Merge branch 'master' into feat/access-manager-enumerable

Author: Amxx

.changeset/full-emus-hear.md

@@ -0,0 +1,5 @@
+---
+'openzeppelin-solidity': minor
+---
+
+`Account`: Update default version of the ERC-4337 entrypoint to v0.9.

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 ### Breaking changes
 
+- `ERC1967Proxy` and `TransparentUpgradeableProxy`: Mandate initialization during construction. Deployment now reverts with `ERC1967ProxyUninitialized` if an initialize call is not provided. Developers that rely on the previous behavior and want to disable this check can do so by overriding the internal `_unsafeAllowUninitialized` function to return true.
+- `ERC721` and `ERC1155`: Prevent setting an operator for `address(0)`. In the case of `ERC721` this type of operator allowance could lead to obfuscated mint permission.
 - `RLP`: The `encode(bytes32)` function now encodes `bytes32` as a fixed size item and not as a scalar in `encode(uint256)`. Users must replace calls to `encode(bytes32)` with `encode(uint256(bytes32))` to preserve the same behavior.
 
 ## 5.5.0 (2025-10-31)

contracts/account/Account.sol

@@ -50,7 +50,7 @@ abstract contract Account is AbstractSigner, IAccount {
      * @dev Canonical entry point for the account that forwards and validates user operations.
      */
     function entryPoint() public view virtual returns (IEntryPoint) {
-        return ERC4337Utils.ENTRYPOINT_V08;
+        return ERC4337Utils.ENTRYPOINT_V09;
     }
 
     /**

contracts/account/utils/draft-ERC4337Utils.sol

@@ -27,6 +27,9 @@ library ERC4337Utils {
     /// @dev Address of the entrypoint v0.8.0
     IEntryPoint internal constant ENTRYPOINT_V08 = IEntryPoint(0x4337084D9E255Ff0702461CF8895CE9E3b5Ff108);
 
+    /// @dev Address of the entrypoint v0.9.0
+    IEntryPoint internal constant ENTRYPOINT_V09 = IEntryPoint(0x433709009B8330FDa32311DF1C2AFA402eD8D009);
+
     /// @dev For simulation purposes, validateUserOp (and validatePaymasterUserOp) return this value on success.
     uint256 internal constant SIG_VALIDATION_SUCCESS = 0;
 

contracts/mocks/proxy/ERC1967ProxyUnsafe.sol

@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: MIT
+
+pragma solidity ^0.8.22;
+
+import {ERC1967Proxy} from "../../proxy/ERC1967/ERC1967Proxy.sol";
+
+contract ERC1967ProxyUnsafe is ERC1967Proxy {
+    constructor(address implementation, bytes memory _data) payable ERC1967Proxy(implementation, _data) {}
+
+    function _unsafeAllowUninitialized() internal pure override returns (bool) {
+        return true;
+    }
+}

contracts/proxy/ERC1967/ERC1967Proxy.sol

@@ -13,17 +13,28 @@ import {ERC1967Utils} from "./ERC1967Utils.sol";
  * implementation behind the proxy.
  */
 contract ERC1967Proxy is Proxy {
+    /**
+     * @dev The proxy is left uninitialized.
+     */
+    error ERC1967ProxyUninitialized();
+
     /**
      * @dev Initializes the upgradeable proxy with an initial implementation specified by `implementation`.
      *
-     * If `_data` is nonempty, it's used as data in a delegate call to `implementation`. This will typically be an
-     * encoded function call, and allows initializing the storage of the proxy like a Solidity constructor.
+     * Provided `_data` is passed in a delegate call to `implementation`. This will typically be an encoded function
+     * call, and allows initializing the storage of the proxy like a Solidity constructor. By default construction
+     * will fail if `_data` is empty. This behavior can be overridden using a custom {_unsafeAllowUninitialized} that
+     * returns true. In that case, empty `_data` is ignored and no delegate call to the implementation is performed
+     * during construction.
      *
      * Requirements:
      *
      * - If `data` is empty, `msg.value` must be zero.
      */
     constructor(address implementation, bytes memory _data) payable {
+        if (!_unsafeAllowUninitialized() && _data.length == 0) {
+            revert ERC1967ProxyUninitialized();
+        }
         ERC1967Utils.upgradeToAndCall(implementation, _data);
     }
 
@@ -37,4 +48,15 @@ contract ERC1967Proxy is Proxy {
     function _implementation() internal view virtual override returns (address) {
         return ERC1967Utils.getImplementation();
     }
+
+    /**
+     * @dev Returns whether the proxy can be left uninitialized.
+     *
+     * NOTE: Override this function to allow the proxy to be left uninitialized.
+     * Consider uninitialized proxies might be susceptible to man-in-the-middle threats
+     * where the proxy is replaced with a malicious one.
+     */
+    function _unsafeAllowUninitialized() internal pure virtual returns (bool) {
+        return false;
+    }
 }

contracts/token/ERC1155/ERC1155.sol

@@ -356,6 +356,9 @@ abstract contract ERC1155 is Context, ERC165, IERC1155, IERC1155MetadataURI, IER
      * - `operator` cannot be the zero address.
      */
     function _setApprovalForAll(address owner, address operator, bool approved) internal virtual {
+        if (owner == address(0)) {
+            revert ERC1155InvalidApprover(address(0));
+        }
         if (operator == address(0)) {
             revert ERC1155InvalidOperator(address(0));
         }

contracts/token/ERC721/ERC721.sol

@@ -407,6 +407,9 @@ abstract contract ERC721 is Context, ERC165, IERC721, IERC721Metadata, IERC721Er
      * Emits an {ApprovalForAll} event.
      */
     function _setApprovalForAll(address owner, address operator, bool approved) internal virtual {
+        if (owner == address(0)) {
+            revert ERC721InvalidApprover(address(0));
+        }
         if (operator == address(0)) {
             revert ERC721InvalidOperator(operator);
         }

contracts/utils/Base64.sol

@@ -208,7 +208,7 @@ library Base64 {
                 // slither-disable-next-line incorrect-shift
                 if iszero(and(shl(d, 1), 0xffffffd0ffffffc47ff5)) {
                     mstore(0, errorSelector)
-                    mstore(4, add(d, 43))
+                    mstore(4, shl(248, add(d, 43)))
                     revert(0, 0x24)
                 }