⚠️ This is a patch for a low severity vulnerability. For more information visit the security advisory.
Initializable: change the existinginitializermodifier and add a newonlyInitializingmodifier to prevent reentrancy risk. (#3006)
Breaking change
It is no longer possible to call an initializer-protected function from within another initializer function outside the context of a constructor. Projects using OpenZeppelin upgradeable proxies should continue to work as is, since in the common case the initializer is invoked in the constructor directly. If this is not the case for you, the suggested change is to use the new onlyInitializing modifier in the following way:
contract A {
- function initialize() public initializer { ... }
+ function initialize() internal onlyInitializing { ... }
}
contract B is A {
function initialize() public initializer {
A.initialize();
}
}