An upgradeable proxy is a smart contract design pattern that uses a proxy contract to delegate all function calls to a separate implementation contract (or logic contract) while storing all state variables itself. This separation of logic and storage allows developers to deploy a new implementation contract and point the proxy to it, effectively upgrading the contract's functionality. The proxy's address, which users and other contracts interact with, remains constant, preserving the protocol's on-chain state and external integrations. This pattern is critical for long-term project maintenance and bug fixes in immutable blockchain environments.
LABS
Glossary
Upgradeable Proxy
An upgradeable proxy is a smart contract architecture where a proxy contract delegates logic calls to a separate implementation contract, allowing the logic to be upgraded without changing the proxy's address or stored state.
Chainscore © 2026
definition
SMART CONTRACT ARCHITECTURE
What is an Upgradeable Proxy?
An upgradeable proxy is a foundational design pattern in smart contract development that separates a contract's logic from its storage, enabling the deployed code to be updated without losing its state or address.
The core mechanism enabling this is the delegatecall opcode. When a user calls a function on the proxy, it uses delegatecall to execute the code from the current implementation contract in the context of the proxy's own storage. This means the logic contract's code runs as if it were part of the proxy, allowing it to read and write the proxy's stored data. Common proxy patterns include the transparent proxy (which routes calls based on the caller's address) and the UUPS (EIP-1822) pattern (where upgrade logic is built into the implementation contract itself).
Managing upgrades requires a secure proxy admin or ownership mechanism to authorize changes. A significant security consideration is storage collision, where changes in the new implementation's variable layout corrupt the proxy's existing storage. Standards like EIP-1967 define specific storage slots for the implementation address and admin to prevent these collisions. Despite its benefits, upgradeability introduces centralization and trust risks, as the entity controlling the upgrade key can alter the contract's behavior. Projects often use timelocks and multi-signature wallets to mitigate these risks and provide transparency for users.
Prominent frameworks like OpenZeppelin Contracts provide extensively audited libraries for implementing upgradeable proxies, abstracting away much of the complexity. Real-world examples include major DeFi protocols like Uniswap and Aave, which have used upgradeable proxies to introduce new features and optimizations over time. When auditing or interacting with upgradeable contracts, it is essential to verify not just the current implementation but also the governance controls around the upgrade mechanism, as this defines the system's future security and behavior.
key-features
UPGRADEABLE PROXY
Key Features
An upgradeable proxy is a smart contract design pattern that separates a contract's logic from its storage, enabling the deployed logic to be updated without losing data or changing the contract's address.
01
Proxy Contract
The permanent, user-facing contract that holds the state (storage) and forwards all calls via delegatecall to the current logic implementation. Users interact directly with this address, which never changes.
02
Logic/Implementation Contract
Contains the executable business logic and function definitions. This contract is deployed separately and can be replaced. It operates on the storage context of the Proxy contract when called.
03
Delegatecall
The low-level EVM opcode that enables the upgrade pattern. When the Proxy calls the Logic contract via delegatecall, the code from the Logic contract executes in the context of the Proxy's storage, msg.sender, and msg.value.
04
Proxy Admin / Storage Slot
The mechanism for managing upgrades. Common patterns include:
- Transparent Proxy: Uses an Admin contract to manage upgrades, preventing admin address from accidentally calling logic via the proxy.
- UUPS (EIP-1822): Upgrade authorization logic is built into the implementation contract itself, making it more gas-efficient.
05
Storage Collisions
A critical risk where the memory layout of the Proxy and Implementation contracts conflict. Standard patterns (like EIP-1967) define specific, pseudo-random storage slots for the implementation address to prevent accidental overwrites of critical variables.
06
Initialization Function
Because constructors don't work with proxies, an initializer function (often protected with initializer or reinitializer modifiers) is used to set up the initial state of the contract after deployment, mimicking a constructor.
how-it-works
ARCHITECTURE
How an Upgradeable Proxy Works
A technical breakdown of the proxy pattern, a foundational smart contract design that separates a contract's storage and logic to enable seamless upgrades on-chain.
An upgradeable proxy is a smart contract architecture that separates a contract's storage (state) from its logic (implementation), enabling the deployed logic to be updated without migrating assets or data. The core system consists of two contracts: a Proxy Contract that holds all state variables and user funds, and a separate Implementation Contract (or Logic Contract) that contains the executable code. All user interactions are directed to the proxy, which uses a low-level delegatecall to execute the code from the current implementation contract, while preserving the proxy's own storage context.
The upgrade mechanism is controlled by a Proxy Admin, which can be a multi-signature wallet or a governance contract. To perform an upgrade, the admin deploys a new version of the implementation contract and then calls a function on the proxy (e.g., upgradeTo(address)) to update its stored reference to the new logic address. Crucially, this change is atomic and immediate; all subsequent calls to the proxy automatically use the new code. This pattern solves the inherent immutability of blockchains by providing a controlled path for bug fixes, feature additions, and standard compliance (like ERC-165) post-deployment.
Several standard implementations exist to manage upgrade safety and storage collisions. Transparent Proxy patterns (like OpenZeppelin's) route calls based on the caller's address to prevent selector clashes between the proxy's admin functions and the implementation's interface. UUPS (Universal Upgradeable Proxy Standard) proxies move the upgrade logic into the implementation contract itself, making them more gas-efficient but requiring each new implementation to contain the upgrade function. A critical consideration is storage layout preservation; new implementations must append variables or use unstructured storage patterns to avoid corrupting existing data when the storage slots referenced by delegatecall are altered.
While powerful, the pattern introduces centralization and security risks. The admin key becomes a central point of failure; if compromised, an attacker can upgrade the proxy to malicious logic. Furthermore, developers must rigorously test new implementations for storage compatibility and initialize functions correctly to prevent reinitialization attacks. Best practices involve using audited, standard libraries (e.g., OpenZeppelin Contracts), implementing timelocks on upgrade functions, and eventually moving admin control to a decentralized governance system to achieve a trust-minimized upgrade path for the protocol.
visual-explainer
UPGRADEABLE SMART CONTRACTS
Visual Explainer: The Proxy Pattern Flow
A step-by-step breakdown of how the proxy pattern enables smart contract logic to be updated while preserving state and contract address.
The proxy pattern is a foundational architectural design in blockchain development that separates a contract's storage and logic into two distinct components: a Proxy Contract and one or more Implementation Contracts (also called Logic Contracts). This separation is the core mechanism that enables upgradeability, allowing developers to deploy new logic without migrating user data or changing the contract's on-chain address that users and other contracts interact with.
The flow begins when a user sends a transaction to the proxy's address. The proxy contract, which holds all the persistent storage (like user balances and variables), does not execute the logic itself. Instead, it uses the low-level delegatecall opcode to forward, or delegate, the call to the current implementation contract. Delegatecall executes the code of the implementation contract within the context of the proxy's storage, meaning any state changes are written to the proxy, not the implementation.
A critical component managing this flow is the Proxy Admin or a built-in upgrade mechanism. This component stores the address of the current implementation contract. When an upgrade is authorized, this address is updated to point to a new, audited implementation contract. From that point forward, all new delegatecalls from the proxy will execute the new logic, seamlessly upgrading the system's functionality for all users without any action on their part.
This pattern introduces important considerations. Storage collisions must be avoided by carefully structuring storage layouts in sequential implementations. Furthermore, the proxy itself becomes a central point of failure and control, making secure access management to the upgrade function paramount. Patterns like Transparent Proxies and UUPS (EIP-1822) Proxies have emerged to formalize and secure these admin rights and delegatecall mechanisms.
In practice, a user's interaction with a dApp using a proxy is indistinguishable from a regular contract. They sign transactions for the proxy address (e.g., to deposit tokens). Behind the scenes, the proxy delegates the call, the new logic validates and processes it, and the resulting state change is committed to the proxy's storage. This elegant abstraction is why major DeFi protocols and NFT projects rely on proxies for long-term maintenance and bug fixes.
