Introducing OpenZeppelin Contracts v4.9
OpenZeppelin Contracts is considered the gold-standard open-source library for secure smart contract development since 2016. As our 75th release and the most heavily tested ever, Contracts v4.9 further empowers Web3 projects to reduce risk and increase productivity through standardized, battle-tested, and community-reviewed code.
Contracts v4.9 is the final release of OpenZeppelin Contracts that will be backward compatible with previous v4.x releases. Next up is Contracts v5.0.
- 4.9 is the most heavily tested release OpenZeppelin has ever shipped.
- Optimism, Base, and Avalanche support for Governor.
- Protection out-of-the-box against inflation attacks on ERC-4626 Tokenized Vaults.
- Improved default AccessControl to better handle the default admin role.
- Enhanced interoperability for signatures in Web3 applications, using eip712Domain().
- Upgrades plugins - fewer false positives scanning for issues in upgradeable proxies.
The Most Secure Contracts Release
In an effort to continue to raise the standard of security across blockchain development, OpenZeppelin ran a battery of tests, and novel security techniques on the latest update to the most-used contracts library. In addition to maintaining test coverage above 99%, OpenZeppelin performed an extensive security audit for all new contracts as part of Contracts v4.9. On suitable contracts, the team also introduced new testing techniques such as formal verification and fuzzing.
Optimism and Avalanche Support for Governor
Governor contracts provide DAOs with a standard for on-chain governance, and previously relied on block numbers to measure passage of time. This worked on Mainnet but not on all rollups and sidechains. Contracts v4.9 adds this more user-friendly time measurement method to make Governor more compatible and extensible, using timestamps to bring support to Optimism, Avalanche, and new chains such as Base.
Protection Against Inflation Attacks
ERC-4626: Tokenized Vaults standardizes the ability to lock tokens into a contract for lending pools and other interest-bearing tokens. Until Contracts v4.9, developers needed to follow documentation to protect against inflation attacks on tokenized vaults. The “offset” approach mentioned in the docs is now included in ERC-4626 by default and enables these abilities from within the code.
Improved Security Practices for AccessControl
To promote security best practices, we have implemented a set of AccessControl admin rules in code, which developers can use out of the box to secure their permissioning setup. The new system ensures that only one account and role can act as admin, with a two-step transfer process to ensure the default admin is never lost. There is also a configurable delay between admin transfers to reduce the risk of contract theft.
Enhanced Interoperability For Signatures in Web3 Applications
Contracts v4.9 is out-of-the-box compliant with EIP-5267, introducing a new function eip712Domain() that exposes EIP-712 domain details to applications. The result makes it easier for modern Web3 applications to interact with smart contracts that use signatures in a generalized and scalable way.
Upgrades Plugins Checks for Upgradeable Proxies
Proxy-based upgrade patterns can lead to errors when it comes to upgrading contracts and maintaining consistent storage layouts. In the worst cases, the results can be catastrophic. Upgrades plugins include checks to ensure proper proxy deployment and protect subsequent upgrades, by ensuring storage layout consistency and guarding against collisions and other issues. Recent changes have reduced the rate of false positives, causing less friction during the development process.
Up Next: Contracts v5.0
The next release of OpenZeppelin Contracts will be v5.0, our first major release since v4.0 in 2021. Later this year, we expect to deliver the leanest, most efficient, and most secure version of OpenZeppelin Contracts yet.
As always, security will remain top of mind, and we will continue to evolve and improve our internal and external testing processes. At the same time, we continue to work especially hard to take maximum advantage of the “major release” opportunity to ship non-backward-compatible upgrades, helping modernize Contracts and the Solidity ecosystem.
How Can I Access The Updates?
Here are a few ways to get involved with the latest improvements to the most-trusted smart contracts libraries:
- Start a new project using OpenZeppelin v4.9! Check out the docs and get started with the Wizard!
- Download the latest NPM package to get started with the most secure version of the contracts library.
- Get involved in the OpenZeppelin developer community and comment on the GitHub repo.
- Join the discussion on the Developer Forum to share your insights, ask questions, and interact with the Contracts team.
- Follow OpenZeppelin on Twitter to stay up to date on the latest improvements, releases, and security best practices.
As OpenZeppelin continues to set the standard for secure blockchain development, we encourage developers and builders to always remain current on the latest smart contracts updates.
Get started using the latest version of OpenZeppelin Contracts v4.9 by installing from npm:
$ npm install @openzeppelin/contracts
Or by visiting the Contracts Wizard.