extra "_data" array with zeros! ๐Ÿ˜ฑ
* If you had this deployed please redeploy the updated version.
*
* Potential updates can be found at https://gist.github.com/GNSPS/ba7b88565c947cfd781d44cf469c2ddb
*
***/
pragma solidity 0.4.19;
/* solhint-disable no-inline-assembly, indent, state-visibility, avoid-low-level-calls */
contract ProxyFactory {
event ProxyDeployed(address proxyAddress, address targetAddress);
event ProxiesDeployed(address[] proxyAddresses, address targetAddress);
function createManyProxies(uint256 _count, address _target, bytes _data)
external
{
address[] memory proxyAddresses = new address[](_count);
for (uint256 i = 0; i < _count; ++i) {
proxyAddresses[i] = createProxyImpl(_target, _data);
}
ProxiesDeployed(proxyAddresses, _target);
}
function createProxy(address _target, bytes _data)
external
returns (address proxyContract)
{
proxyContract = createProxyImpl(_target, _data);
ProxyDeployed(proxyContract, _target);
}
function createProxyImpl(address _target, bytes _data)
internal
returns (address proxyContract)
{
assembly {
let contractCode := mload(0x40) // Find empty storage location using "free memory pointer"
mstore(add(contractCode, 0x0b), _target) // Add target address, with a 11 bytes [i.e. 23 - (32 - 20)] offset to later accomodate first part of the bytecode
mstore(sub(contractCode, 0x09), 0x000000000000000000603160008181600b9039f3600080808080368092803773) // First part of the bytecode, shifted left by 9 bytes, overwrites left padding of target address
mstore(add(contractCode, 0x2b), 0x5af43d828181803e808314602f57f35bfd000000000000000000000000000000) // Final part of bytecode, offset by 43 bytes
proxyContract := create(0, contractCode, 60) // total length 60 bytes
if iszero(extcodesize(proxyContract)) {
revert(0, 0)
}
// check if the _data.length > 0 and if it is forward it to the newly created contract
let dataLength := mload(_data)
if iszero(iszero(dataLength)) {
if iszero(call(gas, proxyContract, 0, add(_data, 0x20), dataLength, 0, 0)) {
revert(0, 0)
}
}
}
}
}
/***
*
* PROXY contract (bytecode)
603160008181600b9039f3600080808080368092803773f00df00df00df00df00df00df00df00df00df00d5af43d828181803e808314602f57f35bfd
*
* PROXY contract (opcodes)
0 PUSH1 0x31
2 PUSH1 0x00
4 DUP2
5 DUP2
6 PUSH1 0x0b
8 SWAP1
9 CODECOPY
10 RETURN
11 PUSH1 0x00
13 DUP1
14 DUP1
15 DUP1
16 DUP1
17 CALLDATASIZE
18 DUP1
19 SWAP3
20 DUP1
21 CALLDATACOPY
22 PUSH20 0xf00df00df00df00df00df00df00df00df00df00d
43 GAS
44 DELEGATECALL
45 RETURNDATASIZE
46 DUP3
47 DUP2
48 DUP2
49 DUP1
50 RETURNDATACOPY
51 DUP1
52 DUP4
53 EQ
54 PUSH1 0x2f
56 JUMPI
57 RETURN
58 JUMPDEST
59 REVERT
*
***/
@mo9527
Copy link

mo9527 commented Jun 7, 2018

Can you upload the test code? please

@mohoff
Copy link

mohoff commented Jun 8, 2018

Yea, so my factory contract is as above. The proxy contract:

pragma solidity 0.4.19;

contract Master { 
  uint public test = 9999;

  function init()
      public
  {
      test = 12345;
  }

  function ()
      external
      payable
  {
      revert(); 
  }
}

The deployment and creation of the proxy contract goes well, but then calling init() fails. This is the method I'm running: master.methods.init().send({from: owner, gas: 7000000}) using [email protected] out of the box. The created artifacts are from [email protected] which comes with [email protected] (to match the pragma from this gist).

The result is:

{
  "message": "Method not found",
  "code": -32601
}

This is a corresponding tx: https://rinkeby.etherscan.io/tx/0x4684a6c116d36732687c25fca0f46281449c1d735417864281a8924a0c5b3c17

In case I remove the gas parameter from the send() method above, the output becomes:

Error: Transaction execution error.
Internal("Requires higher than upper limit of 80000000")

Some Github issues claim that's because estimateGas fails.

Any help appreciated :)

@ulcuber
Copy link

ulcuber commented Jun 26, 2018

mstore(sub(contractCode, 0x09)
Seems like it writes 9 bytes of zeros before the free memory location. Is it safety?
I see it like this

/* Memory allocation
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++contractCode
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------------------------------------------
----------------------------------------------------------------++++++++++++++++++++++000000000000000000000000f00df00df00df00df00df00df00df00df00df00d
----------------------------------------------000000000000000000603160008181600b9039f3600080808080368092803773
----------------------------------------------------------------++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------5af43d828181803e808314602f57f35bfd000000000000000000000000000000
 */

@GNSPS
Copy link
Author

GNSPS commented Jul 15, 2018

@ulcuber Definitely not safe! ๐Ÿ˜ฑ

Bad design stemming from the proxy functions not being there in the first iteration! If you're sending a data bytes array that is padded to 32 bytes, last 9 bytes will be overwritten!

Maybe this is the problem you're facing @mohoff?

CC @dacarley for awareness

P.S.: Updating the code now.

@GNSPS
Copy link
Author

GNSPS commented Jul 24, 2018

To be clear, the unsafeness of this is just because this contract may be inherited and someone calling the function from within its child may get corrupted memory contents but now that I check closely neither is the free memory pointer being updated at the end so the problem still stands.

The point being that whoever was using this contract as was without inheriting it is totally fine and honestly I'm gonna revert the change since I feel that these functions should instead be considered external.

@rmeissner
Copy link

Was playing around with this for the GnosisSafe and used the following to generate the contractcode without the "unsafeness"

function buildProxyCode(address masterCopy)
        public
        pure
        returns (bytes contractCode)
    {
        contractCode = abi.encodePacked(
            bytes23(0x603160008181600b9039f3600080808080368092803773), 
            masterCopy, 
            bytes17(0x5af43d828181803e808314602f57f35bfd)
        ); 
    }

@benjaminaaron
Copy link

Something happens in that createProxyImpl() function that doesn't let me deploy to Rinkeby via Infura or via my own Geth node. With local Ganache it works though. I am on pragma solidity ^0.5.0. Any idea what I have to change?

@vporton
Copy link

vporton commented Dec 19, 2020

Which function does call(gas, proxyContract, 0, add(_data, 0x20), dataLength, 0, 0) call?

@vporton
Copy link

vporton commented Dec 19, 2020

Excuse me for a stupid question, but is this safe or unsafe to inherit from this contract and call its functions?

@GNSPS
Copy link
Author

GNSPS commented Dec 21, 2020

Which function does call(gas, proxyContract, 0, add(_data, 0x20), dataLength, 0, 0) call?

It calls whatever function you want! ๐Ÿ˜„ Just need to specify the correct function ID as the first 4 bytes of the calldata you pass along! ๐Ÿ‘

@GNSPS
Copy link
Author

GNSPS commented Dec 21, 2020

Excuse me for a stupid question, but is this safe or unsafe to inherit from this contract and call its functions?

Yeah, that should be perfectly OK! ๐Ÿ‘ However, I'd probably deploy this somewhere on mainnet and just call it with an external call from another contract.
That way you prevent bloating the other contract and save some deployment costs. ๐Ÿ˜„ ๐Ÿ‘

@vieyang
Copy link

vieyang commented Jul 9, 2021

And I add a ProxyRouter contract. https://gist.github.com/VieYang/44143dd927c6bd6c09a21672fdc6ebc9

Is there something error? thank you.

@vieyang
Copy link

vieyang commented Jul 9, 2021

about add(_data, 0x20), why add 0x20 for _data?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment