Migrating to aragonOS 4 from aragonOS 3
Last updated
Was this helpful?
Aragon Legacy Documentation
Last updated
Was this helpful?
All contracts inheriting from AragonApp must now use at least pragma solidity 0.4.24.
All AragonApps must now be initialized before they can be used to prevent uninitialized contracts that may be maliciously initialized by someone else. Trying to access auth() or authP() protected functionality in uninitialized apps will now revert.
If your app didn't already require initialization then you'll need to include the following function in your app:
And use it in a template when installing the app:
To optimize the gas costs of deploying base and proxy contracts as well as simplify public interfaces on tools like etherscan, we've pruned most public constants that would be unnecessary on-chain. This is most likely to only affect any existing tests that expect some constants to be exposed publicly in your contract and can be fixed by either creating mocks or duplicating the constants in the tests.
An argument was added to the longer overloads of newAppInstance() and newPinnedAppInstance() to include an initialization payload so the new proxy instance could be created and initialized in one atomic call. The new arguments list for the longer overloads is (byte32 appId, address appBase, bytes initializePayload, bool setDefault).
AragonApp.getExecutor(bytes) has been renamed getEVMScriptExecutor(bytes) and has getEVMScriptRegistry() exposed alongside it.
By default, all AragonApps are petrified on deployment and can only be used behind a proxy.
AragonApps that use any functionality requiring a Kernel (e.g. auth(), EVMScripts, or the recovery mechanism) now require the app instance to be connected to a Kernel. Frankly, if you're not using any of this functionality, you probably shouldn't be inheriting from AragonApp.
The old behaviour used to be that functionality protected by the auth() or authP() modifiers could still be invoked if the app instance wasn't connected to a Kernel. This was unexpected and confusing behaviour, possibly leading to dangerous situations, and was removed.
Using AragonApp.runScript(bytes, bytes, address[]) requires an application to be initialized, and each EVMScript executor contract now also checks if its caller has been initialized to prevent malicious misuse from unintended users.
Both DelegateScript and DeployDelegateScript were found to be insecure and have been removed. Although they were still protected by the ACL, the potential for damage was too high due to the fact that they delegatecalled into a user-submitted address.
All AragonApps now have built-in ETH and token recoverability in case they accidentally receive value. A transferToVault(address) interface is exposed externally to allow someone to send the tokens held by an app instance to the default vault set in the Kernel.
An allowRecoverability(address) hook is exposed to allow overloading in AragonApp subclasses to control the recoverability behaviour. For example, if an application is meant to hold tokens or ETH, it should turn off the recoverability behaviour for any accepted tokens so they can't be maliciously transferred to another app, even if it is the default vault.
By default, it is impossible to send ETH to an app proxy instance (assuming it is one of AppProxyUpgradeable or AppProxyPinned) through a gas-limited .send() or .transfer(). This only applies to proxy instances because you can always declare your own payable fallback in AragonApp subclasses.
If your application would like its proxies to be able to directly receive ETH through .send() or .transfer(), however, you can use AragonApp.setDepositable(true) at some point to enable this functionality.
Good example use cases of this are in applications that need to hold value like a vault or fundraising contract. A vault would always want to accept direct transfers so it calls setDepositable(true) upon initialization. A fundraising application, however, would likely only want to enable it for the duration of the fundraising period, so it only calls setDepositable(true) as the period starts and calls setDepositable(false) when the period ends.
The auth() and authP() modifiers now also check for isInitialized() so you don't have to use both modifiers anymore.
The Kernel's storage of apps and their namespacing was revamped to use a mapping of a mapping approach rather than a single mapping whose key was derived from a hash of the namespace and app name.
This is not only cheaper but also makes inspection and debugging much easier as the storage location for a particular app requires less steps to derive.
KernelConstants has also been split into and , although it is unlikely your app was directly inheriting from KernelConstants.
This was chosen as a sane default as it is unlikely you'd want to directly deploy, install, and use a base contract instance of an app rather than a proxy instance, but it is also possible to turn this off by inheriting from instead.
The and implementations were removed. You should import these contracts into your own project if you would like to continue to use them.
If you'd like to see what this looks like in practice, you can visit .
All the apps in were upgraded to aragonOS 4. Most have not changed much with very few external interface differences. If you were using old versions of them such as in an organization template, however, then you may have to adjust to small differences in their APIs.
The most notable change is with the which was massively simplified and made much easier to secure than the previous implementation. If you had trouble integrating with the previous Vault, this one should be much simpler to use and understand.
For more information see the .
It is recommended to use the new and utilities to safely get values for time variables (e.g. now) and convert between uint units. These also provide a standard interface that allow you to easily create mocks for changing the time returned during testing.
is also recommended to use as the "address" for ETH when an application can handle both tokens and ETH.
App proxies ( and ) are now implemented through .
This means contracts inheriting from AragonApp now start their storage directly from rather than an arbitrary value (in aragonOS 3 it was slot 100), making it much easier to inspect, debug, and swap out proxy implementations. This also makes it much easier for aragonOS to add more functionality in the future without requiring data migrations.
As pointed out at , mappings of structs are much easier to upgrade at later dates than arrays of structs because the data isn't packed tightly. All aragonOS internal and official aragon apps now use this pattern of emulating arrays through mappings.