Designing for upgradeability starts with a core architectural principle: separation of logic and data. Instead of a single, monolithic contract, you split your system into at least two components. The logic contract contains the executable code and business rules, while the storage contract holds the persistent state variables. This pattern, often implemented via a proxy, allows you to deploy a new logic contract while preserving the existing data layer. The most common standard for this is the ERC-1967 proxy, which defines a structured storage slot for the logic contract address.
LABS
Guides
How to Design Upgrade-Ready Architectures
A technical guide to implementing upgradeable smart contract systems using patterns like Proxies and Diamonds, with code examples and security considerations.
Chainscore © 2026
introduction
ARCHITECTURE PATTERNS
How to Design Upgrade-Ready Architectures
A guide to designing smart contracts with upgradeability in mind, focusing on separation of concerns and data preservation.
The key to a safe upgrade is preserving storage layout. When you deploy a new version of your logic contract, you must ensure new variables are appended to the end of the existing storage structure. Reordering, deleting, or changing the type of existing variables will corrupt your application's state. Tools like OpenZeppelin Upgrades Plugins help enforce these rules. For example, when using @openzeppelin/upgrades, the validateUpgrade function checks for storage layout incompatibilities before deployment, preventing catastrophic data loss.
Beyond basic proxies, more advanced patterns exist for complex systems. The Diamond Pattern (EIP-2535) enables a modular approach where a single proxy contract can route function calls to multiple, discrete logic contracts called facets. This is useful for very large dApps where you might want to upgrade specific modules independently. Another pattern is the Data Separation approach, where the storage contract exposes only simple getter and setter functions, making the logic contract entirely stateless and thus trivial to replace.
Upgradeability introduces unique security considerations. You must implement robust access controls for the upgrade function, typically using a multi-signature wallet or a decentralized governance contract like OpenZeppelin's Governor. A common pitfall is leaving the proxy admin role unprotected. Furthermore, you should design with transparency in mind: make upgrade events and proposals visible to users. Always test upgrades thoroughly on a testnet, using scripts that simulate the state migration process.
To implement a basic upgradeable contract, you would use libraries like OpenZeppelin Contracts. First, you write your initial logic contract, inheriting from UUPSUpgradeable or TransparentUpgradeableProxy's initializer pattern. Your storage variables are defined here. You then deploy a proxy contract that points to this logic. When upgrading, you deploy a new logic contract and call upgradeTo(address newImplementation) on the proxy. The proxy's fallback function will delegate all future calls to the new address, while the stored data remains intact.
prerequisites
PREREQUISITES
How to Design Upgrade-Ready Architectures
Building smart contracts that can evolve is a core requirement for sustainable Web3 applications. This guide covers the architectural patterns that enable secure and permissionless upgrades.
Upgradeability in blockchain development is not about patching bugs after deployment, but about designing for controlled evolution. A contract's logic and its data storage must be separated to allow the logic to be replaced while preserving the state. The most common pattern for this is the Proxy Pattern, where a lightweight proxy contract delegates all function calls to a separate logic contract. Users interact with the proxy, which holds the data, while the upgradeable logic lives elsewhere. This separation is the foundation for all upgradeable systems.
Understanding storage layout is critical. When a new logic contract is attached to a proxy, it must read from and write to the same storage slots as the previous version. Storage collisions, where variables are rearranged, will corrupt data. To prevent this, use inheritance from OpenZeppelin's upgradeable contracts or explicitly define storage slots. Never change the order of existing variables; only append new ones. Tools like the OpenZeppelin Upgrades Plugins automate these checks and manage deployment security.
You must also manage initialization. Constructors are not used in proxy-based systems because the proxy's constructor runs only once. Instead, you use an initialize function, which acts as a post-deployment constructor. It is crucial to protect this function from being called more than once, typically using an initializer modifier. Failing to do so is a critical security flaw that can allow an attacker to re-initialize the contract and take ownership.
Consider the governance of upgrades. Who can perform an upgrade? A common approach is a multi-signature wallet controlled by project stewards or a DAO vote via a governance token. The upgrade mechanism itself, such as changing the proxy's logic address, should be behind a timelock. A timelock contract introduces a mandatory delay between a proposal and its execution, giving users time to react if a malicious upgrade is proposed.
Finally, design with transparency and user trust in mind. Use EIP-1967 standard storage slots for the logic address so it can be easily verified by explorers. Clearly communicate upgrade processes to your community. Remember, an upgradeable contract is only as trustworthy as the governance that controls it. The goal is to build systems that can adapt without compromising the immutability and security guarantees users expect.
key-concepts-text
CORE CONCEPTS FOR UPGRADABILITY
How to Design Upgrade-Ready Architectures
A guide to the foundational design patterns that enable smart contract systems to evolve securely and efficiently without sacrificing decentralization.
An upgrade-ready architecture separates a system's logic from its state. The most common pattern uses a proxy contract that delegates all function calls to a separate logic contract. The proxy holds the persistent state (like user balances or ownership data), while the logic contract contains the executable code. When an upgrade is needed, you deploy a new logic contract and update the proxy's reference to point to it. This allows the system's behavior to change while preserving all existing data and contract addresses. The EIP-1967 standard formalizes storage slots for this proxy pattern.
The Transparent Proxy and UUPS (EIP-1822) are the two dominant upgrade patterns. A Transparent Proxy uses an admin address to manage upgrades, preventing function selector clashes between the proxy and logic contract. UUPS (Universal Upgradeable Proxy Standard) bakes the upgrade logic directly into the implementation contract itself, making it more gas-efficient. The choice depends on your priorities: Transparent Proxies offer a clear separation of concerns, while UUPS proxies reduce gas costs for users by eliminating the proxy's overhead for non-admin calls.
Managing storage layout is critical for safe upgrades. You cannot change the order, type, or remove existing state variables in a new implementation, as this would corrupt the stored data. New variables must always be appended. Using structured storage—like inheriting from OpenZeppelin's StorageSlot library or employing unstructured storage with keccak256 slots—provides more flexibility. Tools like the OpenZeppelin Upgrades Plugins automatically validate storage compatibility to prevent dangerous migrations.
A robust upgrade process requires access controls and timelocks. Upgrade authority should never be held by a single private key. Use a multisig wallet or, better yet, a decentralized autonomous organization (DAO) governed by token holders. Implementing a timelock between proposing and executing an upgrade gives users time to review changes or exit the system. This combination transforms a powerful administrative function into a transparent, community-aligned process, which is essential for maintaining trust in upgradeable DeFi protocols or NFT projects.
Finally, design with upgrade granularity in mind. Not every bug fix requires a full system migration. Consider a modular architecture using the Diamond Pattern (EIP-2535), which allows a single proxy to delegate to multiple logic contracts (facets). This lets you upgrade specific features independently, such as swapping out a staking module without touching the token transfer logic. While more complex, this pattern is used by protocols like Aave V3 to achieve unparalleled flexibility and reduce the scope and risk of any single upgrade.
upgrade-patterns
SMART CONTRACT ARCHITECTURE
Common Upgrade Patterns
Designing for future-proof smart contracts requires deliberate architectural patterns. These approaches separate logic from data, manage access control, and enable seamless, secure upgrades.
ARCHITECTURAL PATTERNS
Upgrade Pattern Comparison
A comparison of common smart contract upgrade patterns, detailing their trade-offs in security, complexity, and decentralization.
| Feature | Transparent Proxy | UUPS (EIP-1822) | Diamond Standard (EIP-2535) |
|---|---|---|---|
Implementation Logic Location | Proxy Contract | Implementation Contract | Facet Contracts |
Admin Upgrade Function | |||
Storage Collision Risk | High (manual slots) | High (manual slots) | Low (structured) |
Implementation Contract Size Limit | 24KB | No limit | No limit |
Gas Cost for Upgrade | $50-100 | $30-70 | $100-500+ |
Upgrade Authorization | Single admin/multisig | Implementation logic | Diamond owner/facet |
Inherent Security Risk | Medium | High (selfdestruct) | Medium-High |
Time to Deploy Full System | < 5 min | < 3 min | 15-30 min |
transparent-proxy-walkthrough
UPGRADE PATTERNS
Implementing a Transparent Proxy
A guide to using the Transparent Proxy pattern for creating secure, upgradeable smart contracts on Ethereum and EVM-compatible chains.
The Transparent Proxy pattern is a widely adopted standard for building upgradeable smart contracts, central to protocols like OpenZeppelin's upgradeable contracts framework. It solves a critical problem: how to change a contract's logic while preserving its state and address. The architecture uses three key components: a Proxy Contract that holds all storage and delegates calls, a Logic Contract containing the executable code, and an Admin Contract (or admin address) authorized to perform upgrades. This separation allows developers to deploy a new version of the logic contract and point the proxy to it, enabling seamless upgrades without disrupting user interactions or migrating assets.
Security is a primary concern in upgradeable designs. The Transparent Proxy pattern mitigates a specific risk called a function selector clash. If both the proxy admin and a user call the same function signature (like upgradeTo()), a malicious actor could exploit this to trigger admin actions. The pattern prevents this by routing calls based on the caller's address. If the caller is the admin, it can access the proxy's upgrade functions. For all other callers, calls are delegated directly to the logic contract, making the proxy 'transparent' to regular users. This design is formalized in the EIP-1967 standard, which defines specific storage slots for the logic and admin addresses to prevent collisions.
Implementing a Transparent Proxy is straightforward using established libraries. With OpenZeppelin Contracts, you can deploy an upgradeable contract using their Upgrades Plugins for Hardhat or Foundry. A basic deployment script initializes a proxy that points to your first logic contract version. Here's a conceptual outline:
javascriptconst MyContractV1 = await ethers.getContractFactory("MyContractV1"); const instance = await upgrades.deployProxy(MyContractV1, [constructorArgs], {initializer: 'initialize'});
The deployProxy function deploys your logic contract, a ProxyAdmin, and a TransparentUpgradeableProxy, linking them together. The initialize function acts as a replacement for the constructor, setting up the initial state.
Upgrading the contract follows a controlled process. After developing and auditing MyContractV2, you deploy the new logic and schedule the upgrade. The upgrade process changes the proxy's stored logic address but leaves all existing storage variables intact. It's crucial that new logic contracts maintain storage compatibility; you cannot change the order, type, or remove existing state variables. You can only append new variables. Failing to do so will corrupt the contract's data. The upgrade is executed via the ProxyAdmin:
javascriptconst MyContractV2 = await ethers.getContractFactory("MyContractV2"); await upgrades.upgradeProxy(instance.address, MyContractV2);
After this call, all future interactions with the proxy address will use the new V2 logic.
While powerful, the pattern requires careful governance. The admin address holds supreme power and must be secured, often using a multisig wallet or DAO governance contract. Consider timelocks for upgrades to allow users to react to changes. Always use testing and staging environments to verify upgrades before mainnet deployment. For developers, resources like the OpenZeppelin Upgrades Documentation provide detailed guides and best practices. By implementing a Transparent Proxy, you build a foundation for long-term protocol evolution while maintaining the security and trust of your users.
diamond-standard-implementation
GUIDE
Building with the Diamond Standard (EIP-2535)
A practical guide to designing modular, upgradeable smart contract systems using the Diamond Standard (EIP-2535).
The Diamond Standard (EIP-2535) is a smart contract design pattern that solves the contract size limit and upgradeability fragmentation problems. Instead of a single, monolithic contract, a Diamond is a proxy contract that delegates function calls to a set of independent, modular contracts called facets. This architecture allows developers to build complex systems that can be upgraded, extended, and maintained without redeploying the entire codebase or managing multiple proxy addresses. It's the foundation for many advanced DeFi protocols and NFT platforms.
At its core, a Diamond has three key components: the Diamond proxy, facets, and the DiamondLoupe. The proxy is the main user-facing contract that holds the state and uses a mapping to route function selectors to facet addresses. Each facet is a standalone contract that implements a specific set of related functions, like ERC20Facet or StakingFacet. The DiamondLoupe is a standard facet that provides view functions to inspect which facets and functions are currently available in the Diamond, ensuring transparency.
To design an upgrade-ready architecture, you must first decompose your system's logic into discrete, cohesive modules. For example, a lending protocol might have separate facets for core vault logic, interest rate models, liquidations, and governance. This separation allows you to upgrade the liquidation mechanism without touching the core vault code. Use the LibDiamond library to manage the central diamondCut function, which is used to add, replace, or remove functions from the Diamond by updating the facet address for their selectors.
A critical design consideration is storage management. Facets cannot have their own persistent variables; they must read and write to a shared, structured storage layout defined in a library (like AppStorage). This prevents storage collisions between facets. Always define your storage structure upfront and use a unique namespace for your struct to avoid conflicts with future facets or external libraries. This approach ensures state persistence across upgrades.
Here is a basic example of a diamondCut to add a new function from a GreeterFacet:
solidity// The `diamondCut` takes FacetCut[] memory _diamondCut, address _init, bytes memory _calldata IDiamondCut.FacetCut[] memory cut = new IDiamondCut.FacetCut[](1); bytes4[] memory selectors = new bytes4[](1); selectors[0] = GreeterFacet.sayHello.selector; cut[0] = IDiamondCut.FacetCut({ facetAddress: address(new GreeterFacet()), action: IDiamondCut.FacetCutAction.Add, functionSelectors: selectors }); IDiamondCut(address(diamond)).diamondCut(cut, address(0), "");
This transaction adds the sayHello function to the Diamond's external interface.
When implementing a Diamond, security is paramount. Use a robust access control pattern (like OpenZeppelin's) in a dedicated facet to manage who can perform diamondCut operations. Thoroughly test facet interactions and storage access. For tooling, use the official Diamond Standard reference implementation and consider frameworks like SolidState Solidity which provide Diamond-compatible base contracts. This pattern enables truly modular and future-proof smart contract systems.
security-considerations
UPGRADEABLE CONTRACTS
Critical Security Considerations
Smart contract upgrades are essential for long-term protocol health but introduce significant security complexity. These guides cover the core architectural patterns and risks.
06
Audit Considerations for Upgrades
When auditing an upgradeable system, focus extends beyond the core logic. Key areas for auditors include:
- Proxy admin privileges: Who can upgrade? Is it timelocked?
- Initialization integrity: Can it be re-initialized or front-run?
- Storage compatibility: Are the V1 and V2 storage layouts fully compatible?
- Logic removal risks: For UUPS, does the new implementation still contain upgrade functions?
- Delegatecall implications: Ensuring the proxy's use of delegatecall does not expose unexpected context. Always request a dedicated "upgradeability review" from your audit firm.
~40%
of high-severity audit findings relate to upgrade mechanisms
UPGRADEABLE SMART CONTRACTS
Frequently Asked Questions
Common questions and solutions for designing smart contract systems that can be safely upgraded without disrupting users or losing data.
The Transparent Proxy pattern uses a dedicated ProxyAdmin contract to manage upgrades. The upgrade logic and admin rights are separate from the implementation contract. This pattern is simpler and more secure for beginners but costs more gas for every user call due to extra storage checks.
The UUPS (Universal Upgradeable Proxy Standard) pattern bakes the upgrade logic directly into the implementation contract itself. This is more gas-efficient for users but requires developers to ensure the upgrade function is preserved and secured in every new implementation version. Forgetting to include it can permanently lock the contract.
Key Takeaway: Use Transparent for simplicity and security, UUPS for gas optimization and advanced control.
resource-links
GUIDE BUILDING BLOCKS
Tools and Resources
These tools, standards, and frameworks help teams design contracts and systems that can evolve safely over time without breaking state, integrations, or user trust.
04
Storage Layout Analysis and Slot Planning
Storage layout tooling is critical for upgrade-ready design. Solidity assigns storage slots sequentially, and reordering variables can permanently corrupt state.
Best practices:
- Append new variables only, never reorder or delete
- Reserve space using storage gaps (
uint256[50] private __gap) - Snapshot storage layouts after every deployment
Tooling options:
- Hardhat and Foundry storage layout exports
- Manual slot math for packed structs and mappings
Advanced teams maintain a storage layout registry as part of protocol documentation. This allows auditors and future contributors to reason about state safety years after initial deployment.
05
Timelocks and Upgrade Governance
Upgrade-ready systems require clear, enforceable governance around who can upgrade and how quickly changes take effect.
Common components:
- Timelock controllers delaying upgrades by 24–72 hours
- On-chain multisig or DAO-controlled upgrade authority
- Publicly visible upgrade queues for monitoring
Implementation guidance:
- Separate upgrade authority from operational roles
- Require timelock execution even for emergency upgrades
- Emit explicit events for proposed and executed upgrades
Protocols like Uniswap and MakerDAO use timelocks to balance upgrade flexibility with user protection, making governance constraints a core part of system architecture.
conclusion
ARCHITECTURE PRINCIPLES
Conclusion and Next Steps
This guide has outlined the core principles for building smart contract systems that can evolve securely and efficiently over time.
Designing an upgrade-ready architecture is not about planning for every possible change, but about establishing a resilient framework that minimizes risk and technical debt. The key takeaways are: using a transparent proxy pattern like the ERC-1967 standard, separating logic from data storage, implementing robust access control, and rigorously testing upgrade simulations. These practices ensure your system remains secure, maintainable, and adaptable to new requirements without sacrificing user trust or requiring complex, high-risk migrations.
Your next steps should focus on implementation and governance. First, integrate a battle-tested library like OpenZeppelin's Upgradeable Contracts to handle the low-level proxy mechanics securely. Second, formalize your upgrade process. This includes creating a multi-signature TimelockController for executing upgrades, establishing a clear testing and staging pipeline on testnets, and drafting transparent communication plans for users. Tools like Hardhat Upgrades or Foundry scripts can automate deployment and verification, reducing human error.
Finally, consider the long-term evolution of your system. Explore patterns like the Diamond Standard (EIP-2535) for modular, gas-efficient upgrades if you anticipate frequent logic changes. Stay informed about new developments in the space, such as ERC-6900 for modular smart contract accounts, which may influence future architecture decisions. Continuous learning and community engagement through forums like the Ethereum Magicians or OpenZeppelin Forum are essential for maintaining a forward-looking, secure development practice.