Most people assume that once a smart contract is deployed, its behavior is fixed. That's true for immutable contracts — but a large and growing portion of DeFi runs on upgradeable contracts. Understanding what a proxy upgrade actually does is essential for anyone holding or building on these protocols.
What Is an Upgradeable Proxy?
A proxy contract is a two-contract architecture:
User → Proxy Contract (permanent address)
↓ delegatecall
Implementation Contract (the logic)
The proxy holds the contract's storage (balances, state) and the permanent address users interact with. The implementation contains the actual code logic. The proxy routes all calls to the implementation via delegatecall.
The key insight: the implementation address stored in the proxy can be changed. When it changes, the logic changes — but the proxy address (and all its stored state) remains the same.
The Three Major Proxy Standards
EIP-1967 Transparent Proxy
The most common pattern. The implementation address is stored at a specific storage slot:
bytes32 constant IMPLEMENTATION_SLOT = 0x360894a13ba1...
The proxy owner (an admin address or a ProxyAdmin contract) can call upgradeTo(newImplementation) to replace the logic.
Key feature: The admin address is separated from regular users — admin calls go to the proxy's admin functions, user calls go to the implementation. This prevents a storage collision where the admin slot overlaps with the implementation's state variables.
UUPS (Universal Upgradeable Proxy Standard)
In UUPS (EIP-1822), the upgrade logic lives in the implementation, not the proxy. The upgrade function upgradeTo() is a regular function in the implementation contract.
Key difference: The implementation can brick itself. If a developer deploys a new implementation without the upgradeTo() function, the proxy is permanently frozen with no upgrade path. This puts more responsibility on correct implementation code.
Beacon Proxy
A beacon proxy pattern allows many proxy instances to share a single implementation via a "beacon" contract. Upgrading the beacon updates all proxies simultaneously.
Proxy A → Beacon → Implementation
Proxy B ↗
Proxy C ↗
Used when protocols deploy many instances of the same contract (e.g., Uniswap V3 pools, lending markets with many asset pairs).
What Actually Changes During an Upgrade?
When an upgrade happens:
What stays the same:
- Contract address
- All stored state (token balances, allowances, mappings)
- Outstanding transactions in the mempool
What changes:
- The code logic
- Available functions
- How existing state is interpreted
This is where the danger lies. The new implementation shares the same storage layout as the old one — but if the developer isn't careful, the new code can misinterpret the existing data.
Example: A Safe Upgrade
// V1
contract TokenV1 {
uint256 public totalSupply; // slot 0
mapping(address => uint256) balances; // slot 1
function transfer(address to, uint256 amount) external { ... }
}
// V2 — adds new feature, preserves layout
contract TokenV2 {
uint256 public totalSupply; // slot 0 — unchanged
mapping(address => uint256) balances; // slot 1 — unchanged
bool public paused; // slot 2 — new
function transfer(address to, uint256 amount) external { ... }
function pause() external onlyOwner { ... } // new function
}
This is safe — V2 appends new state to the end and doesn't move existing variables.
Example: A Storage Collision Attack
// V2 (malicious)
contract TokenV2Malicious {
address public owner; // slot 0 — was totalSupply!
mapping(address => bool) blacklist; // slot 1 — was balances!
// Now "totalSupply" stores the owner address
// "balances" is now a blacklist mapping
}
A malicious or poorly written upgrade can reinterpret existing balances as an address, rendering the entire token's state corrupted. In a targeted exploit, an attacker with upgrade control can:
- Rewrite the storage layout to redirect funds
- Add a backdoor mint function that didn't exist before
- Remove the
transferfunction entirely, trapping all balances
Who Can Trigger an Upgrade?
This is the critical question for any proxy token. The upgrade path is only as safe as whoever controls it.
| Controller | Risk Level | Notes |
|---|---|---|
| Single EOA (developer wallet) | Extreme | Can upgrade instantly, no review |
| Multisig (3/5, 4/7) | High-Medium | Requires coordination, harder to abuse |
| Timelock (48-72h delay) | Medium | Community has time to react |
| Timelock + Multisig | Low-Medium | Best practice for production protocols |
| DAO governance vote | Low | Upgrade requires broad consensus |
| No upgrade path | None | Immutable — but can't fix bugs either |
A token where a single developer can upgrade the contract at any time is as dangerous as a token with an unrestricted mint function — arguably more dangerous, since an upgrade can change everything simultaneously.
Mitigating Factors: Timelocks
A timelock contract introduces a mandatory delay between when an upgrade is proposed and when it can be executed.
Day 0: Owner calls timelock.queue(newImplementation, delay=48h)
Day 2: Owner calls timelock.execute(newImplementation)
← 48-hour window for community to detect and respond
During the waiting period, token holders can:
- See the proposed new implementation
- Audit the changes
- Exit their positions if they don't approve
- Governance token holders can cancel the upgrade
The OpenZeppelin TimelockController is the standard implementation. Meaningful delays are 48-72 hours minimum; major protocol upgrades often use 7-14 day timelocks.
How to Check if a Token is Upgradeable
Method 1: Etherscan
- Open the contract on Etherscan
- Look for
delegatecallin the bytecode or source code - Look for storage variables like
_IMPLEMENTATION_SLOTor anupgradeTofunction - Check the "Read as Proxy" tab — if Etherscan detects a proxy pattern, it shows the current implementation address
Method 2: Automated Scan
ChainRaven's scanner automatically detects proxy patterns (EIP-1967, UUPS, Beacon) and reports:
- Whether the contract is upgradeable
- Who controls the upgrade path (EOA vs. contract)
- Whether a timelock is in place
This appears as a weighted signal in the overall risk score.
Method 3: Manual ABI Review
Look for these function signatures in the ABI:
upgradeTo(address)— UUPS patternupgradeToAndCall(address, bytes)— UUPS with initialization_upgradeTo(address)— transparent proxy internalimplementation()— proxy admin view
Real-World Proxy Exploits
Nomad Bridge (2022)
A routine upgrade introduced a storage initialization bug that made messages forgeable. Any transaction that had been verified once could be replayed with any recipient address. Result: $190M drained within hours as bots copied the exploit transaction with different destination addresses.
Compound Finance (2021)
An upgrade to the Comptroller contract contained a bug that miscalculated COMP distributions. Instead of accumulating correctly, the contract sent excess COMP to some users. A subsequent fix upgrade also had a bug. No funds were stolen, but approximately $90M in COMP was distributed incorrectly and couldn't be fully recovered.
These weren't malicious upgrades — they were well-intentioned improvements with bugs. This is why timelocks matter: they give time to catch errors before they go live.
What to Look for Before Investing in a Proxy Token
Minimum acceptable:
- Upgrade controlled by a multisig (not a single EOA)
- Timelock with at least 48-hour delay
- Source code verified for both proxy and current implementation
Better:
- Timelock with 7-day delay
- Multisig requiring 4/7 or more signers
- Upgrade history: have previous upgrades been responsible?
- Audit of the current implementation
Best:
- Governance-controlled upgrades with on-chain voting
- Long timelock (14+ days)
- Independent security firm audits of each upgrade
Walk away if:
- Single EOA controls upgrades with no timelock
- Implementation isn't verified (can't see the code)
- Recent unexplained upgrade shortly before a price dump
Monitoring for Upgrades
Even if a token passes your initial review, proxy upgrades can happen later. Ongoing monitoring is the only way to stay protected.
ChainRaven's monitoring feature watches for proxy upgrade events and sends alerts when an implementation change is detected — via email, Telegram, or Discord — so you can review any upgrade before deciding whether to maintain your position.