UPGRADEABILITY
Proxy Pattern Comparison: Transparent vs UUPS
A technical comparison of the two dominant patterns for implementing upgradeable smart contracts on the EVM.
| Feature | Transparent Proxy | Universal Upgradeable Proxy Standard (UUPS) |
|---|---|---|
Proxy-to-Implementation Call Routing | Proxy contract uses | Logic contract contains upgrade function and uses |
Upgrade Function Location | In the Proxy contract. | In the Implementation (Logic) contract. |
Gas Cost for User Calls | ~2.4k gas overhead for non-admin calls. | ~100 gas overhead (minimal proxy cost). |
Implementation Contract Size | Can be larger, as upgrade logic is not required. | Must be smaller to avoid the 24KB contract size limit, as it includes upgrade logic. |
Upgrade Authorization | Managed by an admin address stored in the Proxy. | Managed by an authorization mechanism (e.g., |
Risk of Implementation Function Collision | High. Admin must avoid function selector clashes with proxy. | None. No function selector clashes between proxy and logic. |
Standardization (EIP) | Not formally standardized, but a widely used pattern. | EIP-1822 (legacy) / EIP-1967 (current standard for storage slots). |
Typical Use Case | Simplicity, where gas savings on user calls are less critical. | Gas optimization for users and explicit upgrade management in logic. |
ecosystem-usage
UPGRADEABLE PROXY
Ecosystem Usage
The upgradeable proxy pattern is a foundational smart contract architecture enabling protocol evolution. It separates logic from storage, allowing developers to deploy bug fixes, security patches, and new features without migrating user state or assets.
01
Core Architecture
An upgradeable proxy uses three key components:
- Proxy Contract: Holds the storage (user balances, state) and delegates all function calls.
- Logic/Implementation Contract: Contains the executable code and business logic.
- Proxy Admin: Manages the upgrade authorization, controlling which logic contract the proxy points to. This separation, often following the EIP-1967 standard, is the bedrock of major DeFi protocols like Aave and Compound.
02
Security & Governance
Upgradeability introduces centralization risks, mitigated through timelocks and decentralized governance. A timelock contract enforces a mandatory delay between a governance vote approving an upgrade and its execution, allowing users to review code or exit. Major DAOs like Uniswap and MakerDAO use this model, where token holders vote on upgrades via proposals, transferring upgrade control from developers to the community.
03
Implementation Patterns
Different patterns balance flexibility, gas costs, and complexity:
- Transparent Proxy (EIP-1967): Prevents selector clashes between admin and user functions. Used by OpenZeppelin's popular library.
- UUPS (EIP-1822): Upgrade logic is built into the implementation contract itself, making proxies cheaper to deploy. Gaining adoption for its gas efficiency.
- Beacon Proxy: A single beacon contract stores the implementation address for many proxy instances, enabling mass upgrades (e.g., for an NFT collection).
05
Storage Management
A critical constraint is storage layout preservation. When upgrading a logic contract, new variables must be appended; reordering or deleting existing variables corrupts the proxy's stored data. Developers use:
- Inherited Storage: Adding new variables via inheritance chains.
- Storage Gaps: Reserving unused slots in base contracts for future expansion.
- Eternal Storage: Using generic
bytes32slots accessed via getters/setters for maximum flexibility.
06
Risks & Considerations
While powerful, the pattern carries inherent risks:
- Admin Key Compromise: If a single private key controls the proxy, it becomes a central point of failure.
- Upgrade Malice: A malicious upgrade could steal funds or change protocol rules.
- Implementation Bugs: The new logic contract itself may contain vulnerabilities.
- Storage Collisions: Incorrect upgrades can permanently corrupt user data. These risks necessitate rigorous auditing, transparent governance, and widespread use of timelocks.
security-considerations
UPGRADEABLE PROXY
Security Considerations & Risks
While upgradeable proxies enable smart contract evolution, they introduce unique security vectors. This section details the critical risks developers and auditors must address.
01
Storage Collision & Initialization
A critical risk where the storage layout of the proxy contract and the implementation contract become misaligned, leading to data corruption. This can occur during upgrades if new variables are added in the wrong order.
- Uninitialized Proxies: If the implementation contract's
initializefunction is not called or is callable by anyone, it can leave the contract in a vulnerable state. - Constructor Caveat: Constructors in the implementation are not executed on the proxy. Using an
initializerfunction protected by aninitializermodifier is the standard pattern to prevent re-initialization attacks.
02
Function Selector Clashes
A risk where a function signature in the implementation contract unintentionally matches a function in the proxy itself, causing the proxy to execute its own logic instead of delegating the call.
- Proxy Admin Functions: Common proxy functions like
upgradeTo(address)oradmin()in the proxy contract must have unique selectors that do not collide with the implementation's public interface. - Transparent Proxy Pattern: This pattern mitigates the risk by routing all calls through the proxy, which checks the caller's address. If the caller is the admin, it executes proxy admin functions; otherwise, it delegates to the implementation.
03
Governance & Centralization
The upgrade mechanism typically relies on a privileged address or multi-signature wallet, creating a central point of failure and control.
- Admin Key Compromise: If the private key controlling the proxy admin is lost or stolen, an attacker can upgrade the contract to a malicious implementation.
- Rug Pull Risk: Malicious developers can use the upgrade function to replace the logic with code that drains user funds.
- Mitigation: Use time-locked, multi-signature governance controlled by a decentralized autonomous organization (DAO) to authorize upgrades, providing transparency and community oversight.
04
Implementation Integrity
The security of the proxy is only as strong as the implementation contract it points to. Auditing and verification are continuous requirements.
- Verification Lag: Newly deployed implementation contracts must be fully verified and audited before the upgrade is executed. An unverified contract is a major red flag.
- Backdoors & Logic Bugs: The upgradeable implementation itself may contain vulnerabilities. A robust audit must cover both the initial logic and any new code introduced in upgrades.
- Immutable Reference: Consider using an immutable proxy pattern for contracts where the logic is definitively finalized, eliminating upgrade-related risks entirely.
UPGRADEABLE PROXIES
Common Misconceptions
Upgradeable proxy patterns are a foundational tool for smart contract development, but their mechanics and security implications are often misunderstood. This section clarifies the most frequent points of confusion.
An upgradeable proxy is a smart contract design pattern that separates a contract's storage and logic, allowing the logic to be updated while preserving the contract's address, state, and user interactions. It works through a delegatecall mechanism where a Proxy contract holds all storage and forwards function calls via delegatecall to a separate Implementation (or Logic) contract, which contains the executable code. The proxy's storage layout is immutable, but a new implementation address can be pointed to, effectively "upgrading" the contract's behavior. Common standards include EIP-1967, Transparent Proxy, and UUPS (EIP-1822).
UPGRADEABLE PROXY
Technical Deep Dive
An upgradeable proxy is a foundational smart contract pattern that separates a contract's logic from its storage, enabling the logic to be updated while preserving the contract's address, state, and user interactions.
An upgradeable proxy is a smart contract design pattern that separates a contract's storage (state) from its logic (implementation), allowing the logic to be replaced while preserving the contract's address and data. It works through delegatecall, where a lightweight proxy contract forwards all function calls to a separate logic contract, executing the logic in the proxy's storage context. This enables developers to fix bugs or add features by deploying a new logic contract and updating the proxy's reference, a process governed by an admin or proxy admin contract.
Key components are:
- Proxy Contract: Holds the storage and a pointer to the logic address.
- Logic/Implementation Contract: Contains the executable code.
- ProxyAdmin: A contract that manages upgrade authorization.
UPGRADEABLE PROXY
Frequently Asked Questions (FAQ)
Essential questions and answers about upgradeable proxy patterns, a critical smart contract architecture for managing on-chain logic updates.
An upgradeable proxy is a smart contract design pattern that separates a contract's storage and logic, allowing the deployed logic to be updated while preserving the contract's state and address. It works by using a Proxy Contract that delegates all function calls via delegatecall to a separate Implementation Contract (or Logic Contract) which contains the executable code. The proxy holds the storage (data), while a separate Proxy Admin contract typically holds the authority to upgrade the address of the implementation contract it points to. This allows developers to fix bugs or add features without requiring users to migrate to a new contract address.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall