Smart contract upgrades are a fundamental tool for protocol evolution, but they introduce the critical challenge of state preservation. Unlike redeploying a new contract, an upgrade must seamlessly migrate or retain the existing storage layout—including user balances, configuration variables, and contract relationships. A flawed strategy can lead to catastrophic data loss, frozen funds, or broken integrations. This guide focuses on the practical implementation of strategies to ensure a safe and deterministic transition of state during an upgrade event.
LABS
Guides
How to Implement a State Preservation Strategy During Upgrades
A technical guide for developers on ensuring user data and contract storage remain intact after a proxy logic upgrade. Covers storage collision risks, unstructured storage patterns, and testing for layout compatibility.
Chainscore © 2026
introduction
INTRODUCTION
How to Implement a State Preservation Strategy During Upgrades
A robust state preservation strategy is critical for maintaining contract integrity and user trust during on-chain upgrades. This guide outlines the core patterns and implementation details.
The cornerstone of state preservation is a predictable storage layout. In Solidity, state variables are stored in contract storage slots based on their declaration order. The most common and secure pattern is the Proxy Pattern, which uses a proxy contract that delegates logic calls to a separate implementation contract. The proxy holds all state, while the implementation holds the code. When you upgrade, you deploy a new implementation and point the proxy to it, leaving the state untouched. It's essential that the new implementation's storage variables are append-only; you cannot reorder, remove, or change the type of existing variables, as this will corrupt the stored data.
For more complex migrations that require transforming existing data, you must implement a migration function. This is often part of the initialization routine in the new implementation contract. For example, if you need to split a user's staked tokens into a new vault system, the upgrade function would read each user's balance from the old storage structure, perform the calculation, and write the new state. This function should be protected by access controls (e.g., only the owner can call it) and include safeguards to prevent re-execution. Always test migration scripts extensively on a forked mainnet environment before executing them live.
Beyond basic proxies, consider using established upgradeability standards like the Transparent Proxy Pattern or UUPS (EIP-1822). UUPS builds the upgrade logic directly into the implementation contract, making it more gas-efficient. However, it requires the developer to explicitly include and secure the upgrade function. Regardless of the pattern, you must use tools like OpenZeppelin's Upgrades Plugins for Hardhat or Foundry. These tools automatically check for storage layout incompatibilities, preventing deployments that would corrupt your contract's state, and manage the proxy administration securely.
A complete strategy also involves pre- and post-upgrade checks. Before the upgrade, create a comprehensive state snapshot using tools like Tenderly or a custom script. After upgrading, execute a series of verification calls to ensure: user balances are correct, core functions operate as expected, and all external integrations (like oracles or other contracts) still work. Document every step and have a verified rollback plan. By treating state as the most valuable asset and following these structured implementation practices, you can execute upgrades that enhance functionality without compromising security or user funds.
prerequisites
PREREQUISITES
How to Implement a State Preservation Strategy During Upgrades
This guide outlines the essential concepts and preparatory steps for designing a robust state preservation strategy for smart contract upgrades.
A state preservation strategy is a critical component of any upgradeable smart contract system. It ensures that the valuable data stored in your contract—user balances, configuration settings, and protocol state—remains intact and accessible after a logic upgrade. Without a deliberate strategy, a new implementation contract deployed via a proxy pattern will start with empty storage, effectively resetting your application. The core challenge is decoupling the contract's storage layout from its executable logic, allowing the latter to be replaced while the former persists.
The foundation of state preservation is understanding Ethereum's storage model. A contract's state is a key-value store where each 32-byte slot is indexed by a unique key derived from variable declarations. When using upgrade patterns like the Transparent Proxy or UUPS, the proxy contract holds the storage, and the implementation contract contains the logic that reads and writes to it. Therefore, any new implementation must maintain storage layout compatibility with its predecessor. Incompatible layouts, such as changing the order or types of state variables, will cause catastrophic data corruption.
To prepare for safe upgrades, you must first choose and implement a structured approach to storage management. The most common method is inheritance-based storage, where state variables are defined in base contracts that remain constant across upgrades. More advanced patterns include Eternal Storage, which uses generic bytes32 slots accessed via getters/setters, and Storage Libraries that separate logic from data structures. Tools like the OpenZeppelin Upgrades Plugins can automatically validate storage layout compatibility, but a deep conceptual understanding is required to use them effectively.
