When verifying upgradeable contract: "Bytecode does not match with the current version of ERC1967Proxy in the Hardhat Upgrades plugin"

[SKYBITDev3]

I deployed an ERC1967Proxy proxy contract and implementation without using hardhat-upgrades.
Then I tried to verify the contracts using await run("verify:verify", { address, constructorArguments }), but got the above error.

I noticed that the artifact ERC1967Proxy is obtained from @openzeppelin/upgrades-core:

openzeppelin-upgrades/packages/plugin-hardhat/src/verify-proxy.ts

Line 17 in a41b431

import ERC1967Proxy from '@openzeppelin/upgrades-core/artifacts/@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol/ERC1967Proxy.json';

If I use that version then Etherscan shows a warning when viewing ERC1967Proxys source code:

The compiled contract might be susceptible to FullInlinerNonExpressionSplitArgumentEvaluationOrder (low-severity), MissingSideEffectsOnSelectorAccess (low-severity), AbiReencodingHeadOverflowWithStaticArrayCleanup (medium-severity), DirtyBytesArrayToStorage (low-severity), DataLocationChangeInInternalOverride (very low-severity), NestedCalldataArrayAbiReencodingSizeValidation (very low-severity) Solidity Compiler Bugs.

The contract was compiled with solidity v0.8.9+commit.e5eed63a, which would be the reason for the warnings and bytcode mismatch. I use the latest version of solidity (0.8.21).

Please fix this issue. Thank you.

[ericglau]

The Hardhat Upgrades plugin can only verify proxy source code for proxies that were deployed by the plugin. This is because verification requires the exact compiler settings which were used to compile the proxy, and those compiler settings (along with the source code) are provided by the plugin during Etherscan verification to match the proxy bytecode that it deployed.

If you deploy proxy contracts without using the plugin, you would need to verify them manually.

However, generally there is no need to deploy newer versions of the proxy contracts than the ones provided by the plugin. We don't believe that any of the above compiler bugs affect the proxies. If compiler bugs or other vulnerabilities are discovered to affect the proxy contracts, we would publish a security advisory for OpenZeppelin Contracts https://github.com/OpenZeppelin/openzeppelin-contracts/security/advisories and would update the plugin to use the newer proxies as needed.

[SKYBITDev3]

The latest release of @openzeppelin/contracts is v4.9.3 but openzeppelin-upgrades is still using v4.8.3:

openzeppelin-upgrades/packages/core/package.json

Line 41 in 483a43f

"@openzeppelin/contracts": "4.8.3",

You should keep it up-to-date.

[ericglau]

While some source files have been modified (including for contracts that the proxies depend on) between OpenZeppelin Contracts v4.8.3 and v4.9.3, those specific changes were not deemed to affect proxy functionality.

We generally do not update the version of the proxies used in the Hardhat plugin unless there are changes that affect the proxies. Updating the versions unnecessarily (if functionality does not change) would cause more difficulties for users.

For example, a benefit of keeping proxy bytecode the same is that many proxy deployments would automatically have "Similar Match Source Code" verified on Etherscan and related block explorers if they were verified by other users before.

As another example, the Hardhat plugin (as mentioned above) verifies proxy source code with the same bytecode that it deploys. If a user deploys a proxy but did not verify it, then updates the plugin with updated proxy source code, the verify task would not work because the plugin's updated proxy source code does not match with what was previous deployed. There is an issue #674 to improve this.