A UUPS (Universal Upgradeable Proxy Standard) proxy is a smart contract architecture pattern that enables a contract's logic to be upgraded while preserving its state and address. Unlike the traditional Transparent Proxy pattern, the upgrade authorization and execution logic in UUPS is located within the implementation contract (the logic contract), not the proxy. This design makes the proxy contract itself simpler, smaller, and more gas-efficient. The proxy delegates all function calls to the implementation contract using the delegatecall opcode, which executes the logic in the context of the proxy's storage.
LABS
Glossary
UUPS Proxy
A UUPS (Universal Upgradeable Proxy Standard) Proxy is a smart contract upgrade pattern where the upgrade authorization and logic reside in the implementation contract itself, not the proxy.
Chainscore © 2026
definition
SMART CONTRACT ARCHITECTURE
What is a UUPS Proxy?
A UUPS (Universal Upgradeable Proxy Standard) is a smart contract upgrade pattern where the upgrade logic resides in the implementation contract itself, not the proxy.
The key mechanism enabling upgrades in UUPS is a function within the implementation, typically named upgradeTo(address newImplementation). This function updates the proxy's stored pointer to the new logic contract. Because this function is part of the implementation, it can itself be upgraded or removed in a future version, offering significant flexibility. However, this also introduces a critical risk: if an implementation is deployed without the upgrade function, the proxy becomes forever frozen and immutable. This is a fundamental security consideration when using the UUPS pattern.
UUPS proxies, defined by EIP-1822, offer distinct advantages. Their primary benefit is reduced gas cost for users, as the proxy avoids storage slot clashes and the overhead of an admin fallback function. This makes them particularly suitable for gas-optimized applications like tokens (e.g., many modern ERC-20 implementations). Developers must carefully manage upgradeability ownership and access control, often inheriting from libraries like OpenZeppelin's UUPSUpgradeable to include necessary security checks and prevent accidental lock-up of the proxy.
etymology
PROXY PATTERN EVOLUTION
Etymology & Origin
The term **UUPS Proxy** originates from a specific technical implementation within the Ethereum smart contract ecosystem, representing an evolution of the standard proxy pattern to optimize for gas efficiency and upgradeability.
UUPS stands for Universal Upgradeable Proxy Standard. It is a smart contract architectural pattern where the upgrade logic is stored not in a separate administrative contract (a ProxyAdmin), but directly within the implementation contract itself. This design was formally proposed and standardized in EIP-1822, authored by Gabriel Barros and Patrick Gallagher, as a gas-efficient alternative to the more traditional Transparent Proxy pattern. The 'universal' aspect denotes its aim to be a standardized, reusable solution for upgradeable contracts.
The key etymological and functional distinction lies in the location of the upgrade authorization mechanism. In a Transparent Proxy, a fallback function routes calls to an implementation address, and a separate admin contract controls upgrades. In UUPS, this admin logic is upgradeable and resides in the implementation, making the proxy contract itself simpler and less expensive to deploy. The pattern leverages the fact that when a proxy delegates a call to its implementation, the implementation's code executes in the proxy's storage context, allowing it to modify the proxy's stored logic address.
This design shift was driven by the need for gas optimization, especially for users interacting with the proxy. Because the proxy contract has no upgrade logic of its own, there is no overhead for checking if the caller is an admin on every transaction. The trade-off is that upgrade capability becomes a feature of the logic contract, which means a UUPS implementation must always include and preserve its upgrade functions in all subsequent versions, or risk permanently locking the system.
how-it-works
UPGRADEABLE CONTRACT PATTERN
How a UUPS Proxy Works
A UUPS (Universal Upgradeable Proxy Standard) is a smart contract pattern where the upgrade logic is stored in the implementation contract itself, rather than in the proxy.
A UUPS (Universal Upgradeable Proxy Standard) proxy is a smart contract pattern that delegates all logic and storage to a separate implementation contract, while holding the upgrade authorization logic within that implementation. Unlike the traditional Transparent Proxy pattern, which stores upgrade functions in the proxy itself, UUPS moves this responsibility to the logic contract. This design results in a smaller, more gas-efficient proxy contract because it eliminates the need for a proxy admin or built-in upgrade methods. The proxy's primary role is to forward, or delegatecall, to the current implementation address stored in its defined storage slot.
