Proxy Pattern

Smart Contract Updated Jun 2026

What is the Proxy Pattern?

The proxy pattern is a smart contract architecture that enables contract upgradeability — the ability to modify a deployed contract’s behavior without changing its address, state, or the balances and permissions stored within it. In a proxy setup, users always interact with a single “proxy” contract address, which delegates execution to an “implementation” contract that contains the actual logic. When the implementation needs to be updated, the proxy is pointed to a new implementation contract, while the proxy’s storage, address, and all user data remain unchanged.

This pattern is one of the most important architectural concepts in Solidity development because it solves a fundamental limitation of blockchain technology: smart contracts are immutable once deployed. Immutability is a feature for trust and security, but it’s a bug for development, because bugs discovered after deployment cannot be fixed in the traditional sense. The proxy pattern provides a controlled, transparent mechanism for upgrading contract logic while maintaining the immutability guarantees that make blockchain applications trustworthy.

How Proxy Contracts Work

The proxy pattern relies on two key mechanisms:

Delegatecall: The EVM opcode DELEGATECALL allows a contract to execute code from another contract in the context of the calling contract. This means that when the proxy delegatecalls to the implementation, the implementation’s code runs but uses the proxy’s storage, msg.sender, and msg.value. The implementation contract effectively “borrows” the proxy’s execution context.

Storage layout consistency: Because delegatecall uses the calling contract’s storage, the proxy and implementation must share the same storage layout. The implementation contract defines the storage variables, and the proxy’s storage is used to hold them. As long as the storage layout remains consistent between implementations, upgrading is seamless.

The architecture typically consists of:

  1. Proxy contract: A lightweight contract that users interact with. It stores the address of the current implementation and uses delegatecall to forward all function calls to the implementation.

  2. Implementation contract: Contains the actual business logic. It is not interacted with directly by users. Multiple versions of the implementation can be deployed and the proxy can be switched between them.

  3. Admin/ProxyAdmin: A privileged address (or contract) that has the authority to change the implementation address in the proxy. This is the “upgrade key” and represents the primary trust assumption.

Types of Proxy Patterns

Transparent Proxy

The transparent proxy pattern, popularized by OpenZeppelin, solves the function selector clash problem. When a proxy and its implementation both have a function with the same selector, delegatecall creates an ambiguity about which function to execute. The transparent proxy resolves this by checking whether the caller is the admin: if the admin calls the proxy, the proxy executes its own admin functions (like upgradeTo); if any other address calls, the proxy delegatecalls to the implementation.

This approach ensures that function selectors in the implementation never clash with proxy admin functions, but it adds a small gas cost for every call because of the admin check. Transparent proxies are best suited for contracts with a single proxy and relatively few users.

UUPS (Universal Upgradeable Proxy Standard)

UUPS reverses the upgrade logic: instead of the proxy containing the upgrade functionality, the upgrade function is defined in the implementation contract itself. The proxy simply forwards all calls (including upgrade calls) to the implementation.

The UUPS pattern is more gas-efficient than transparent proxies because there’s no admin check on every call. It also reduces deployment costs because the proxy contract is simpler. UUPS has become the recommended standard by OpenZeppelin and is widely adopted in production.

However, UUPS introduces a risk: if an implementation is deployed without the upgrade function (due to developer error), the contract becomes permanently non-upgradeable. This “bricking” risk must be carefully managed.

Beacon Proxy

The beacon proxy pattern uses a central “beacon” contract that stores the implementation address, and multiple proxy contracts can point to the same beacon. This is useful when you need many instances of the same contract (e.g., one per user or per pool) and want to upgrade all of them by changing a single beacon address.

The beacon pattern is commonly used in DeFi protocols like Aave and Uniswap that create many contract instances (lending pools, liquidity pools) that all share the same logic.

Diamond (EIP-2535)

The diamond pattern (also called multi-facet proxy) allows a single proxy to delegate to multiple implementation contracts, each handling different function selectors. This enables extremely large contracts to be modularized across multiple files and deployed as separate “facets” while appearing as a single contract to users.

Diamonds are complex and require careful management of the function selector registry, but they are powerful for large protocols that need extensive functionality in a single contract.

The Centralization Trade-off

The proxy pattern introduces a fundamental tension between upgradeability and decentralization. The ability to upgrade a contract requires that someone has the authority to trigger the upgrade, which means that contract behavior can be changed by a privileged party. This is a form of centralization, and it directly contradicts the “code is law” principle that is central to blockchain ideology.

This trade-off must be acknowledged and managed:

  • Transparency: All upgrades should be announced in advance and the new implementation code should be publicly auditable before activation.
  • Timelocks: Implementation changes should go through a timelock (e.g., 24-48 hours) to give users time to review and react to proposed changes.
  • Multi-sig governance: Upgrade authority should be held by a multi-signature wallet controlled by a DAO or trusted committee, not a single individual.
  • Immutable core: Once a protocol is sufficiently battle-tested, the upgrade authority can be renounced, making the contract truly immutable.

Storage Slot Collisions

One of the most dangerous aspects of the proxy pattern is storage slot collisions. Because the implementation contract’s storage layout must match the proxy’s, any change to the storage layout in a new implementation will cause variables to be read from and written to the wrong slots, corrupting the contract’s state.

For example, if the original implementation has variables a at slot 0 and b at slot 1, and an upgraded implementation adds a new variable c at slot 0 (pushing a and b to slots 1 and 2), the proxy will still have a’s value at slot 0, but the new implementation will interpret it as c. This can lead to catastrophic and subtle bugs.

To prevent this, developers use:

  • EIP-1967 storage slots: Standardized storage slots for proxy-related data (implementation address, admin, beacon) that are stored at predetermined, well-known locations unlikely to conflict with application storage.
  • Storage gaps: OpenZeppelin’s upgradeable contracts include gap[N] variables — empty storage reservations that can be used in future upgrades to add new variables without shifting existing ones.

Security Considerations

The proxy pattern adds significant attack surface:

  • Initialization instead of constructors: Constructor code is not included in the implementation’s runtime bytecode, so upgradeable contracts use initialize() functions instead. Forgetting to call initialize() or calling it multiple times are common bugs.
  • Self-destruct attacks: If an implementation contract is self-destructed, the proxy’s delegatecall will fail, potentially bricking the contract.
  • Selector clashes: In non-transparent proxies, function selectors in different implementations might collide, causing unexpected behavior.
  • Governance attacks: If the upgrade authority (admin/DAO) is compromised, the attacker can upgrade the implementation to a malicious version and drain all funds.

Key Considerations

  • The proxy pattern enables contract upgrades without changing addresses or losing state.
  • UUPS is the recommended standard, offering gas efficiency and simplicity.
  • Always use timelocks and multi-sig governance for upgrade authority.
  • Storage layout changes between implementations can cause catastrophic data corruption.
  • Use OpenZeppelin’s upgradeable contracts library for safe proxy implementations.
  • Consider the centralization trade-off and plan for eventual immutability.
  • Smart Contract
  • Contract Audit
  • Reentrancy Attack
  • Event Log
  • Gas Optimization

Related Terms

Smart ContractReentrancy AttackContract Audit

More Smart Contract Terms

ERC-1155ERC-20ERC-721Event LogEVM (Ethereum Virtual Machine)Gas Optimization