
Not so Immutable: Upgradeability of Smart Contracts on Ethereum

  • Conference paper
Financial Cryptography and Data Security. FC 2022 International Workshops (FC 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13412)

Abstract

A smart contract that is deployed to a blockchain system like Ethereum is, under reasonable circumstances, expected to be immutable and tamper-proof. This is both a feature (promoting integrity and transparency) and a bug (preventing security patches and feature updates). Modern smart contracts use software tricks to enable upgradeability, raising the research questions of how upgradeability is achieved and who is authorized to make changes. In this paper, we summarize and evaluate six upgradeability patterns. We develop a measurement framework for finding how many upgradeable contracts on Ethereum use certain prominent upgrade patterns. We find 1.4 million proxy contracts, of which 8,225 are unique upgradeable proxy contracts. We also measure how they implement access control over their upgradeability: about 50% are controlled by a single Externally Owned Account (EOA), and about 14% are controlled by multi-signature wallets in which a limited number of persons can change the whole logic of the contract.


Notes

  1. “Upgradeability Is a Bug”, Steve Marx, Medium, Feb 2019.
  2. https://compound.finance.
  3. https://github.com/compound-finance/compound-protocol/blob/v2.3/contracts/InterestRateModel.sol.
  4. https://uniswap.org.
  5. “Expectations for backwards-incompatible changes / removal of features that may come soon.” V. Buterin, Reddit r/ethereum, Mar 2021.
  6. Specifically: \(\textsf{addr} \leftarrow \mathcal {H}(\texttt{0xff} \Vert \textsf{factoryAddr} \Vert \textsf{salt} \Vert \mathcal {H} (\textsf{initBytecode} \Vert \textsf{initBytecodeParams}))\), where \(\mathcal {H}\) is keccak-256 and the address is the rightmost 20 bytes of the outer hash (EIP-1014). The address therefore commits to the init bytecode only, not to the runtime bytecode that init code returns.
  7. “The Promise and the Peril of Metamorphic Contracts.” 0age, Medium, Feb 2019.
  8. https://archivenode.io/.
  9. https://github.com/palkeo/panoramix.
  10. https://opensea.io.
  11. https://etherscan.io/address/0xb45d6c0897721bb6ffa9451c2c80f99b24b573b9.
  12. 0xd23cfffa066f81c7640e3f0dc8bb2958f7686d1f.
  13. https://certik.com.
  14. Storage slot 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103, i.e. the EIP-1967 admin slot, keccak-256 of the string "eip1967.proxy.admin" minus one.
  15. https://gnosis-safe.io/.


Acknowledgements

Our measurements were possible thanks to https://archivenode.io/. We thank Santiago Palladino (OpenZeppelin) and the reviewers for comments and discussions that helped to improve our paper. J. Clark acknowledges support for this research project from the Natural Sciences and Engineering Research Council (NSERC), Raymond Chabot Grant Thornton, and Catallaxy Industrial Research Chair in Blockchain Technologies and the AMF (Autorité des Marchés Financiers). J. Clark and M. Mannan acknowledge NSERC through Discovery Grants.

Author information

Corresponding author: Mehdi Salehi.


Copyright information

© 2023 International Financial Cryptography Association

About this paper

Cite this paper

Salehi, M., Clark, J., Mannan, M. (2023). Not so Immutable: Upgradeability of Smart Contracts on Ethereum. In: Matsuo, S., et al. Financial Cryptography and Data Security. FC 2022 International Workshops. FC 2022. Lecture Notes in Computer Science, vol 13412. Springer, Cham. https://doi.org/10.1007/978-3-031-32415-4_33

  • DOI: https://doi.org/10.1007/978-3-031-32415-4_33

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-32414-7

  • Online ISBN: 978-3-031-32415-4

  • eBook Packages: Computer Science (R0)