The core mechanism enabling upgrades is the upgradeTo(address newImplementation) function, which must be present in the implementation contract's code. When called, this function updates the proxy's stored implementation address. Crucially, this function is protected by access controls (like onlyOwner) to prevent unauthorized upgrades. Because the upgrade logic resides in the implementation, developers must ensure that every subsequent implementation retains a compatible upgrade function; omitting it would permanently lock the contract, making it non-upgradeable. This is a key security consideration when authoring UUPS-compliant contracts.
From a storage perspective, UUPS proxies use unstructured storage to avoid clashes between the proxy and implementation. The implementation address is stored at a specific, pseudorandom slot defined by bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1). This prevents any variable in the logic contract from accidentally overwriting this critical pointer. When a user interacts with the proxy address, the proxy uses a delegatecall, which executes the implementation's code in the context of the proxy's storage. This means all state (user balances, settings) is permanently held by the proxy, while the logic defining that state can be swapped out.
The primary advantage of UUPS over a Transparent Proxy is reduced gas cost for regular function calls, as the proxy doesn't need to check if the caller is an admin on every invocation. This makes UUPS the preferred standard for gas-optimized applications. However, it introduces the responsibility of maintaining upgradeability in the logic layer. Prominent standards like ERC-1967 formalize the storage slots for the implementation and admin, providing a reliable foundation for UUPS proxies. Major protocols and tools, including OpenZeppelin's contracts library, offer audited implementations of this pattern.
key-features
UPGRADEABLE SMART CONTRACTS
Key Features of UUPS Proxiles
UUPS (Universal Upgradeable Proxy Standard) is an Ethereum standard (EIP-1822) where upgrade logic is stored in the implementation contract itself, not the proxy. This design offers distinct advantages and considerations for developers.
01
Implementation-Housed Logic
The core mechanism of a UUPS proxy is that the upgrade logic (the upgradeTo function) is part of the implementation contract's code, not the proxy's. This makes the proxy contract itself smaller and more gas-efficient to deploy. The proxy delegates all calls to the implementation, which also contains the function to point the proxy to a new implementation address.
02
Gas Efficiency on Deployment
Because the proxy contract is minimal—containing only a storage slot for the implementation address and a fallback function for delegatecall—it costs significantly less gas to deploy than a comparable Transparent Proxy. This is a primary advantage for projects deploying many proxy instances, such as for NFTs or user accounts.
03
Critical Self-Destruct Risk
A major security consideration is that the upgrade authority resides in the implementation. If an upgrade introduces a bug or a malicious function that calls selfdestruct on the implementation, the proxy's logic is permanently destroyed, locking all associated funds and state. This risk must be mitigated through rigorous testing and access controls.
04
Initialization Patterns
Like all proxies, UUPS contracts require a mechanism to initialize state variables, as constructors are not effective in a proxy context. Developers use an initializer function (e.g., initialize) guarded by an initializer modifier (often from OpenZeppelin libraries) to prevent re-initialization attacks and set up the contract's initial state.
05
Access Control for Upgrades
The upgradeTo function in the implementation must be protected by robust access control, typically using a role-based system like OpenZeppelin's Ownable or AccessControl. This ensures only authorized addresses (e.g., a multi-signature wallet or DAO) can perform upgrades, which is critical for decentralization and security.
06
Storage Collision Avoidance
Proxies and implementations share the same storage layout. UUPS implementations must carefully manage their storage variables to avoid collisions with the proxy's own storage slot (which holds the implementation address). Using structured storage libraries (like OpenZeppelin's ERC1967Upgrade) is a standard practice to safely append new variables in upgrades.
UPGRADEABLE PROXY ARCHITECTURE
UUPS vs. Transparent Proxy Pattern
A technical comparison of the two primary patterns for building upgradeable smart contracts on Ethereum.
| Feature / Metric | UUPS (Universal Upgradeable Proxy Standard) | Transparent Proxy Pattern |
|---|---|---|
Proxy Storage Overhead | Logic contract stores upgrade logic | Proxy contract stores upgrade logic |
Proxy Bytecode Size | ~0.6 KB (smaller) | ~2.4 KB (larger) |
Upgrade Function Location | In the logic (implementation) contract | In the proxy contract |
Gas Cost for Regular Calls | ~2,400 gas (lower) | ~2,800 gas (higher) |
Gas Cost for Admin Calls | ~21,000 gas (lower) | ~24,000 gas (higher) |
Upgrade Mechanism | delegatecall to | Admin calls |
Inherent Security Risk | Higher (logic can be self-destructed) | Lower (proxy admin is separate) |
Implementation Contract | Must be upgradeable-aware | Can be completely immutable |
security-considerations
UUPS PROXY
Security Considerations & Risks
The UUPS (Universal Upgradeable Proxy Standard) pattern centralizes upgrade logic in the implementation contract, creating unique security considerations distinct from traditional proxy designs.
01
Implementation Contract Self-Destruct
The most critical risk in UUPS is that the implementation contract itself contains the upgradeTo function. A malicious or buggy upgrade could include a selfdestruct call, which would destroy the implementation logic and brick all proxy instances relying on it, permanently freezing user funds. This is a key difference from the Transparent Proxy pattern, where the proxy admin is a separate contract.
02
Initializer Function Replay
Since UUPS proxies use initializer functions instead of constructors, they are vulnerable to replay attacks if not properly secured. Key safeguards include:
- Using the
initializermodifier from OpenZeppelin Contracts. - Ensuring the initializer can only be called once.
- Protecting the initializer with access controls if initialization parameters are sensitive.
03
Upgrade Authorization & Timelocks
The authority to call upgradeTo must be rigorously controlled. Best practices involve:
- Using a multi-signature wallet or DAO vote for upgrade approvals.
- Implementing a timelock contract between the governance mechanism and the proxy. This introduces a mandatory delay, allowing users to review code changes or exit the system before a potentially harmful upgrade is executed.
04
Storage Collision Hazards
Upgrades must preserve the storage layout compatibility between old and new implementations. In UUPS, both the proxy and implementation share the same storage slot. An incompatible upgrade that reorders or modifies state variable declarations can lead to critical data corruption, where variables read from incorrect storage slots. Tools like slither or manual storage layout checks are essential.
05
Function Selector Clashing
The upgradeTo and upgradeToAndCall functions in the implementation must not conflict with other public/external functions. A function selector clash occurs if a new function's 4-byte signature matches the upgrade function's selector (e.g., upgradeTo(address) = 0x3659cfe6). This would prevent the upgrade function from being called, potentially locking the system. The UUPS implementation should reserve these selectors.
06
Implementation Contract Verification
The logic contract's source code must be verified on-chain (e.g., Etherscan). An unverified implementation is a major red flag, as it hides the actual upgrade logic from users and auditors. Furthermore, the implementation contract's address should be immutable and point to a non-upgradeable, deployed contract to prevent an attacker from swapping the implementation pointer before a proxy calls it.
code-example
UUPS PROXY
Code Example Structure
This section details the standard structure for a code example demonstrating a UUPS (Universal Upgradeable Proxy Standard) implementation, a pattern for upgradeable smart contracts on Ethereum.
A typical UUPS proxy code example is structured to clearly separate the proxy contract, the logic contract, and the upgrade mechanism. The proxy is a minimal contract that delegates all calls to a logic contract address stored in its state, using the delegatecall opcode. The logic contract contains the core business logic and, crucially, a function to upgrade the proxy's pointer to a new logic implementation, following the EIP-1822 standard.
The example will first define the logic contract (implementation). This contract inherits from a base class like ERC1967Upgrade and includes a _authorizeUpgrade function, which contains the access control logic (e.g., onlyOwner). It also contains the standard business functions the proxy will expose. A constructor is often included but is irrelevant for the proxied instance, as it is never executed in the context of the proxy.
Next, the proxy contract is shown. It is usually a very short contract that inherits from ERC1967Proxy. Its constructor takes two arguments: the address of the initial logic implementation and optional initialization call data. It then calls the ERC1967Proxy constructor, which stores the implementation address and performs any initial setup call. The proxy itself has no upgrade logic; that responsibility resides in the logic contract.
The example typically concludes with a deployment and interaction script (in JavaScript/TypeScript using ethers.js or web3.js). This script demonstrates: deploying the logic contract first, then deploying the proxy with the logic address, and finally interacting with the proxy as if it were the logic contract. A subsequent upgrade is shown by deploying a new logic contract (V2) and calling the upgradeTo function on the proxy, which is actually executed in the proxy's context via the logic defined in the first implementation.
Key elements to highlight in the structure include the use of transparent proxies vs. UUPS, emphasizing that in UUPS the upgrade function is in the logic contract, reducing proxy overhead. The example should also note the critical security practice of initializing the contract via an initialize function instead of a constructor, and the importance of properly securing the _authorizeUpgrade function to prevent unauthorized upgrades.
ecosystem-usage
UPGRADEABLE CONTRACTS
Ecosystem Usage & Adoption
UUPS (Universal Upgradeable Proxy Standard) is the dominant pattern for building upgradeable smart contracts, allowing developers to fix bugs and add features post-deployment. Its adoption is driven by gas efficiency and security best practices.
02
Gas Efficiency & Cost Savings
A primary driver for UUPS adoption is its gas efficiency. Because the proxy delegatecalls to a separate implementation, and the upgrade logic is in the implementation itself, the proxy contract is simpler and cheaper to deploy. This results in significant cost savings, especially for protocols that deploy many instances (e.g., minimal proxy clones for user vaults). The savings are realized both in initial deployment and during upgrade execution.
03
Security & The `_authorizeUpgrade` Hook
UUPS places critical security responsibility on the developer. The pattern requires the implementation to include an internal **_authorizeUpgrade(address newImplementation)** function. This function must contain all the access control logic (e.g., onlyOwner, onlyGovernance). Forgetting to implement this function, or implementing it incorrectly, can leave the contract permanently un-upgradeable or, worse, allow unauthorized upgrades. Auditors heavily scrutinize this function.
05
The Self-Destruct Risk
A unique risk of the UUPS pattern is that the implementation contract can self-destruct. Since the upgrade function logic lives in the implementation, a malicious or buggy upgrade could call selfdestruct on the implementation, which would break all proxies pointing to it (rendering them useless). This contrasts with the Transparent Proxy pattern, where the proxy itself holds the upgrade logic and is immune to implementation self-destruction. This risk must be mitigated through rigorous auditing and access controls.
06
Integration with Proxy Factories & Clones
UUPS is frequently combined with proxy factory patterns (like EIP-1167 minimal proxies) for scalable systems. A factory deploys a lightweight UUPS proxy that points to a single, upgradeable implementation. This allows a protocol to deploy thousands of gas-efficient, identical contracts (e.g., for individual user positions or vaults) where the logic for all can be upgraded in a single transaction by updating the shared implementation address. This is a common architecture in yield aggregators and decentralized asset management platforms.
DEBUNKED
Common Misconceptions About UUPS
Universal Upgradeable Proxy Standard (UUPS) proxies are a powerful tool for smart contract upgradeability, but several persistent myths can lead to critical security and design flaws. This section clarifies the most frequent misunderstandings.
Yes, a UUPS proxy is generally more gas-efficient for end-users than a Transparent proxy pattern. The primary gas saving comes from eliminating the proxy's overhead of checking whether the caller is the admin for every function call. In the Transparent Proxy pattern, the proxy contract must perform a conditional check (if (msg.sender == admin)) on every single call to determine if it should delegate to the logic contract or execute an admin function. The UUPS pattern moves all upgrade logic into the implementation contract itself, so the proxy performs a simple, low-cost delegatecall for all user transactions. This results in a consistent ~2,700 gas saving per function call for users, as the admin check is only paid during the actual upgrade transaction.
UUPS PROXY
Frequently Asked Questions (FAQ)
A UUPS (Universal Upgradeable Proxy Standard) is a modern smart contract upgrade pattern where the upgrade logic resides in the implementation contract itself, not the proxy. These questions address its core mechanics, security, and differences from other patterns.
A UUPS (Universal Upgradeable Proxy Standard) is an upgradeable smart contract pattern where the logic for performing upgrades is built into the implementation contract itself, rather than the proxy. The proxy contract stores the address of the current implementation contract and delegates all function calls to it via delegatecall. To upgrade, a new implementation contract is deployed, and a specific function (e.g., upgradeTo) on the current implementation is called through the proxy, which updates the proxy's stored implementation address. This design makes the proxy contract smaller and more gas-efficient, as it contains no upgrade logic of its own.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall