The Universal Upgradeable Proxy Standard (UUPS) is an Ethereum smart contract upgrade pattern defined in EIP-1822 where the logic for performing upgrades is embedded within the implementation contract (logic contract) rather than a separate proxy admin contract. In this architecture, a proxy contract delegates all function calls to an implementation contract using the delegatecall opcode, but crucially, the proxy holds a function (like upgradeTo(address)) that points to the implementation. This design separates a contract's storage (held in the proxy) from its executable code (in the implementation), allowing the code to be replaced while preserving the contract's state, address, and balance.
LABS
Glossary
UUPS (Universal Upgradeable Proxy Standard)
The Universal Upgradeable Proxy Standard (UUPS) is a smart contract upgrade pattern where the logic for upgrading the contract is embedded within the implementation contract itself, rather than in a separate proxy admin contract.
Chainscore © 2026
definition
SMART CONTRACT ARCHITECTURE
What is UUPS (Universal Upgradeable Proxy Standard)?
A design pattern for making Ethereum smart contracts upgradeable, where upgrade logic is stored in the implementation contract itself.
The key technical distinction from the Transparent Proxy Pattern is the location of upgrade authorization logic. In UUPS, the upgradeTo function resides in the implementation contract itself, which the proxy executes via delegation. This makes the proxy contract simpler and slightly less expensive to deploy, as it contains minimal code. However, it places a critical responsibility on the implementation: developers must ensure the upgrade function is present and properly secured in every subsequent version, as removing it would permanently lock the contract. This pattern is often implemented using OpenZeppelin's UUPSUpgradeable library, which provides the secure, audited scaffolding for the upgrade mechanism.
A primary advantage of UUPS is reduced gas cost for proxy deployment and certain function calls compared to transparent proxies, as it avoids storage slot clashes for the admin address. Its main risk is upgradeability lockup: if a new implementation is deployed without the upgradeTo function, the proxy loses its ability to upgrade forever. This pattern is commonly used in gas-optimized DeFi protocols and NFT collections where future upgrades are anticipated but deployment efficiency is a priority. It requires rigorous testing to ensure the upgrade function is inherited and overridden correctly in all new versions.
how-it-works
UPGRADE MECHANISM
How UUPS Works
The Universal Upgradeable Proxy Standard (UUPS) is a smart contract design pattern that separates a contract's logic from its storage, enabling the logic to be upgraded while preserving the contract's state and address.
The UUPS (EIP-1822) pattern employs a proxy contract that delegates all function calls to a separate logic contract using the delegatecall opcode. This means the proxy executes the logic contract's code within its own storage context. The proxy stores a single, mutable address—the implementation—which points to the current version of the logic. When an upgrade is required, a new logic contract is deployed, and the proxy's implementation address is updated via a dedicated upgradeTo(address) function, which is itself part of the upgradeable logic.
A critical security feature of UUPS is that the upgrade logic resides within the logic contract itself, not the proxy. This design reduces the proxy's attack surface and gas cost. However, it places the responsibility on developers to ensure each new logic implementation includes the necessary upgrade functions and does not inadvertently corrupt storage layouts. The upgrade authorization mechanism, often managed via access control like OpenZeppelin's Ownable or AccessControl, is also implemented in the logic contract, governing who can call upgradeTo.
Compared to the Transparent Proxy pattern, UUPS proxies are more gas-efficient for users because they avoid the overhead of an admin fallback function check on every call. The trade-off is increased complexity for developers, who must carefully manage the upgradeable inheritance chain. A common implementation is to use OpenZeppelin's UUPSUpgradeable base contract, which provides the internal _authorizeUpgrade function that must be overridden with custom access control logic.
The upgrade process follows a strict sequence: 1) Deploy the new logic contract (Implementation V2), 2) Execute the upgradeTo function on the proxy, passing the new address, and 3) Optionally, call an initialization function in the new logic to migrate any required state. It is crucial that storage variables are append-only; variables cannot be removed or reordered between upgrades, as this would cause catastrophic storage collisions.
UUPS is the recommended standard for new upgradeable projects due to its gas efficiency and streamlined proxy contract. It is foundational for building upgradeable decentralized applications (dApps) and protocols that require the flexibility to fix bugs or add features post-deployment while maintaining a permanent contract address for users and integrations.
key-features
ARCHITECTURE
Key Features of UUPS
The Universal Upgradeable Proxy Standard (UUPS) is an Ethereum standard (EIP-1822) for upgradeable smart contracts that moves upgrade logic into the implementation contract itself.
01
Proxy-Implementation Pattern
The core architecture uses a proxy contract that delegates all calls to a separate logic (implementation) contract using delegatecall. User funds and state are stored in the proxy's storage, while the executable code resides in the implementation. This allows the logic to be upgraded by pointing the proxy to a new implementation address, without migrating state.
02
Upgrade Logic in Implementation
Unlike the Transparent Proxy pattern, UUPS places the upgradeTo(address) function within the implementation contract itself. This makes the proxy contract smaller and cheaper to deploy, but requires each new implementation to contain the upgrade mechanism. The upgrade authorization is managed by the implementation's internal access control (e.g., an onlyOwner modifier).
03
Gas Efficiency
UUPS proxies are more gas-efficient for users than Transparent Proxiders. There is no need for a proxy admin contract or complex routing logic to distinguish between admin and user calls. Every call is a direct delegatecall to the implementation, resulting in lower gas overhead for end-users interacting with the contract.
04
Initialization & Constructor Caveat
Because constructors in the implementation are not run on the proxy's context, UUPS contracts use an initializer function. This function, often protected (e.g., initializer modifier from OpenZeppelin), sets up the contract's initial state. A critical security requirement is that the initializer can only be called once to prevent re-initialization attacks.
05
Self-Destruct Risk
A significant architectural consideration is that the upgrade logic resides in the implementation. If an implementation with upgrade capabilities contains a selfdestruct function or a buggy upgrade function, it could brick the proxy or make it unusable. Later implementations can choose to remove the upgrade function entirely to finalize the contract.
06
EIP-1967 Storage Slots
UUPS implementations typically use EIP-1967 standard storage slots to store the implementation address in the proxy. This uses a specific, pseudo-random slot (0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc) to prevent storage collisions between the proxy and implementation, ensuring a reliable and predictable way to read the current logic address.
UPGRADE MECHANISM COMPARISON
UUPS vs. Transparent Proxy Pattern
A technical comparison of the two primary proxy patterns for upgradeable smart contracts on Ethereum.
| Feature | Universal Upgradeable Proxy Standard (UUPS) | Transparent Proxy Pattern |
|---|---|---|
Upgrade Logic Location | Implementation Contract | Proxy Contract |
Proxy Contract Size | Smaller (minimal runtime) | Larger (contains upgrade logic) |
Gas Cost for Deployment | Lower | Higher |
Gas Cost for User Calls | Identical | Identical |
Upgrade Function Selector Clash Risk | Present (must be managed) | Eliminated via |
Implementation Contract Can Self-Destruct | Yes (critical risk) | No (proxy logic is separate) |
Standardization / Auditability | EIP-1822 / EIP-1967 | Widely adopted, informal standard |
Recommended Use Case | Gas-optimized, expert teams | General purpose, higher safety |
security-considerations
UPPS
Security Considerations & Risks
The Universal Upgradeable Proxy Standard (UUPS) introduces specific security patterns and attack vectors that developers and auditors must understand. This section details critical risks and best practices for secure implementation.
01
Implementation Storage Collision
A UUPS proxy stores the implementation address in a specific storage slot defined by ERC1967Utils.IMPLEMENTATION_SLOT. A critical risk occurs if the implementation contract's own variables use the same storage slot, causing a storage collision. This can corrupt state and lead to a complete contract lockup.
- Mitigation: The implementation contract should use unstructured storage patterns or inherit from libraries like OpenZeppelin's
UUPSUpgradeable, which places its own variables in pseudo-random slots.
02
Uninitialized Implementation Attack
The _authorizeUpgrade function is a virtual function that must be overridden. If a developer deploys an implementation contract without overriding this function, the contract will be uninitialized and permanently open to upgrades by anyone.
- Consequence: Any attacker can point the proxy to a malicious contract, draining all funds.
- Mitigation: Always implement
_authorizeUpgradewith appropriate access control (e.g.,onlyOwner) and test that the function reverts correctly in the base implementation.
03
Function Selector Clashing
The proxy's fallback function delegates all calls to the implementation. If the implementation contains a function with the same 4-byte selector as upgradeTo(address) or upgradeToAndCall(address,bytes), it creates a dangerous clash.
- Risk: A user intending to call a regular function could inadvertently trigger a proxy upgrade.
- Mitigation: The
UUPSUpgradeablestandard includes a built-in check inupgradeTothat reverts if the new implementation is not UUPS-compliant, but developers must still audit function selectors.
05
Testing & Verification Rigor
Upgradeable contracts require more extensive testing than immutable ones. The test suite must cover:
- State Preservation: Verify that all storage variables persist correctly across upgrades.
- Upgrade Paths: Test upgrades from all previous versions to the new one.
- Authorization: Ensure the
_authorizeUpgradefunction works and reverts for unauthorized addresses. - Tooling: Use frameworks like OpenZeppelin Upgrades Plugins for Hardhat or Foundry, which include safety checks for storage layout incompatibilities.
06
Proxy Admin vs. UUPS
A key architectural choice is between the Transparent Proxy Pattern (with a ProxyAdmin) and UUPS. Understanding the security trade-offs is essential.
- Transparent Proxy: The upgrade logic is in a separate
ProxyAdmincontract. This separates concerns but adds gas overhead and another contract to secure. - UUPS: The upgrade logic is embedded in the implementation. This reduces gas costs for users but means each implementation must carry the upgradeability code and its risks. If a UUPS implementation self-destructs, upgradeability is lost forever.
code-example
UPGRADEABILITY PATTERN
Code Example Overview
This section provides a technical overview of the Universal Upgradeable Proxy Standard (UUPS), a smart contract pattern that separates logic from storage to enable seamless upgrades.
The Universal Upgradeable Proxy Standard (UUPS) is an Ethereum smart contract upgrade pattern where upgrade logic is embedded directly within the implementation contract itself, rather than in a separate proxy admin contract. This design, formalized in EIP-1822, uses a delegatecall from a minimal proxy to forward all transactions to a logic contract, allowing the proxy's behavior to be changed by updating the address of this implementation. The key distinction from the Transparent Proxy pattern is the location of the upgrade authorization mechanism.
A UUPS proxy's core function is to maintain a persistent storage slot (e.g., at keccak256('eip1967.proxy.implementation') - 1) holding the address of the current logic contract. When a user interacts with the proxy, it executes a delegatecall to the code at this stored address, using the proxy's own storage context. Crucially, the function to update this implementation address—upgradeTo(address newImplementation)—must be included and properly secured within the logic contract's code, typically protected by an access control modifier like onlyOwner.
The primary advantage of the UUPS pattern is gas efficiency. By eliminating the separate ProxyAdmin contract, deployment and transaction costs are lower. However, this introduces a critical responsibility: developers must ensure every new implementation contract retains a valid upgradeTo function. Forgetting to include this function in an update would permanently lock the proxy, making it impossible to upgrade further. This is a key trade-off compared to the more administrative, but safer, Transparent Proxy pattern.
Implementing UUPS requires careful attention to initialization. Since constructors are not copied during a delegatecall, an initialize function must be used to set up the proxy's initial state, and it must be protected against re-initialization. Modern libraries like OpenZeppelin Contracts provide standardized, audited base contracts (e.g., UUPSUpgradeable) that handle the upgrade mechanism and incorporate security checks, such as preventing upgrades to non-upgradeable implementations.
Use cases for UUPS are prevalent in production DeFi protocols and DAO treasuries where contract logic must evolve without migrating user assets or state. It is the recommended pattern for gas-sensitive applications where the upgrade function is called infrequently. Developers must rigorously test upgrade paths, including storage layout compatibility, to prevent introducing vulnerabilities during the migration to a new implementation contract.
ecosystem-usage
UPGRADE PATTERNS
Ecosystem Usage & Examples
The UUPS standard is a foundational upgrade pattern used by major protocols to manage contract evolution. Its implementation dictates key aspects of security, governance, and upgrade mechanics.
01
The Upgrade Mechanism
In UUPS, the upgrade logic is embedded in the implementation contract itself, not the proxy. The proxy delegates all calls to the implementation, which contains a function (e.g., upgradeTo) to point the proxy to a new address. This makes the proxy contract smaller and more gas-efficient during deployment. The key security check is that only authorized accounts (often a governance multisig or DAO) can call the upgrade function.
02
Security & Initialization
A critical UUPS pattern is the use of an initializer function instead of a constructor. Because the proxy delegates calls, constructors in the implementation are ineffective. Developers must expose an initialize function to set initial state, which must be protected from re-initialization, typically using an initializer modifier from OpenZeppelin libraries. Failure to secure this is a common vulnerability.
03
Transparent vs. UUPS Proxies
UUPS is often compared to the Transparent Proxy Pattern. The key difference is location of upgrade logic:
- Transparent: Logic is in the Proxy Admin contract.
- UUPS: Logic is in the Implementation contract. This makes UUPS proxies more gas-efficient for users, as they avoid storage slot clashes, but places the burden of maintaining upgradeability on the implementation, which can be self-destructed if not designed correctly.
04
Adoption by Major Protocols
Many leading DeFi and infrastructure projects use UUPS for its gas savings and flexibility.
- Uniswap v4: Uses UUPS proxies for its hook contracts, allowing hooks to be upgraded post-deployment.
- Aave: Employs UUPS for its pool configurations and governance-executed upgrades.
- OpenZeppelin Contracts: Provides the standard, audited
UUPSUpgradeablebase contract, which is the reference implementation for the ecosystem.
05
The Self-Destruct Risk
A unique risk in UUPS is that the upgrade authorization logic resides in the implementation. If an upgrade function contains a vulnerability or if an admin key is compromised, a malicious new implementation could include a selfdestruct call, which would destroy the implementation and brick all proxies pointing to it, permanently freezing user funds. This is not possible in the Transparent Proxy pattern.
06
Governance Integration
UUPS upgrades are typically governed by decentralized mechanisms. The upgradeTo function is guarded by an access control rule, often pointing to a Timelock Controller or a DAO's governance contract. This creates a delay between a proposal's approval and execution, allowing users to exit if they disagree with an upgrade. The sequence is: Governance vote → Timelock queue → Upgrade execution.
DEBUNKING MYTHS
Common Misconceptions About UUPS
The Universal Upgradeable Proxy Standard (UUPS) is a powerful pattern for smart contract upgradeability, but its mechanics are often misunderstood. This section clarifies the most frequent points of confusion developers encounter.
A UUPS proxy is not inherently less secure; its security model is simply different and shifts more responsibility to the implementation contract. In the Transparent Proxy Pattern, upgrade logic is in the proxy itself, while in UUPS, the upgrade logic (upgradeTo) is part of the implementation contract that can be self-destructed. The primary risk in UUPS is that if an upgrade function has a vulnerability or is removed in a new implementation, the proxy can become permanently frozen. However, UUPS proxies are generally more gas-efficient for users because they avoid the storage slot checks required by transparent proxies. Security depends entirely on the correctness of the implementation's upgrade mechanism.
UPGRADEABLE CONTRACTS
Technical Deep Dive
The Universal Upgradeable Proxy Standard (UUPS) is a sophisticated Ethereum smart contract pattern that separates a contract's logic from its storage, enabling seamless upgrades without data migration. This section dissects its core mechanisms, security considerations, and implementation details.
The Universal Upgradeable Proxy Standard (UUPS) is a smart contract design pattern that enables a contract's logic to be upgraded while preserving its storage and address. It works by using a proxy contract that delegates all function calls to a separate logic contract via the delegatecall opcode, allowing the proxy's storage to be manipulated by the logic contract's code. The proxy stores a single address pointing to the current logic implementation, which can be updated by an authorized account, making the system upgradeable. Unlike the Transparent Proxy pattern, the upgrade logic is embedded within the logic contract itself, not the proxy.
UUPS
Frequently Asked Questions (FAQ)
Common questions about the Universal Upgradeable Proxy Standard, a pattern for creating upgradeable smart contracts on Ethereum and other EVM-compatible blockchains.
The Universal Upgradeable Proxy Standard (UUPS) is a design pattern for smart contracts that separates a contract's logic from its storage, enabling the logic to be upgraded while preserving the contract's address and state. It works by using a proxy contract that delegates all function calls to a separate logic contract via the delegatecall opcode. The proxy stores the address of the current logic contract, and an authorized account can call an upgradeTo(address newImplementation) function to point the proxy to a new, upgraded logic contract. Unlike the Transparent Proxy pattern, the upgrade logic is embedded within the logic contract itself, not the proxy.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall