How to Manage Upgrades on Non-EVM Runtimes

introduction

GUIDE

Introduction to Non-EVM Runtime Upgrades

Learn how to manage on-chain logic changes for blockchains built with Substrate, Cosmos SDK, and other non-EVM frameworks.

Runtime upgrades are a core feature of modern, modular blockchains, allowing for seamless, forkless updates to the network's logic. Unlike Ethereum Virtual Machine (EVM) chains where upgrades often require hard forks or complex proxy patterns, non-EVM runtimes like Substrate's WebAssembly (Wasm) runtime or the Cosmos SDK's application-specific blockchain are designed for on-the-fly evolution. This capability enables developers to deploy new pallets (Substrate), modules (Cosmos), or consensus mechanisms without disrupting the network's state or requiring node operators to manually update client software. The upgrade is proposed, voted on via governance, and enacted automatically.

The technical foundation for forkless upgrades in Substrate is its WebAssembly-based execution environment. The runtime logic is compiled to a Wasm blob stored on-chain. When a valid upgrade proposal is approved, nodes switch to executing the new Wasm code. Key tools for developers include the sudo pallet for emergency upgrades in permissioned setups and the democracy or collective pallets for decentralized governance. The process typically involves: 1) Writing and testing new runtime logic, 2) Building a new runtime Wasm blob (target/release/wbuild/<runtime>/<runtime>.compact.wasm), 3) Submitting an authorizeUpgrade or setCode extrinsic via a governance proposal.

For Cosmos SDK chains, upgrades are managed through the x/upgrade module. The process is governance-led and involves submitting a SoftwareUpgradeProposal. A successful vote triggers an upgrade at a predetermined block height. Node operators must manually replace the binary before that height. The upgrade handler in app.go defines how the application migrates state between versions. A critical step is implementing the BeginBlock method from the upgrade module to execute migration logic. Unlike Substrate's on-chain Wasm, Cosmos upgrades require binary coordination, making community communication essential.

Managing upgrades requires rigorous testing to prevent chain halts. Use testnets like Rococo (Substrate) or public test chains (Cosmos) to simulate the upgrade process end-to-end. For Substrate, test the upgrade in a local try-runtime environment to verify state migrations. Key risks include: introducing a bug in the new runtime logic, flawed migration logic that corrupts state, or insufficient lead time for node operators to update binaries (in Cosmos). Always include comprehensive documentation for validators detailing the upgrade height and new binary version.

Successful runtime upgrades are a hallmark of mature blockchain projects. Examples include Polkadot's frequent runtime upgrades to add new features like nomination pools, or Cosmos Hub's Vega upgrade which implemented Interchain Security. By leveraging built-in upgrade mechanisms, developers can iteratively improve protocol economics, security, and functionality. The process underscores a shift from hard-fork coordination to programmable, community-governed blockchain evolution.

prerequisites

NON-EVM RUNTIMES

Prerequisites for Managing Upgrades

Upgrading smart contracts on non-EVM blockchains requires a different set of tools and concepts than the familiar proxy patterns of Ethereum. This guide covers the foundational knowledge needed before implementing an upgrade.

Unlike the EVM, where upgrade patterns like the Transparent Proxy or UUPS are standardized, non-EVM runtimes such as CosmWasm, Move, and FuelVM have their own native paradigms for code mutability. The core prerequisite is understanding your chain's specific state migration model. On CosmWasm, you upload a new code ID and migrate existing contracts to it. In Move, you publish new modules and use code::publish and code::migrate functions. Each approach has distinct implications for storage layout, authorization, and backward compatibility that must be planned for.

You must have a deep familiarity with your chosen runtime's module and package management. For instance, managing upgrades on a Solana program requires understanding the BPF loader and program-derived addresses (PDAs) for authority. On Aptos or Sui using Move, you need to grasp package publishing, the Move.toml manifest, and how the upgrade_policy dictates compatibility. Setting up a local testnet or devnet that mirrors mainnet behavior is essential for dry-running the entire upgrade lifecycle, from building and publishing the new bytecode to executing the migration function.

Security and access control are paramount. Before any upgrade, you must establish and secure the upgrade authority. This is often a multisig account or a decentralized governance module like Cosmos SDK's x/gov. You need to configure this authority in your contract's instantiation message or module manifest. Furthermore, you should implement and test a pause mechanism or migration controller within the contract logic itself, allowing authorized actors to halt operations during the upgrade window, preventing state corruption.

Finally, comprehensive testing cannot be overstated. You need a testing strategy that covers: unit tests for the new logic, integration tests that deploy and migrate a mock contract state, and simulation tests that replay mainnet state transitions. Tools like cargo-test for CosmWasm Rust contracts or the Move Prover for formal verification are critical. Always maintain a detailed upgrade checklist and rollback plan, including steps to verify storage compatibility and to redeploy the previous version if the migration fails.

key-concepts-text

KEY CONCEPTS

How to Manage Upgrades on Non-EVM Runtimes

Managing smart contract or protocol upgrades on non-EVM blockchains like Solana, Cosmos, or Polkadot requires understanding their unique architectural paradigms.

Unlike the Ethereum Virtual Machine (EVM), where upgradeable contracts often rely on proxy patterns, non-EVM runtimes handle state and logic differently. For instance, Solana programs are typically immutable; "upgrades" involve deploying a new program and migrating state, a process managed by program-derived addresses (PDAs). On Cosmos SDK chains, upgrades are formalized through on-chain governance proposals that coordinate a halted network upgrade at a specific block height. These fundamental differences mean upgrade strategies are deeply integrated with each chain's consensus and execution model.

A common pattern across ecosystems is the use of migration scripts and versioned data structures. When deploying a new program version on Solana, you must write a script that deserializes the old account state, transforms it, and initializes new accounts for the upgraded program. Similarly, in Substrate-based chains (Polkadot), pallet logic can include migration hooks defined in a migrate function within the OnRuntimeUpgrade trait. This function executes automatically at the upgrade block, allowing for complex state transformations without manual intervention.

Security and governance are paramount. On permissionless Cosmos chains, a successful upgrade proposal requires a supermajority of staked tokens to vote "Yes," followed by validators manually upgrading their nodes. This process is slower but highly decentralized. In contrast, upgrade authority on Solana is often held by a program's upgrade authority keypair, which can be a multisig for security. A critical best practice is to thoroughly test state migrations on a testnet using a fork of mainnet state to avoid locking user funds or corrupting data.

Tooling and frameworks provide essential support. The Solana Program Library (SPL) offers utilities for managing program deployments. The Cosmos SDK's x/upgrade module handles the coordination logic for software upgrades. For Polkadot parachains, the Substrate FRAME system provides the scaffolding for runtime upgrades. Developers must familiarize themselves with these native tools, as generic Ethereum tooling like Hardhat or Foundry does not apply. Understanding chain-specific CLI commands for submitting governance proposals or deploying programs is a prerequisite.

Ultimately, managing upgrades on non-EVM chains is about planning for state continuity within immutable or versioned frameworks. Successful upgrades require: a clear migration path for all stored data, a secure and often decentralized governance mechanism to authorize the change, and comprehensive testing using chain-specific tooling to ensure a seamless transition for users and their assets.

COMPARISON

Upgrade Mechanisms by Runtime

A comparison of key upgradeability features and characteristics across major non-EVM blockchain runtimes.

Feature / Metric	CosmWasm (Cosmos SDK)	Move (Sui/Aptos)	Solana (BPF Loader)	Fuel (FuelVM)
Upgrade Model	Code ID Migration	Package Publishing	Program Redeployment	Stateful Contract Upgrades
State Migration Required
Admin-Only Upgrades
Governance-Controlled Upgrades
Upgrade Transaction Gas Cost	$5-20	$0.5-2	$2-10	$1-5
Backwards Compatibility Guarantee
Native Upgrade Hook Support
Default Immutable Deployment

PRACTICAL IMPLEMENTATION

Step-by-Step Upgrade Guides by Platform

Upgrade a Solana Program

Upgrading a Solana program (smart contract) requires deploying a new program binary and transferring authority.

Key Steps:

Build the new program: Compile your updated Rust or C code with cargo build-bpf.
Deploy the buffer: Upload the new program binary as a Buffer account using the Solana CLI: solana program write-buffer target/deploy/your_program.so.
Set upgrade authority: Ensure your deployer wallet is the current upgrade authority for the program.
Deploy & finalize: Use solana program deploy with the --upgrade-authority flag pointing to the buffer to replace the on-chain program. The Program Derived Address (PDA) and data accounts remain intact.

Critical Consideration: Solana programs are upgradeable by default. To make a program immutable, you must explicitly close the upgrade authority after deployment using solana program set-upgrade-authority --disable.

testing-strategy

TESTING AND VALIDATION STRATEGY

How to Manage Upgrades on Non-EVM Runtimes

A guide to the unique challenges and methodologies for testing and validating upgrades on blockchain runtimes like Solana, Cosmos, and Polkadot.

Managing upgrades on non-EVM runtimes requires a fundamentally different approach than on Ethereum. While EVM chains rely on a single, well-defined virtual machine, runtimes like Solana's Sealevel, Cosmos SDK modules, and Polkadot's FRAME pallets are compiled to native code. This means upgrades are not just about new contract logic but can involve changes to the runtime's core logic, consensus rules, or state transition function itself. A robust testing strategy must therefore validate the entire node software, not just individual smart contracts.

The first pillar of a non-EVM upgrade strategy is comprehensive integration testing. This involves running a local testnet or a canary network (like Polkadot's Westend or a Cosmos test chain) with the new runtime binary. The goal is to simulate the upgrade process end-to-end, including governance proposals, on-chain voting, and the final runtime switch. Tools like Solana's local validator, the Cosmos SDK's simapp, and Polkadot's Zombienet are essential for creating these realistic test environments. You must test not only successful upgrades but also rollback procedures in case of a failed migration.

For runtime logic written in frameworks like Substrate's FRAME, unit and integration tests are written in Rust. A typical test suite for a new pallet includes verifying storage migrations, ensuring event emissions are correct, and checking that new extrinsics (transactions) behave as expected. For example, testing a Cosmos SDK module upgrade involves writing Go tests that instantiate the module's keeper with a mock context and assert state changes. These tests are run against the source code before any binary is compiled for a testnet.

State migration is a critical and high-risk component of non-EVM upgrades. Unlike EVM contracts where storage layout is managed by the contract, runtime upgrades can require migrating the entire chain's state to a new format. Your validation must include dry-run migrations on a snapshot of mainnet state. On Substrate, this is done using the try-runtime pallet's commands (on-runtime-upgrade). On Cosmos chains, you write migration scripts in Go and test them against exported state. The output must be verified for correctness and performance to avoid chain halts.

Finally, a successful upgrade requires coordinated validation from node operators. Before the mainnet proposal, you must provide the upgrade binary's hash, detailed instructions, and the results of your testnet trials. Operators will typically run the new binary in a shadow fork mode, processing real-time mainnet blocks to catch any unforeseen issues. This decentralized validation layer is crucial for networks like Cosmos and Polkadot, where independent operators must manually upgrade their nodes. Clear communication and proven tooling are as important as the technical tests themselves.

NON-EVM UPGRADES

Common Mistakes and How to Avoid Them

Upgrading smart contracts on non-EVM runtimes like Solana, Cosmos, or Starknet introduces unique challenges. This guide addresses frequent pitfalls developers encounter and provides actionable solutions.

The most common upgrade failure on runtimes like Solana is an authority mismatch. The transaction must be signed by the upgrade authority private key, which is distinct from the deployer or payer key.

How to fix it:

Locate the authority: For Solana programs deployed with solana program deploy, the authority is stored in the keypair file (e.g., upgrade_authority-keypair.json).
Use the correct signer: Ensure the upgrade command explicitly uses this keypair: solana program deploy --keypair ./upgrade_authority-keypair.json program.so.
Check program data: Verify the current authority with solana program show <PROGRAM_ID>.

Failing to transfer upgrade authority to a multisig or DAO after initial deployment is a critical security oversight.

resource-links

GUIDES

Essential Tools and Documentation

Non-EVM runtimes implement upgrades using very different mechanisms than proxy-based smart contracts. These tools and references explain how upgrades work at the runtime, module, or program level and how to execute them safely in production networks.

Substrate Runtime Upgrades (Polkadot, Kusama, Parachains)

Substrate-based chains upgrade the entire blockchain runtime as a single Wasm blob instead of upgrading individual contracts.

Key mechanisms developers must understand:

Wasm runtime replacement: The runtime is compiled to Wasm and stored on-chain, then atomically swapped during an upgrade.
On-chain governance execution: Referenda or council-approved proposals trigger upgrades without hard forks.
Storage migrations: Runtime upgrades often require explicit migration code for storage layout changes.

Actionable steps:

Use frame_support::traits::OnRuntimeUpgrade to write deterministic migrations.
Test upgrades with try-runtime before submitting them on-chain.
Validate post-upgrade state using try-runtime --execution wasm against production state snapshots.

This model enables forkless upgrades but makes mistakes irreversible once governance executes the proposal.

EXPLORE

CosmWasm Contract and Chain Upgrades (Cosmos SDK)

CosmWasm supports contract-level upgrades while the Cosmos SDK handles chain-level binary upgrades.

Important upgrade paths:

Contract migrations: New contract code is uploaded and existing contracts migrate state via a migrate entry point.
Admin-controlled upgrades: Only the contract admin can perform upgrades unless ownership is renounced.
Chain upgrades: Coordinated validator restarts occur at a agreed block height using governance proposals.

Developer best practices:

Make all migrations idempotent and version-aware.
Store a contract version_info inside state and verify it during migrate.
Test upgrades using wasmd migrate on forked mainnet state.

CosmWasm’s explicit migration model makes state transitions auditable, but migration code becomes part of the contract’s long-term attack surface.

EXPLORE

Solana Program Upgrades with the BPF Upgradeable Loader

Solana programs are upgraded using the BPF Upgradeable Loader, which separates executable code from program state.

How upgrades work:

Programs are deployed with an upgrade authority key that can replace the program binary.
Program-derived addresses (PDAs) preserve state across upgrades.
Upgrades are live immediately once the new program is finalized on-chain.

Operational considerations:

Secure the upgrade authority using multisig or hardware wallets.
Remove upgrade authority (set to None) once the program is finalized.
Use feature flags in program logic to avoid breaking deployed clients.

Unlike EVM proxies, Solana upgrades replace the executable directly. A compromised upgrade authority can fully rewrite program logic, making authority management part of core security design.

EXPLORE

NEAR Protocol Contract Upgrades

NEAR allows contracts to upgrade themselves by deploying new Wasm code to the same account.

Upgrade model:

Contracts call env::deploy_contract to replace their own code.
Persistent state is stored separately and survives code replacement.
Access control logic must be implemented inside the contract itself.

Key implementation details:

Guard upgrade functions with strict access checks such as owner-only logic.
Perform schema migrations lazily on first access to avoid gas spikes.
Version state schemas internally and fail fast on incompatible formats.

Because NEAR upgrades are initiated by contract logic rather than external governance, most historical exploits come from missing or incorrect upgrade authorization checks rather than protocol-level bugs.

EXPLORE

Tezos On-Chain Governance and Protocol Upgrades

Tezos upgrades the protocol itself using built-in on-chain governance, avoiding hard forks entirely.

Governance process:

Bakers propose protocol amendments as code changes.
Multiple voting periods culminate in automatic activation.
The chain self-amends without validator coordination or downtime.

For protocol developers:

Amendments include both logic changes and migration code.
Economic parameters such as gas limits and baking rewards can change during upgrades.
Test amendments on Ghostnet before mainnet submission.

Tezos’ self-amending design pushes upgrade safety into formal proposal review and voting. Once activated, changes affect all users immediately, so backward compatibility and migration logic are critical.

EXPLORE

NON-EVM UPGRADES

Frequently Asked Questions

Common questions and solutions for managing smart contract upgrades on non-EVM runtimes like Solana, Cosmos, and Starknet.

The primary difference is the absence of a standardized proxy pattern like EIP-1967. Non-EVM runtimes handle upgrades through native runtime mechanisms.

Key distinctions:

Solana: Uses Program Derived Addresses (PDAs) and a set_authority instruction to change a program's upgrade authority. The executable code (BPF bytecode) at a program's address can be replaced by the authority.
Cosmos SDK: Relies on governance proposals and on-chain voting to approve and execute upgrades via the x/upgrade module, which schedules a switch to new blockchain binary at a specific block height.
Starknet: Employs a declare-deploy-replace model. A new class hash is declared, and a contract's class reference is updated to point to it, allowing state-preserving upgrades.

The core concept shifts from delegatecall proxies to runtime-managed code replacement or reference switching.

conclusion

KEY TAKEAWAYS

Conclusion and Next Steps

Successfully managing upgrades on non-EVM runtimes requires a deep understanding of the underlying consensus model, governance framework, and execution environment. This guide has outlined the core principles and practical steps for Solana, Cosmos, and Polkadot.

The primary takeaway is that upgrade management is a governance-first process. Unlike EVM chains where a single smart contract can be upgraded, non-EVM runtimes often require coordinated action at the protocol level. This involves submitting and passing governance proposals, which may require staking tokens for voting. For example, a Cosmos SDK chain upgrade is enacted via a SoftwareUpgradeProposal that must be voted on by validators. Understanding your chain's specific governance module—be it Cosmos' x/gov, Polkadot's OpenGov, or Solana's decentralized process—is the first critical step.

Your technical preparation should focus on testing and simulation. Before broadcasting a mainnet proposal, you must rigorously test the upgrade in a controlled environment. For Substrate-based chains, use a local testnet with the try-runtime pallet to simulate the state migration. On Solana, deploy and test the new program on devnet or testnet, ensuring all existing accounts and data are compatible. For Cosmos chains, use the simd tool to run a simulation of the proposal to catch any panics or state corruption before real funds are at risk. This phase is non-negotiable for security.

Finally, monitoring and post-upgrade validation are essential. Once the upgrade proposal passes and the chain halts at the target height, validators must switch to the new binary. Use chain-specific tools to monitor the rollout: Polkadot's PolkadotJS telemetry, Cosmos' cosmovisor logs, or Solana's validator metrics. Immediately verify that the chain is producing blocks, that core functionalities (like staking, transfers, and queries) are operational, and that the new runtime version is active. Document any issues and have a rollback plan, such as a community-agreed emergency downgrade proposal, ready in case of critical failures.