The Universal Upgradeable Proxy Standard (UUPS) is a smart contract design pattern, formalized in EIP-1822, that enables the logic of a decentralized application to be upgraded while preserving its state and contract address. Unlike the older Transparent Proxy pattern, the upgrade logic in UUPS is embedded directly within the implementation contract, not the proxy. This design makes the proxy contract simpler and less expensive to deploy, as it contains only minimal code for forwarding function calls via delegatecall to the current logic implementation.
LABS
Glossary
UUPS (Universal Upgradeable Proxy Standard)
An upgradeable proxy standard where the logic for upgrades is embedded within the implementation contract itself, rather than in a separate proxy admin contract.
Chainscore © 2026
definition
BLOCKCHAIN DEVELOPMENT
What is UUPS (Universal Upgradeable Proxy Standard)?
A smart contract upgrade pattern that separates logic from storage and centralizes upgrade authorization in the logic contract itself.
The core mechanism relies on a proxy contract that stores the address of the current logic contract and a function selector clash for the upgrade function. The proxy uses a delegatecall to execute all logic in the context of its own storage. The key upgrade function, often named upgradeTo(address newImplementation), is included in the logic contract itself. This means the authority to upgrade—typically guarded by an onlyOwner modifier—resides in the implementation, and the proxy must call this function on itself to point to a new logic address.
A major advantage of UUPS over the Transparent Proxy pattern is reduced gas cost for regular users. Since the proxy admin functionality is part of the logic, there is no need for the proxy to check on every call whether the sender is the admin, avoiding an extra conditional check. However, this introduces a critical responsibility: developers must ensure the upgrade function is preserved and properly secured across all future implementation versions. If an upgraded logic contract omits this function, the proxy becomes permanently frozen and un-upgradeable.
This pattern is widely used in major protocols due to its efficiency. For example, OpenZeppelin's contracts library provides audited UUPS upgradeable contracts. When deploying, you typically deploy three items: the simple proxy, an initial logic contract (Implementation v1), and a ProxyAdmin contract (optional, often just a regular address) that holds upgrade rights. All user interactions and state changes occur through the proxy's address, while developers can deploy a new logic contract (Implementation v2) and execute the upgradeTo function to migrate seamlessly.
Key considerations when using UUPS include rigorous testing of upgrade paths to prevent storage collisions and ensuring the upgrade function's access control is never accidentally removed. It is also crucial to understand that the proxy's storage layout is immutable; new implementations must adhere to inheritance chains and storage gaps to maintain compatibility. This makes UUPS a powerful but expert-level tool for achieving contract upgradeability on networks like Ethereum.
how-it-works
TECHNICAL DEEP DIVE
How UUPS Works: The Delegatecall Mechanism
The Universal Upgradeable Proxy Standard (UUPS) enables smart contract upgrades through a core Ethereum mechanism called delegatecall, separating logic from storage.
The Universal Upgradeable Proxy Standard (UUPS) is an upgrade pattern where a proxy contract delegates all function calls to a separate logic contract using the low-level delegatecall opcode. This mechanism allows the proxy's storage and address to remain permanent while its executable code (the logic) can be replaced. When a user interacts with the proxy, delegatecall executes the logic contract's code within the context of the proxy's storage, meaning state variables are read from and written to the proxy, not the logic contract. This separation of storage and logic is the foundational principle of upgradeability.
The upgrade process is managed by a function within the logic contract itself, typically named upgradeTo(address newImplementation). This is a critical distinction from other patterns like the Transparent Proxy, where upgrade logic resides in a separate admin contract. In UUPS, the logic contract must contain and expose the upgrade authorization and execution logic. Consequently, each new logic contract version must include this upgrade functionality, making the upgrade mechanism self-contained within the implementation. This design reduces gas costs for regular users, as they are not required to interact with an additional admin contract for standard transactions.
A delegatecall preserves the msg.sender and msg.value from the original call, ensuring that access control and payment logic work correctly from the user's perspective. However, it also introduces critical security considerations: the storage layout between the old and new logic contracts must be strictly compatible. Incompatible layouts can lead to catastrophic storage collisions, where variables point to incorrect data slots. Furthermore, because the upgrade function resides in the logic, extreme care must be taken to prevent its removal or compromise in future versions, which could permanently lock the contract.
Developers implement UUPS by writing logic contracts that inherit from a base contract like OpenZeppelin's UUPSUpgradeable, which provides the internal _upgradeToAndCall function and a virtual _authorizeUpgrade function that must be overridden with access control logic (e.g., onlyOwner). The proxy is deployed pointing to an initial logic contract address. To upgrade, an authorized account calls upgradeTo on the proxy, which delegates to the current logic's upgrade function, updating the proxy's stored implementation address to point to the new contract.
The primary advantage of UUPS over the Transparent Proxy pattern is reduced gas overhead for end-users, as every call avoids the overhead of a proxy admin check. Its main trade-off is increased responsibility for the development team to ensure upgrade functionality is preserved and correctly authorized in every subsequent implementation. This pattern is formally defined in EIP-1822 and is widely used in modern upgradeable contract systems where gas efficiency for users is a priority.
key-features
ARCHITECTURE
Key Features of UUPS
The Universal Upgradeable Proxy Standard (UUPS) is an Ethereum standard (EIP-1822) for separating a smart contract's logic from its storage, enabling seamless upgrades. This section details its core architectural components and operational mechanisms.
01
Logic/Storage Separation
The core architectural pattern where a proxy contract holds all state (storage) and delegates function calls to a separate logic contract via delegatecall. This separation is fundamental, as it allows the logic to be replaced while preserving the contract's persistent data and address.
- Proxy: Permanent address, holds storage variables.
- Logic Contract: Contains executable code, can be upgraded.
- Delegatecall: Executes logic contract's code in the context of the proxy's storage.
02
Upgrade Authorization
Upgrade functionality is managed within the logic contract itself, not the proxy. The logic contract must contain an upgradeTo(address newImplementation) function, protected by access control (e.g., onlyOwner). This design simplifies proxy code and reduces its attack surface, but places the critical responsibility of maintaining upgradeability on the logic implementation.
03
Initialization vs Constructor
Because proxies use delegatecall, a logic contract's constructor code is not executed during a proxy's deployment. Instead, an initializer function must be used to set up the proxy's initial state. This function must be protected to prevent re-initialization attacks, a pattern often enforced using libraries like OpenZeppelin's Initializable.
04
Transparent vs UUPS Proxies
A key distinction from the Transparent Proxy Pattern. In Transparent proxies, upgrade logic is in the proxy admin. In UUPS, upgrade logic is in the implementation contract. This makes UUPS proxies more gas-efficient for end-users, as they avoid a proxy-admin check on every call, but requires the implementation to forever carry upgradeability code.
05
Implementation Storage Slot
The proxy contract stores the address of the current logic contract in a specific, standardized storage slot defined by EIP-1967. This slot is bytes32(uint256(keccak256('eip1967.proxy.implementation')) - 1). Using a pseudorandom slot prevents storage collisions between the proxy and implementation, ensuring upgrade safety.
06
Gas Optimization & Risks
Gas Efficiency: UUPS saves ~5k gas per call vs. Transparent Proxies by removing the admin address check.
Permanent Risk: If an upgraded logic contract fails to include the upgradeTo function, the proxy becomes permanently frozen and un-upgradeable. This self-destruct mechanism is a deliberate, security-critical design choice.
code-example
IMPLEMENTATION
UUPS Code Example: Core Interface and Function
An examination of the essential Solidity code that defines the UUPS upgrade mechanism, focusing on the interface and the critical `upgradeTo` function.
The core of the Universal Upgradeable Proxy Standard (UUPS) is defined by the IERC1822Proxiable interface, which mandates a single, crucial function: function proxiableUUID() external view returns (bytes32);. This function returns a unique identifier for the implementation contract's logic contract version, allowing the proxy to verify compatibility before an upgrade. The upgrade logic itself resides in a separate, optional interface, often named IERC1967Upgrade or a custom UUPSUpgradeable interface, which contains the upgradeTo(address newImplementation) function.
The upgradeTo function is the state-changing operation that performs the actual upgrade. When called (typically by a privileged admin), it must update the proxy's stored implementation address in the designated ERC-1967 storage slot. A secure implementation will include authorization checks, compatibility verification via proxiableUUID, and an event emission. Critically, in the UUPS pattern, this upgrade logic is embedded within the implementation contract itself, not the proxy, which is why the implementation must remain upgradeable to modify its own logic in the future.
A minimal, secure UUPS implementation contract skeleton includes the following key components: inheriting from a base contract like UUPSUpgradeable, overriding the _authorizeUpgrade function to add access control (e.g., onlyOwner), and implementing proxiableUUID. This structure ensures upgrades are permissioned and that the proxy can validate the new implementation contract is a valid UUPS-compliant contract before switching to it, preventing accidental or malicious upgrades to incompatible code.
comparison-with-transparent-proxy
UPGRADEABLE CONTRACTS
UUPS vs. Transparent Proxy Pattern
A comparison of two dominant proxy patterns for smart contract upgradeability, focusing on their architectural differences, security considerations, and gas efficiency.
01
Core Architecture
The Transparent Proxy Pattern uses a central ProxyAdmin contract to manage upgrades, separating admin calls from regular user calls to prevent selector clashes. In contrast, UUPS (Universal Upgradeable Proxy Standard) embeds the upgrade logic directly within the implementation contract itself, which must inherit and implement the upgrade function.
02
Gas Efficiency & Deployment
UUPS proxies are more gas-efficient for end-users because they avoid the extra delegatecall check for admin functions present in Transparent Proxies. However, UUPS requires the implementation contract to be deployed first, and each new version must include the upgrade logic, adding slight deployment overhead.
03
Security & Upgrade Mechanism
In the Transparent Pattern, the proxy's upgrade function is external and managed by the ProxyAdmin. UUPS moves this risk: the upgradeTo function is part of the implementation. This makes UUPS implementations permanently immutable if they fail to include or properly secure this function in a new version.
04
Function Selector Clashing
Transparent Proxides solve the selector clashing problem by routing calls: if the caller is the admin, it delegates to the proxy's own functions; otherwise, it delegates to the implementation. UUPS avoids this by having no admin-specific functions on the proxy; all calls are delegated, relying on the implementation's access control.
05
Storage Layout & Initialization
Both patterns use delegatecall and thus share the same critical constraint: the storage layout between proxy and implementation, and across upgraded implementations, must remain compatible. Both use initializer functions instead of constructors. The ERC1967Proxy storage slot for the implementation address is standard for both.
06
Adoption & Use Cases
The Transparent Proxy Pattern is often seen as more beginner-friendly due to its clear separation of concerns. UUPS, popularized by OpenZeppelin, is favored for its gas savings and is used in major standards like ERC-4337 account abstraction. The choice depends on the trade-off between upgrade safety and runtime cost.
security-considerations
UUPS (UNIVERSAL UPGRADEABLE PROXY STANDARD)
Security Considerations and Risks
While UUPS enables powerful contract upgradeability, its design introduces specific security vectors that developers and auditors must rigorously address.
01
Implementation Initialization Vulnerability
A critical risk in UUPS is that the implementation contract's constructor is not used. Instead, an initialize function must be called. If this function lacks proper access control or can be re-initialized, it can lead to a complete takeover of the proxy's logic.
- The
initializermodifier from OpenZeppelin is essential to prevent re-initialization. - Failing to call
_disableInitializers()in the implementation constructor leaves a dangerous initialization backdoor.
02
Selfdestruct in Implementation
Because the proxy delegates all calls to the implementation's code, if a malicious upgrade introduces a selfdestruct opcode, the implementation contract can be destroyed, permanently bricking the proxy and all associated user funds.
- This is a key differentiator from the Transparent Proxy Pattern, where the proxy admin is separate.
- Rigorous auditing of upgrade logic is non-negotiable to prevent this catastrophic failure.
03
Storage Collision Risks
The proxy and implementation share the same storage layout. In UUPS, the upgrade function (upgradeToAndCall) is stored in the implementation, not the proxy.
- Incorrect storage variable ordering between implementation versions can cause critical data corruption.
- Developers must follow established patterns like inheriting from
UUPSUpgradeableand using tools likeslitherto detect layout inconsistencies.
04
Centralization & Admin Key Risk
The entity controlling the upgrade function holds ultimate power over the contract's logic. This creates a single point of failure.
- Compromise of the upgrade admin's private key allows an attacker to deploy malicious logic.
- Mitigations include using multi-signature wallets, timelocks for upgrades, or moving towards decentralized governance for upgrade approval.
05
Function Selector Clashing
The upgradeTo and upgradeToAndCall functions in the implementation must use unique function selectors that do not clash with the proxied contract's intended interface.
- A clash would make the intended function uncallable, as the proxy's fallback would delegate to the upgrade logic instead.
- The EIP-1822 standard defines specific, rarely-used selectors (
0x3659cfe6,0x4f1ef286) to minimize this risk.
06
Audit & Testing Imperatives
UUPS contracts require exhaustive testing beyond standard unit tests.
- Integration testing must simulate the full proxy-delegate call upgrade path.
- Fuzz testing (e.g., with Foundry) should target the initialization and upgrade functions.
- Formal verification and audits by specialized firms are strongly recommended before mainnet deployment.
ecosystem-usage
UPGRADEABLE SMART CONTRACTS
Ecosystem Usage and Adoption
The Universal Upgradeable Proxy Standard (UUPS) is a design pattern enabling smart contract logic to be updated after deployment, a critical feature for long-term project maintenance and security.
01
Core Upgrade Mechanism
UUPS implements upgradeability by separating contract storage (in the proxy) from logic (in a separate implementation contract). The proxy delegates all function calls to the implementation via the delegatecall opcode. Upgrades are performed by changing the implementation address the proxy points to, allowing for logic fixes and feature additions without migrating state or user funds.
02
Comparison to Transparent Proxy
UUPS differs from the older Transparent Proxy pattern in how it manages upgrade authorization.
- UUPS: The upgrade logic (
upgradeTo) is built into the implementation contract itself. - Transparent Proxy: The upgrade logic resides in the proxy, requiring a separate admin contract. This makes UUPS proxies more gas-efficient for end-users, as they avoid the proxy's admin check on every call, but places greater responsibility on developers to ensure upgrade functions are secure and not accidentally removed.
03
Security & Initialization Patterns
Because the implementation contract's constructor code is not run on the proxy's storage, UUPS relies on an initializer function. This function, often protected by an initializer modifier, sets up the contract's initial state. A critical security best practice is to use a library like OpenZeppelin's Initializable to prevent re-initialization attacks. The upgrade authorization mechanism must also be meticulously secured, as a compromised upgrade function can lead to a complete loss of control.
05
Gas Optimization Advantage
A key driver for UUPS adoption is its lower gas cost for end-users compared to Transparent Proxies. Since the proxy does not need to check msg.sender against an admin address on every call (the check is only in the upgradeTo function), regular transactions are cheaper. This efficiency is significant for frequently called functions and has led many high-throughput DeFi protocols to migrate to or launch with UUPS.
06
Risks and Developer Responsibility
Adopting UUPS introduces unique risks. The upgrade function resides in the implementation, which itself can be upgraded. If an upgrade removes this function (self-destructs the upgrade capability), the contract becomes permanently immutable. Developers must also ensure storage layout compatibility between versions to prevent storage collisions, which can corrupt data. These factors shift significant security burden from the proxy to the implementation contract's code quality and upgrade procedures.
DEBUNKED
Common Misconceptions About UUPS
The Universal Upgradeable Proxy Standard (UUPS) is a powerful pattern for smart contract upgradeability, but its mechanics are often misunderstood. This section clarifies the most frequent points of confusion developers encounter.
No, a UUPS proxy is not inherently less secure than a Transparent Proxy; the security model is simply different and places more responsibility on the implementation contract. In the Transparent Proxy pattern, upgrade logic resides in the proxy itself, while in UUPS, the upgrade logic is part of the implementation contract. This means a UUPS implementation must contain the upgradeTo function, and if this function is removed in a future upgrade, the contract becomes permanently non-upgradeable. The key security consideration is ensuring the upgrade authorization mechanism (e.g., onlyOwner) is correctly implemented and preserved across upgrades within the logic contract, rather than being managed by the proxy admin.
solidity// UUPS Implementation must include upgrade logic function upgradeTo(address newImplementation) external virtual onlyOwner { _authorizeUpgrade(newImplementation); _upgradeToAndCallUUPS(newImplementation, new bytes(0), false); }
UUPS
Frequently Asked Questions (FAQ)
Essential questions and answers about the Universal Upgradeable Proxy Standard, a critical pattern for smart contract upgradeability.
The Universal Upgradeable Proxy Standard (UUPS) is an Ethereum Improvement Proposal (EIP-1822) that defines a standard pattern for upgradeable smart contracts using a proxy contract that delegates all function calls to a separate logic contract. The proxy stores the address of the logic contract, and when a user interacts with the proxy, it uses a low-level delegatecall to execute the code from the logic contract in the proxy's own storage context. This separates the contract's storage and state from its executable code, allowing the logic to be upgraded by pointing the proxy to a new, deployed logic contract address, while preserving all existing user data and balances.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall