The Future of Upgradable Contracts: Modular vs. Monolithic

The original OZ pattern that routes all calls through a proxy, checking the caller against an admin address for every single transaction. This creates a persistent gas overhead for all users.

• Key Drawback: ~2.4k-5k gas overhead on every user call for admin checks.
• Security Model: Centralized admin key is a single point of failure and a high-value target.

Universal Upgradeable Proxy Standard embeds upgrade logic in the implementation contract itself, not the proxy. This removes the per-call admin check overhead, making it the most gas-efficient mainstream pattern.

• Key Benefit: Zero runtime gas overhead for regular users after deployment.
• Critical Risk: If the implementation lacks upgrade function or has a bug, the proxy is permanently frozen. Used by major protocols like Aave and Compound.

EIP-2535 introduces a proxy that maps function selectors to multiple logic contracts (facets). This enables modular, granular upgrades without full contract replacement.

• Key Benefit: Can upgrade/add specific functions without migrating $1B+ TVL.
• Key Cost: Significant +40% deployment gas and complex tooling. Adopted by NFTX and Aave Gotchi for extreme modularity.

The dominant solution, using a minimal proxy contract that delegates logic to a separate, mutable implementation. It's a trusted upgrade model where users must trust the admin key.

• Key Benefit: Enables seamless, low-gas user migrations and rapid feature iteration.
• Key Risk: Centralized admin key becomes a $10B+ single point of failure (see UST depeg, Compound governance bug).

A single proxy contract that can host multiple, swappable logic contracts (facets). This enables granular, function-level upgrades without full contract replacement.

• Key Benefit: Eliminates contract size limits and allows for modular, Lego-like protocol development.
• Key Trade-off: Introduces significant implementation complexity and audit surface; adopted by Aave Gotchi and early Frax Finance iterations.

The Uniswap V3 model: freeze the core AMM logic, but enable all new features via peripheral, upgradeable manager contracts. Users opt-in to new risk.

• Key Benefit: Maximum trust minimization for core value (liquidity), while permitting innovation on the edges (e.g., UniswapX).
• Key Constraint: Can lead to fragmented liquidity and UX across different peripheral services.

Not a technical pattern, but a critical procedural control. All upgrades are proposed via governance and execute only after a mandatory delay (e.g., 2-7 days).

• Key Benefit: Provides a last-resort escape hatch for users to exit before a potentially malicious upgrade.
• Key Reality: Creates a strategic lag in responding to exploits, as seen in multiple Compound and MakerDAO incidents.

In the Cosmos ecosystem, CosmWasm smart contracts have upgradeability baked into the VM layer. Governance votes can directly migrate contract code.

• Key Benefit: Standardized, chain-level primitive removes custom proxy logic and reduces audit blind spots.
• Key Differentiator: Upgrades are permissioned by governance, not a single admin key, aligning with the chain's political philosophy.

The frontier: upgrade mechanisms where new logic must cryptographically prove its correctness relative to the old (e.g., via validity proofs or on-chain verification).

• Key Benefit: Moves from social consensus (trust the multisig) to cryptographic consensus (trust the proof).
• Key Projects: Early R&D in zk-rollup upgrade frameworks and Arbitrum Stylus, which allows new WASM precompiles via governance.

EIP-2535 'Diamonds' enable granular function upgrades via facets, but they centralize immense power. A single malicious or buggy facet upgrade can compromise the entire contract's $10B+ TVL. This creates paralyzing governance overhead and a massive attack surface for state corruption.

• Key Benefit 1: Granular, function-level hot-swapping.
• Key Benefit 2: Avoids contract size limits and storage collisions.

Separate volatile logic from immutable core state. Inspired by Uniswap v4 hooks and dYdX v4, this pattern deploys new logic contracts while a minimal, audited proxy routes calls. The state contract never changes, drastically reducing upgrade risk.

• Key Benefit 1: Core state and asset custody are immutable and secure.
• Key Benefit 2: New features deploy as independent, disposable contracts.

A full contract replacement (monolithic upgrade) breaks all existing integrations. Every DEX aggregator, wallet, and frontend must update their addresses and ABIs. This creates network-wide coordination failure, freezing protocol liquidity and UX for days or weeks.

• Key Benefit 1: Clean-slate redesigns are possible.
• Key Benefit 2: Eliminates legacy code debt in one move.

Decouple storage layout from business logic. Use a permanent, structured storage contract (like Eternal Storage pattern) that all logic versions can read/write. Expose features through versioned API endpoints (e.g., swapV2, swapV3) to maintain backward compatibility.

• Key Benefit 1: Seamless, non-breaking upgrades for integrators.
• Key Benefit 2: Multiple logic versions can coexist and be A/B tested.

Whether a multi-sig, DAO, or time-lock, the entity holding upgrade authority is a high-value target for exploits and governance attacks. The $200M Nomad bridge hack stemmed from a flawed upgrade. This centralization contradicts decentralization promises and creates legal liability.

• Key Benefit 1: Clear accountability for changes.
• Key Benefit 2: Enables rapid response to critical bugs.

Adopt a Bitcoin/Litecoin model for the foundational money layer: make it immutable. For higher-layer logic (e.g., a DEX's fee switch), use opt-in, social consensus upgrades where users signal approval by migrating assets. This is the ultimate expression of credible neutrality.

• Key Benefit 1: Unbreakable security guarantees for the base layer.
• Key Benefit 2: Upgrades require proven user demand, not just token votes.