Your implementation must also account for initialization logic. Unlike a constructor, which runs only once on deployment, an upgradeable contract uses a separate initializer function to set up initial state. This function must be protected from re-execution, typically using an initializer modifier. Furthermore, if your upgrade introduces new state variables, you may need a migration function to populate them with derived or default values based on the existing preserved state, executed atomically as part of the upgrade process.
Finally, rigorous testing is non-negotiable. Before deploying any upgrade, you should run a full test suite in a forked environment against the new implementation contract, verifying that all state reads and writes function correctly with the legacy storage. Simulate the upgrade process end-to-end, testing the migration of live data. This process helps identify subtle bugs in storage access patterns that could lead to permanent loss of funds or protocol failure, making it the most crucial prerequisite for a successful upgrade.
key-concepts-text
KEY CONCEPTS: STORAGE COLLISIONS AND PROXIES
State Preservation Strategies During Smart Contract Upgrades
Learn how to safely upgrade smart contracts without losing critical data by understanding storage collisions and implementing proxy patterns.
When upgrading a smart contract, the most critical risk is a storage collision. This occurs when the new contract's variable layout in storage does not perfectly match the old one. Ethereum's storage is a key-value store where each 32-byte slot is accessed by an index. If you deploy a new logic contract (V2) where variable owner moves from slot 0 to slot 1, but the proxy's storage still holds the owner value at slot 0, V2 will read incorrect data, potentially causing catastrophic failures. This is why direct upgrades of immutable contracts are impossible; you must use a proxy pattern to separate logic from data storage.
The most common solution is the Transparent Proxy Pattern, used by OpenZeppelin's TransparentUpgradeableProxy. This pattern uses three contracts: a Proxy, a Logic Implementation, and a ProxyAdmin. The Proxy contract holds all state variables in its own storage. When a user calls the Proxy, it delegates the call to the current Logic Implementation contract using delegatecall. The key is that delegatecall executes the logic from the implementation contract within the context of the proxy's storage. This means you can deploy a new V2 logic contract and update the Proxy's pointer to it, while all user data remains safely stored in the Proxy's original storage slots.
To prevent storage collisions between upgrades, you must adhere to inheritance storage alignment. When writing your initial implementation, you must declare all state variables that will ever be used, or reserve storage gaps for future use. For example, in an upgradeable ERC-20, you would inherit from OpenZeppelin's ERC20Upgradeable and declare your variables in a specific order. You cannot change the order of inherited contract variables or insert new variables between existing ones in subsequent versions. New variables must always be appended. Failing to follow this rule will shift all subsequent variable slots, causing collisions.
A more advanced pattern is the UUPS (EIP-1822) Proxy, where the upgrade logic is built into the implementation contract itself, not the proxy. This makes the proxy cheaper to deploy. However, it places the responsibility on the developer to include and properly secure the upgradeTo function in the logic contract. Whether using Transparent or UUPS proxies, the upgrade process is a two-step transaction: first deploying the new logic contract, then calling the admin function (upgrade or upgradeTo) to point the proxy to the new address. Tools like Hardhat Upgrades and Foundry can automate this process and perform critical storage layout checks.
Before any upgrade, you must run a storage layout diff to verify compatibility. Tools like @openzeppelin/upgrades-core can compare the storage layouts of the old and new implementations. The check will fail if you modify or remove an existing variable type, or insert a new variable in the middle of the layout. A successful upgrade strategy also requires rigorous testing: deploy a proxy with V1, populate it with mock data, perform the upgrade to V2, and verify that all state is preserved and new functions work correctly. Always use a testnet or local fork before executing an upgrade on mainnet.
storage-strategies
UPGRADE PATTERNS
State Preservation Strategies
Maintaining contract state and user data integrity is critical during smart contract upgrades. These strategies ensure continuity and security.
04
Data Migration Strategies
For changes that require transforming existing state, a migration must be executed.
- In-Place Migration: A one-time function in the new implementation that rewrites storage values. Requires careful access control and gas planning.
- V2 Relaunch with Bridging: Deploy a new, separate contract system and allow users to bridge their old tokens or positions to the new one. This is common for complete overhauls but introduces user friction.
- Always design upgrades to be state-compatible to avoid costly migrations.
unstructured-storage-implementation
UPGRADE STRATEGY
Implementing Unstructured Storage
A guide to preserving smart contract state during upgrades using the unstructured storage proxy pattern, a core technique for upgradeable contracts.
The unstructured storage pattern is a proxy-based upgrade strategy that stores a contract's implementation address in a pseudo-random storage slot. Unlike the transparent proxy pattern, which uses a dedicated storage variable, this method reduces the risk of storage collisions between the proxy and implementation. The key is calculating a storage slot that is highly unlikely to be used by the implementation logic itself, typically via bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1). This slot stores the address of the current logic contract.
To implement this, you need three core contracts: a Proxy, a Logic contract, and often a ProxyAdmin. The Proxy's fallback function uses delegatecall to forward all transactions to the logic contract address stored in the predetermined slot. The state resides in the Proxy's storage context, while the logic is executed from the separate implementation contract. Upgrading involves a privileged function (usually in a ProxyAdmin) that writes a new logic contract address to that same storage slot, instantly changing the contract's behavior while preserving all existing data.
A critical advantage is storage isolation. Since the implementation address is stored in a specific, hashed slot, the logic contract's own variables are less likely to overwrite it. This is safer than the inherited storage pattern. However, you must still carefully manage the storage layout in your logic contracts. Adding, removing, or reordering state variables in a new implementation can corrupt the proxy's stored data. Tools like OpenZeppelin's StorageSlot library help manage these slots safely.
Here is a simplified proxy core using unstructured storage:
soliditycontract UUPSProxy { bytes32 private constant _IMPLEMENTATION_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc; constructor(address implementation) { _setImplementation(implementation); } function _setImplementation(address newImplementation) private { StorageSlot.getAddressSlot(_IMPLEMENTATION_SLOT).value = newImplementation; } fallback() external payable { address impl = StorageSlot.getAddressSlot(_IMPLEMENTATION_SLOT).value; assembly { calldatacopy(0, 0, calldatasize()) let result := delegatecall(gas(), impl, 0, calldatasize(), 0, 0) returndatacopy(0, 0, returndatasize()) switch result case 0 { revert(0, returndatasize()) } default { return(0, returndatasize()) } } } }
For production use, adopt audited libraries like OpenZeppelin Contracts. Their UUPSUpgradeable abstract contract provides a secure, standardized template. The upgrade function (upgradeTo) is part of the logic contract itself, which must include authorization checks. This pattern, known as UUPS (EIP-1822), gas-optimizes proxies by embedding upgrade logic in the implementation. Always initialize upgradeable contracts using an initializer function instead of a constructor, and employ tools like the OpenZeppelin Upgrades Plugins to automate deployment and validate storage compatibility between versions.
STRATEGY OVERVIEW
Storage Strategy Comparison
A comparison of common approaches for preserving smart contract state during upgrades.
| Feature | Storage Proxy | Diamond Pattern | Data Contract |
|---|---|---|---|
State Preservation | |||
Upgrade Gas Cost | $50-150 | $200-500 | $20-50 |
Implementation Complexity | Low | High | Medium |
Storage Overhead | None | ~10-20% | Minimal |
Delegatecall Support | |||
Storage Collision Risk | High | None | Low |
Popular Examples | OpenZeppelin | EIP-2535 | MakerDAO |
Best For | Simple logic upgrades | Modular systems | Shared data models |
testing-storage-compatibility
UPGRADE STRATEGY
Testing Storage Layout Compatibility
A guide to verifying and preserving smart contract state during upgrades using storage layout checks.
When upgrading a smart contract, preserving the existing state is non-negotiable. The Ethereum Virtual Machine (EVM) stores data in persistent storage slots based on the order and type of variables declared in your contract. An incompatible storage layout—such as changing a variable's type, reordering state variables, or inserting a new variable between existing ones—can lead to catastrophic data corruption. The new contract will read from the wrong slot, interpreting old data as a different type, which often results in a permanently broken contract. This makes systematic testing before deployment critical.
The primary tool for this is slither-check-upgradeability, part of the Slither static analysis framework. After installing Slither (pip install slither-analyzer), you can run it against your new contract version, specifying the original proxy contract. The command slither-check-upgradeability contractV1.sol:ContractName contractV2.sol:ContractName will analyze both versions. It performs several critical checks: verifying that the inheritance order is unchanged, confirming no variable type changes (e.g., uint256 to uint128), and ensuring no new variables are inserted into the middle of the existing layout.
For a more granular, programmatic approach, you can use OpenZeppelin's Upgrades plugins with Hardhat or Foundry. These tools include a validateUpgrade function that compares storage layouts and throws an error if an incompatibility is detected. For example, in a Hardhat script, you would call await upgrades.validateUpgrade(previousImplAddress, newImplFactory). This validation is the same check performed during an actual upgrade via upgrades.upgradeProxy, providing a safety net to run in your CI/CD pipeline before any mainnet deployment.
Beyond automated tools, understanding the layout manually is valuable. You can inspect it using solc --storage-layout. This outputs a JSON mapping of each state variable to its assigned slot and offset. When planning an upgrade, you must only append new variables to the end of the contract. If you need to modify a data structure, consider migrating to a new, separate contract or using an Eternal Storage pattern where data is kept in a dedicated library using explicit slot assignments, decoupling the data schema from the business logic.
A robust testing strategy integrates these checks into your development workflow. Write unit tests that deploy version A, populate its state, upgrade to version B, and then assert that all historical data is accessible and correct. Use a forked mainnet environment in Foundry or Hardhat to simulate the upgrade on real data. The final, essential step is to run the upgrade on a testnet first, verifying all state reads correctly. This layered approach—static analysis, programmatic validation, manual review, and live testnet deployment—is the best practice for ensuring a safe, state-preserving upgrade.
STATE PRESERVATION
Common Mistakes and Pitfalls
Upgrading smart contracts without losing critical data is a complex challenge. This section addresses frequent developer errors and provides solutions for robust state management during migrations.
Data loss typically occurs when the new contract's storage layout is incompatible with the old one. The Ethereum Virtual Machine (EVM) accesses storage via fixed slot positions. If you add, remove, or reorder state variables between upgrades, the new logic will read from the wrong slots.
Common causes:
- Adding new variables in the middle of existing ones.
- Changing variable types (e.g.,
uint256touint128). - Using inheritance that alters the storage layout calculation.
Solution: Always append new state variables after existing ones and use tools like slither or hardhat-storage-layout to verify compatibility.
resource-links
UPGRADE SAFETY
Tools and Resources
These tools and references help developers preserve contract state during upgrades by enforcing storage compatibility, validating migrations, and reducing the risk of corrupted data.
STATE PRESERVATION
Frequently Asked Questions
Common questions and solutions for preserving smart contract state during upgrades, addressing developer challenges with proxy patterns and storage management.
State preservation is the process of maintaining a smart contract's stored data (like user balances, configuration variables, and mappings) when its logic is upgraded. It's crucial because Ethereum's smart contracts are immutable by default; deploying a new contract creates a fresh, empty storage layout, losing all previous data.
Proxy patterns solve this by separating logic from storage. A permanent proxy contract holds the state and user funds, while delegating function calls to a changeable logic contract. When you upgrade, you deploy new logic and update the proxy's pointer, preserving the existing storage. Without this, upgrades would require complex and risky migration processes, often leading to user fund loss.
conclusion
IMPLEMENTATION SUMMARY
Conclusion and Next Steps
A successful state preservation strategy is a non-negotiable component of secure and reliable smart contract upgrades. This guide has outlined the core principles and patterns.
To implement a robust state preservation strategy, you must first architect for upgradeability from the start. This means using a proxy pattern like the Transparent Proxy or UUPS (EIP-1822) and strictly separating logic from data storage. Your storage layout must be defined in a base contract that inherits from a library like OpenZeppelin's Initializable and is never modified in subsequent logic versions. Any new variables must always be appended to the end of the existing storage structure to prevent catastrophic storage collisions.
For your next steps, begin by auditing your current contract's state variables. Map each variable to its explicit storage slot using tools like solc --storage-layout. Then, write and test your upgrade migration scripts. A common practice is to create a Migration.sol contract that executes within the context of the new logic contract via a delegatecall, carefully reading the old state and writing to new, appended storage slots. Always run these scripts on a forked testnet (using Foundry or Hardhat) before mainnet deployment to simulate the exact state conditions.
Finally, integrate state preservation into your broader DevOps and governance workflow. Your upgrade process should include: a full storage layout diff between versions, on-chain execution of any necessary state migrations, and comprehensive post-upgrade testing that verifies both new functionality and the integrity of all persisted data. Remember, the goal is not just to upgrade, but to do so without a single user noticing their balances, permissions, or historical data have been affected. For continued learning, review real-world examples in the OpenZeppelin Upgrades Plugins documentation and the UUPS EIP-1822 standard.