Immutable in Principle, Upgradeable by Design: Exploratory Study of Smart Contract Upgradeability

Smart contracts are computer programs that auto-execute agreements when certain conditions are satisfied. Smart contracts are mostly deployed on a blockchain network, enabling the execution of the contract to be secure and transparent  wang2019blockchain ; buterin2014next ; sayeed2020smart ; mohanta2018overview ; wang2018overview . Many blockchain platforms support smart contracts, such as Hyperledger Fabric androulaki2018hyperledger , Corda brown2016corda , and Ethereum buterin2013ethereum . This paper focuses on the smart contracts deployed on Ethereum due to the platform’s open-source architecture and community. Ethereum is an open-source platform, meaning the underlying code and protocols are publicly available. Moreover, it has a large active community that supports researchers and developers with smart contracts.

Ethereum runs its deployed smart contracts on the Ethereum Virtual Machine (EVM), a low-level stack machine that executes the compiled bytecode of the smart contract buterin2013ethereum . Each operation in Ethereum requires a certain amount of computational effort, measured by gas. Gas is required for every operation in Ethereum, whether the operation is a transaction or the execution of a smart contract instruction. Some instructions are gas-intensive, such as instructions that utilize replicated storage. Gas metering prevents the sender from wasting computational power in executing unnecessary computation-intensive transactions. Moreover, it limits the number of instructions a transaction can execute, preventing non-terminating executions and DoS attacks.

Smart contracts in Ethereum are developed in many languages, such as Solidity, Vyper, and Bamboo. In this study, we target Solidity smart contracts, the most popular smart contract programming language clack2016smart . The Solidity language is an object-oriented language deployed on the EVM. In addition to Ethereum, several blockchain platforms support Solidity, including Quorum, Hyperledger Burrow, and Hyperledger Besu. Solidity has syntax similar to C and JavaScript, but it includes several unique concepts specific to smart contracts, including: visibility of function modifiers; internal, external, view; emitted events; and smart contract-specific operations such as self-destruct and revert.

We focus on Solidity contracts as there are more than 44 million Solidity contracts deployed on the Ethereum network. Additionally, Solidity supports libraries, which are useful for implementing reusable code in smart contracts. This might be beneficial in upgradeable smart contracts, as libraries can be modified and updated without requiring the redeployment of the entire contract.

In smart contracts, upgradeability refers to the process of modifying smart contract code after deployment while maintaining the contract data and state  antonino2022specification ; salehi2022not . Upgrading smart contracts has two benefits: (i) it provides a mechanism to improve contract security by fixing security issues and bugs discovered post-deployment, and (ii) it enables developers to add new features and functionality over time antonino2022specification ; salehi2022not .

In the context of smart contracts, upgradeability and mutability (ability to change) are different. Since smart contracts are immutable by design, their code cannot be changed once deployed. However, the smart contract community proposed several mechanisms to upgrade the contract, such as deploying a new smart contract and directing user requests to the new one instead of the previous one.

The proxy pattern is a well-known method where users interact with a proxy contract, not directly with the business logic contract. The proxy contract holds data and forwards user requests to the designated smart contract version. When an upgrade is necessary, a new contract is deployed, and its address is updated in the proxy contract as the target version, as shown in Figure 1. This approach allows for the seamless transition between contract versions without disrupting the user experience. Variants of this pattern include the Diamond Proxy and Universal Upgradeable Proxy Standard (UUPS), which maintain the core proxy concept but differ in their storage and code structure handling. The Diamond Proxy, for instance, allows for multiple logic contracts (facets) to be used simultaneously, providing greater flexibility and modularity.

The data separation pattern is another upgrading approach. It involves two contracts: one for storage and the other for business logic. Unlike the proxy pattern, users interact directly with the business logic contract, which interacts with the storage contract. This separation ensures that data remains intact and secure, even as the logic contract is upgraded or modified. The storage contract is a consistent data layer accessible only by authorized contract versions, ensuring data integrity and security.

Other upgrading alternative approaches include the strategy pattern and the data migration approach. The strategy pattern allows for the dynamic changing of algorithms or processes within a contract by separating the contract into interchangeable modules. The data migration approach involves transferring data from an older contract to a newer version. This process can be complex but allows for significant contract structure and logic changes.

In our study, we focus on the upgrading approaches introduced by the Ethereum community. We apply inclusion and exclusion criteria to select suitable approaches for this empirical study, as discussed in Section 3.3.

In our study, we integrate data from two sources, which are Ethereum ETL,⁶⁶6https://ethereum-etl.readthedocs.io/en/latest/ and Etherscan.⁷⁷7https://etherscan.io

Ethereum ETL is a public Ethereum data explorer that enables users to explore blockchain data such as blocks and transactions. All the data is published as a Google BigQuery dataset.⁸⁸8https://bigquery.cloud.google.com/dataset/bigquery-public-data:crypto_ethereum The Ethereum ETL dataset includes details about blocks, transactions, and smart contracts. Ethereum ETL configures nodes to synchronize data with the Ethereum blockchain, where these data are updated regularly. We extract from the dataset smart contract metadata such as smart contract address, bytecode, and the contract creator address.

To obtain more details about the smart contract, such as the contract’s source code and the contract’s activity level, we use Etherscan, an Ethereum explorer. The data on Etherscan is updated in real-time, as it syncs with nodes configured on the Ethereum network. Based on each contract’s address extracted from Ethereum ETL, we query Etherscan for the contract address and extract the contract’s source code and activity level, if available. There are unverified smart contracts in Etherscan, which means that the developer didn’t provide the source code of the smart contract. In this study, we do not consider these smart contracts.

To answer the research questions, we preprocess the collected smart contracts data as follows:

• •

  Remove comments and white spaces: This helps in reducing the size of collected data and normalizing these data by removing any inconsistencies in structure and format.

• •

  Reformat multi-file smart contracts: Smart contracts can be coded using one or multiple files. As we are comparing different versions of the smart contracts, it is essential to have each smart contract in a single file. For this purpose, we merge files and remove imports within files for multi-file smart contracts.

We collected 44M deployed smart contracts. For each smart contract, we collected the following metadata: the smart contract address, the contract creator address, the timestamp, the compiler version, and the solidity version. Moreover, we collected from Etherscan the contract source code, where available, and the number of received transactions.

To answer RQ1, in our study on the prevalence of upgradeable smart contracts, we specifically focus on analyzing patterns that are widely recognized within the Ethereum,⁹⁹9https://ethereum.org/en/developers/docs/smart-contracts/upgrading/ and OpenZeppelin¹⁰¹⁰10https://blog.openzeppelin.com/the-state-of-smart-contract-upgrades communities. We focus our analysis on patterns that offer clear, identifiable code and storage structures, enabling straightforward identification and differentiation. We exclude approaches that do not align with our criteria for systematic analysis. This includes ad-hoc upgrading methods such as Contract Migration, which often depend on manual interventions and lack clear distinguishable patterns in contract code. Similarly, we excluded the Data Separation approach due to its minimal prevalence and adoption by the community, representing only 0.0007% of the collected data salehi2022not . Furthermore, We also omitted generic patterns focused more on design principles, like the Strategy Pattern, for their lack of direct relevance to upgradeable smart contracts.¹¹¹¹11https://blog.openzeppelin.com/the-state-of-smart-contract-upgrades#strategy-pattern These exclusions are based on their limited relevance to our research objective that aims to shed light on common practices of upgradeability in smart contracts.

Accordingly, this work focuses on approaches that exhibit unique code features that enable us to establish differentiation criteria from other approaches (patterns). Notably, we concentrate on the family of proxy patterns that includes the Universal Upgradeable Proxy Standard (UUPS) and Diamond (EIP-2535), which exemplify the current best practices in smart contract upgradeability. These approaches are identifiable by specific features in their code, allowing us to establish policies that differentiate them from other approaches.

To detect upgradeable proxy contracts, we identify a set of policies that distinguish it from the other techniques. These policies include a combination of regular expressions specific to the upgrade pattern and its code structure. For example, the presence of delegatecall is indicative of a proxy pattern that can be detected using a simple regular expression. However, not all proxy contracts are upgradeable contracts; forward proxy contracts are used to direct requests to other contracts and not to upgrade a smart contract. To distinguish these two types, it is necessary to analyze the code structure. Upgradeable proxy contracts usually include methods to upgrade the contract address, as shown in Listing 1. In contrast, the forward proxy does not have this method, and the requests are delegated to a fixed contract address, as shown in Listing 2.

Our analysis covers a range of key standards proposed by the Ethereum Improvement Proposals (EIP),¹²¹²12https://eips.ethereum.org and OpenZeppelin¹³¹³13https://www.openzeppelin.com communities. These standards detail the technical requirements necessary for upgradeable contracts and establish a unified terminology for our analysis. Moreover, this allows us to identify and describe the different upgradeability methods systematically. By focusing on these recognized patterns and standards, our study seeks to provide a detailed overview of current practices in upgradeable proxy contract approaches. Accordingly, this paper concentrates on the following approaches:

• •

  EIP-897: DelegateProxy Araoz_Izquierdo_2018 is a standard interface to facilitate interactions with various proxy types. It explicitly differentiates between two proxy types: forwarder proxies, which primarily act as relays to other contracts, and upgradeability proxies, which are designed to enable the evolution of contract logic over time.

• •

  ERC-1538 : Transparent Contract Standard Mudge_2018 introduces a transparent way to manage smart contract upgrades. It focuses on enabling the addition, removal, and modification of functions within a contract in a manner that is clear and traceable. This standard emphasizes transparency in contract upgrades, ensuring that changes are understandable and auditable, thereby enhancing the maintainability and adaptability of contracts over time.

• •

  EIP-1967: Proxy Storage Slots Palladino_Giordano_Croubois_2019 addresses the necessity of a standardized approach for tracking proxy contracts and their corresponding logic contract addresses. The lack of a common interface for accessing this information had previously been a barrier to develo** tooling for proxies. EIP-1967 responds to this need by specifying distinct storage slots within a proxy’s storage, aiming to streamline the identification and management of both the logic contract and the proxy’s administrative control. EIP-1967 introduces two distinct types of storage slots for proxies: Proxy Logic Storage Slots and Proxy Beacon Storage Slots. The Proxy Logic Storage Slots are utilized to store the address of the logic contract that the proxy delegates call to. This standardization facilitates the easy location and updating of the logic contract in a proxy setup. On the other hand, Proxy Beacon Storage Slots are employed in Beacon Proxy patterns. They store the address of a beacon contract, which in turn points to the logic contract. This method allows for the simultaneous upgrading of multiple proxy contracts by updating a single beacon contract.

• •

  EIP-1822: Universal Upgradeable Proxy Standard (UUPS) Barros_Gallagher_2019 enhances the developer experience by incorporating upgradeability directly into the logic contract. Unlike other upgradeability patterns where the proxy contract triggers updates, the UUPS allows the logic contract to initiate its own upgrade. This inversion of control not only streamlines the upgrade process but also provides developers with the option to remove upgradeability features in future iterations.

• •

  EIP-2535: Diamonds or Multi-Facet Proxy Nick_2020 presents a flexible, efficient approach for smart contract development. Unlike traditional single logic contract proxies, ERC-2535 allows a smart contract to use multiple logic contracts, known as facets, enabling a more modular and extensible structure. This design allows for adding, replacing, or removing functionalities (facets) without deploying a new contract.

• •

  The OpenZeppelin Proxy Pattern OpenZeppelin_2018 reflects one of the initial efforts in addressing the challenges of proxy contract development, such as function selector clashes. OpenZeppelin, a pioneer in this domain since 2017, proposed this pattern to mitigate the issues that arise when a proxy and its logic contract have overlap** function signatures. The pattern facilitates call delegation to the logic contract based on the caller’s status, distinguishing between administrative calls and regular user interactions. This distinction ensures that only non-admin calls are delegated, while admin calls are handled directly by the proxy or are rejected if the function does not exist.

We designed policies derived from the official standards specifications and utilized the Evm-Proxy-Identification tool,¹⁴¹⁴14https://github.com/CaiJiJi/evm-proxy-detection/ a well-known tool for detecting proxy contracts. However, due to the API constraints of the tool, we developed an independent proxy detection mechanism. This mechanism is based on the storage slots or unique identifiers (regular expressions) used in the standards, mirroring the approach followed by the Evm-Proxy-Identification tool. Figure 1 presents a flowchart of the process for identifying different upgradeable proxy contracts. If a proxy contract does not align with the identified types, we categorize it as Other Upgradeable Proxy Contract to ensure comprehensive classification within our analysis, as shown in Figure 3. Additionally, Table 1 lists the distinct storage slots or identifiers associated with each proxy type and their label in the flow chart.

After identifying upgradeable proxy contracts, we statistically analyze how prevalent upgradeable proxy contracts are and what is the most commonly used upgrading pattern. By the end of this step, we have a list of upgradeable contracts, their address, and upgrading patterns.

There is no guarantee that all upgradeable contracts will be modified and upgraded. RQ2 aims to analyze how likely an upgradeable contract is to be upgraded. Hence, we trace historical versions of each upgradeable smart contract, identified in RQ1, to answer this research question. We trace versions by analyzing the logs and events of the upgradeable contracts. The logs and historical blocks for each upgradeable contract are obtained from the Ethereum ETL dataset. We identify the upgrade request (if available) from these logs and save the new version address and details. For instance, some upgradeable contracts emit events with new contract addresses whenever there is a new upgrade for the smart contract. In these cases, we trace all the emitted events for the smart contract and extract the old and new version addresses. Figure 4 shows a sample of emitted events when a contract is upgraded obtained from Etherscan.

Tracing the historical versions of smart contracts poses significant challenges, particularly in the context of event tracing. It is essential to acknowledge that upgrading event signatures vary and are influenced by the specific upgrade strategy employed. Moreover, not all contracts adhere to standard names for upgrading events. These variations in event naming conventions and signatures further complicate the tracing process. For example, a slight alteration in the upgrade event signature can lead to entirely different event hashes, rendering event tracing susceptible to discrepancies.

To address these challenges, we conducted a preliminary study to assess the existing event naming conventions, including those provided in standards such as the Diamond proxy pattern. We aimed to capture the event signatures commonly emitted when a smart contract is upgraded and understand the diversity of the signatures developers employ. We examined a random sample of 5,000 upgradeable proxy contracts and initially identified 15 potential upgrade-related events. Then we excluded six events from our analysis, as they were deemed irrelevant for tracing upgrade events and were primarily associated with unrelated activities. The remaining nine events considered for this study are:

• •

  Upgraded(address)

• •

  NewImplementation(address, address)

• •

  ProxyUpdated(address, address)

• •

  FunctionUpdate(bytes4, address, address, string)

• •

  Upgraded(uint256, address)

• •

  TargetUpdated(address)

• •

  ImplementationUpdated(address)

• •

  NewImplementation(bytes32, bytes32, address)

• •

  ImplChanged(address, address)

These identified events facilitated tracing smart contract versions within proxy contracts and mapped them to the identified upgradeable proxies in RQ1. As a result, we have compiled a comprehensive dataset of upgradeable proxy contracts, their corresponding upgraded smart contract versions, and the upgrades they have undergone.

The objectives of RQ3 are to identify and analyze the specific modifications undertaken in smart contract upgrades. This study explores how traditional software maintenance classifications, such as corrective and perfective, apply to smart contracts. The study seeks to ascertain and analyze the reflection of these established maintenance activities in the domain of smart contracts. In RQ3, we consider three post-upgrade changes of smart contracts: fixing vulnerabilities (corrective), feature modification (perfective), or optimizing gas cost (perfective). Identifying adaptive maintenance (updates necessitated by environmental shifts) and preventive maintenance (mitigating future issues) is not directly analyzed in this study due to inherent difficulties associated with its application and identification chen2021maintenance . Modifications that might otherwise fall under the adaptive or preventive categories or do not align with the aforementioned three post-upgrade changes are thus categorized under an “other” classification. In this step, we use the smart contract versions from RQ2 to analyze the root cause of their upgrade.

To identify the changes in post-upgrades, it is necessary to find the code changes in each smart contract version (upgrade). For code change detection between the identified smart contract versions (from RQ2), we use Git diff,¹⁵¹⁵15https://git-scm.com/docs/git-diff a popular and powerful tool that is well-suited for comparing different code versions.

The Git-diff tool results help us locate the code changes for each upgrade. We analyze any security issues in the old and new versions to conclude whether the upgrade was to fix vulnerabilities. This analysis includes using SmartBugs ferreira2020smartbugs to detect vulnerabilities in smart contract versions. SmartBugs framework¹⁶¹⁶16https://github.com/smartbugs/smartbugs offers a wide range of security tools that cover different aspects of smart contract security, from static and dynamic analysis to formal verification and optimization. Using the combination of these tools enables us to analyze smart contract security.

Furthermore, we analyze whether there was gas optimization in the new versions of the contract. In this step, we estimate and compare the gas cost of the contract versions. The gas cost includes the gas fees for contract deployment and contract methods.

We follow these steps to identify the post-upgrade changes:

1. 1.

   Locate changes between smart contract versions. To identify the changes, we used the Git diff tool.

2. 2.

   Run the smartBugs tool on both versions of the smart contract to detect any security vulnerabilities. If there is a security vulnerability in the first version that was not found in the second version, mark it as a bug fix.

3. 3.

   Identify any changes that were made between the two versions that do not address a security vulnerability. If the second version added lines of code that do not fix a bug, mark it as a new feature. Else if there were lines or functions removed without fixing any vulnerabilities in the code label it as a deleted feature.

4. 4.

   Compare the gas costs of both versions of the smart contract. If the gas cost has decreased in the second version, mark it as a gas optimization.

5. 5.

   For any modifications that do not fall into the categories of bug fix, new feature, deleted feature, or gas optimization, label these as “other.”

Algorithm 1 demonstrates the labeling process of post-upgrade changes based on the above steps.

To analyze the impact of upgrading the contract on its usage (RQ4), we use the received transaction numbers for each version to get insight into the activity level. The transaction number is exported from the data collected from Etherscan. Since smart contract versions can have different lifespans, it is necessary to analyze the contract’s activity level while considering its lifespan. The contract version lifespan is measured from when the contract was deployed until a new version was created. The age or lifespan is measured using the following equation:

where $V_{a}$ is the target version for which we want to calculate the lifespan $\mbox{\em lifespan}(V_{a})$, $V_{a+1}$ is the next version, and $DT(V)$ is the deployment time of version $V$. If $V_{a}$ is the latest version, we consider the collection date instead of $DT(V_{a+1})$ as the end of the deployment period. To answer RQ4, we use a regression model with transaction numbers as the dependent variable and version lifespan as an independent variable. By including version lifespan in the model, we control for any differences in activity level due to the different lifespan of smart contract versions. Initially, we consider a linear regression model to examine if a linear relationship exists between the transaction count and the version lifespans. The equation can represent the linear regression model:

where $\beta_{0}$ is the intercept, $\beta_{1}$ is the coefficient for the independent variable representing the Version lifespan, and $\epsilon$ represents the error term of the model.

In our analysis, recognizing that a linear relationship might not adequately capture the complexities of our data, we have considered the application of random forest regression, a more complex machine learning model that uses an ensemble of decision trees to make predictions. We conduct an exploration of random forest regression to assess its effectiveness in our context. This technique allows us to capture non-linear relationships and interactions between variables that a simple linear model may overlook. The random forest model does not have a simple equation like linear regression, as it is based on multiple decision trees that collectively contribute to the final prediction. To assess the performance of our models (linear and random forest), we use the Mean Squared Error (MSE) and the R-squared (R²) score. The MSE is calculated as:

where $y_{i}$ is the observed value, $\hat{y}_{i}$ is the predicted value by the model, and $n$ is the total number of observations in the dataset. The R-squared score, represented as:

where $\bar{y}$ is the mean of the observed values. The R² score measures the proportion of the variance in the dependent variable that is predictable from the independent variable(s). An R² score closer to 1 indicates that the model explains a large portion of the variance in the dependent variable.

Based on the calculated activity levels, we analyze the impact of upgrading on the activity levels of different versions of the contract.

Figure LABEL:fig:RQ1A presents a dual donut chart delineating the distribution of smart contract types in a dataset of 44 million contracts, focusing on upgradeable proxy contracts. The smaller donut chart categorizes these contracts into three distinct groups: Non-Proxy Contracts, Non-Upgradeable Proxy Contracts, and Upgradeable Proxy Contracts. The larger donut chart focuses on the Upgradeable Proxy Contracts segment, which provides insight into the distribution of different upgradeable standards mentioned in Section 3.3.

Delving into specific instances, the Proxy Logic Storage Slots (EIP-1967) line presents an intriguing narrative. Initially, it shows a substantial presence, followed by a period of decline. This dip could indicate shifts in technology adoption, perhaps due to the emergence of more efficient or versatile proxy solutions. Concurrently, there is an uptick in the adoption of UUPS (EIP-1822), suggesting a possible correlation. This period also coincides with the introduction of the Diamond Proxy (EIP-2535), which may have influenced the usage dynamics of other proxies. However, it is worth noting that the decline in the usage of EIP-1967 was temporary, as there was a subsequent increase in its adoption. Interestingly, during this phase, EIP-1822 experienced a decrease in its usage, which could be due to the simplicity and efficiency of EIP-1967, which might have regained favor over EIP-1822. The Diamond Proxy (EIP-2535) trend remains relatively stable throughout the observed period. This stability indicates a consistent, albeit niche, adoption. On the other hand, Delegate Proxy (EIP-897), one of the earliest introduced approaches, shows a trend of not being widely adopted over time. Its relatively low and stagnant usage suggests it may not have kept pace with evolving technological demands.

In early 2018, when upgradeable proxy contracts were first introduced, there was no recorded use of them, highlighting their initial absence in the smart contract landscape. This period marked the beginning of an exploration into more flexible smart contract mechanisms beyond the traditional immutable contracts.

Following their introduction, the percentage of deployed upgradeable proxy contracts began to increase, indicating a growing interest and recognition of their potential benefits. This uptick in adoption showcased the development community’s initial steps towards embracing the flexibility that upgradeable proxies offered for smart contract development. The trend toward adopting upgradeable proxy contracts consistently rose from 2019 through the end of 2021. Despite experiencing fluctuations during this period, which likely reflected the community’s ongoing experimentation and assessment of upgradeable proxies, the overall direction was clear: a steady move towards greater adoption. These fluctuations were part of the natural process of integrating new technology into existing practices as developers weighed the advantages of upgradeability against the foundational principles of blockchain technology.

Starting in 2022, the adoption of upgradeable proxy contracts witnessed a significant increase. This shift was marked by a broader recognition within the smart contract development community of the strategic importance of upgrading and improving smart contracts post-deployment. The surge in adoption during this period demonstrates a maturation in the understanding of upgradeable proxies, driven by the need for smart contracts to remain adaptable in the face of technological, regulatory, and operational changes. This phase underscores a pivotal movement towards prioritizing the adaptability and future-proofing of smart contract deployments.

[linewidth=1pt, linecolor=black] RQ1. How prevalent are upgrading patterns in smart contracts?

To address RQ2, we focused on the number of smart contracts that were upgraded at least two times, based on the events discussed in Section 3.4.

The table shows interesting patterns about the upgrade strategies of these top five proxies: Proxies \seqsplit0x62faa8937f71b4896f9b250f675ff89a5f6875cc, \seqsplit0xb5c9985dc029b37d756938745760747b62ff46f9, and \seqsplit0x2f6081e3552b1c86ce4479b80062a1dda8ef23e3 show a high degree of uniqueness in their versions. The close correlation between the number of versions and the number of unique implementations suggests that most versions introduced are distinct, reflecting a strategy of consistent and diverse upgrades. On the other hand, proxies \seqsplit0x31946680978cefb010e5f5fa8b8134c058cba7dc and \seqsplit0x1920d646574e097c2c487f69f40814f95d45bf8c display a different trend, with a significant portion of their versions being duplicates. This indicates a more conservative approach where certain versions are reused, possibly due to their stability or specific functionality that suits the contract’s needs over time.

Figure 7 presents a comparison trend analysis between the deployment of upgradeable proxy contracts and the progression of smart contract versions over time, utilizing a dual-axis approach due to the significant numerical difference between the two datasets. The x-axis represents the timeline by quarters, illustrating the progression over several years. The primary y-axis on the left, colored in red, represents the count of upgradeable proxy contracts. A secondary y-axis on the right, highlighted in blue, details the count of smart contract versions. As in Figure LABEL:fig:RQ1B, the last quarter’s data was scaled due to incomplete data.

Initially, the figure illustrates a period where the number of upgradeable proxy contracts is very low, correlating with an absence of smart contract versions. This early stage reflects the foundational need for upgradeable proxies to facilitate contract upgrades, making the initial scarcity of versions expected, given the minimal deployment of upgradeable proxies. As the timeline progresses, both trends begin to exhibit a parallel increase. The rise in upgradeable proxy contracts, after a certain lag period, is followed by an increase in the number of smart contract versions. This sequence underscores the process wherein enhancements and modifications to smart contracts, captured as versions, are inherently linked to the availability and use of upgradeable proxies. The observed lag between these increases is a natural aspect of the development cycle, accounting for the time required to implement, test, and deploy contract upgrades.

A specific observation in the period after mid-2021 shows a temporary decline in the deployment of upgradeable proxy contracts. Interestingly, this does not lead to an immediate decrease in smart contract versions. Instead, an increase in versions is recorded, likely in response to the preceding rise in upgradeable proxies. This demonstrates the delayed effect of proxy deployment on contract versioning, highlighting the time-dependent nature of contract upgrades in response to earlier increases in upgradeable proxies.

The final drop observed in the number of smart contract versions towards the end of the period analyzed can be attributed to a reduction in the number of deployed contracts. This observation might initially suggest a decrease in activity or interest. However, this decrease could reflect a recurring pattern seen in previous periods, where specific months showed a similar drop in deployment data. Such patterns indicate that the observed decline might not signify a long-term decrease in smart contract deployments. Instead, it could represent cyclical or seasonal variations in contract creation activities, suggesting a normal fluctuation rather than a diminishing trend in the development and deployment of smart contracts.

[linewidth=1pt, linecolor=black] RQ2. How likely is an upgradeable contract to be upgraded?

RQ3 aims to identify post-upgrade changes in smart contracts and categorize them as fixing vulnerabilities, gas optimization, feature modification, or others.

Figure LABEL:fig:RQ3 is a radar chart representing upgrade patterns’ distribution in two datasets: All Versions and Smart Contracts Versions with Source Code. It has four axes, each corresponding to a different post-upgrade change category. The axes start from a common central point and extend outward, equally spaced. The values are represented as percentages of the total counts in each category. Each dataset is plotted as a closed loop, forming a shape visually representing each pos-upgrade change’s relative emphasis. The All Versions dataset is represented in blue, which includes all smart contract versions identified in RQ2. The Smart Contracts Versions with Source Code dataset is in red, focusing on only smart contract versions with available source codes.

[linewidth=1pt, linecolor=black] RQ3. What Changes Occur in Smart Contracts Post-Upgrade?

As discussed in Section  3.6, we employed a regression model to evaluate the relationship between contract upgrades (versions) and usage (transaction numbers). In this model, transaction numbers were set as the dependent variable, while the version lifespan was the independent variable. This approach aimed to account for variances in activity levels attributable to the different lifespans of smart contract versions.

However, the model’s fit to the data, as indicated by the Mean Squared Error (MSE) and the R² Score, was less than ideal. The MSE was quite high at $3813.33$, and the R² Score was $-0.03$, suggesting that the linear model did not adequately capture the relationship between the variables. The negative R² score is particularly telling, as it implies that the model may not be the best fit for this dataset or it fails to account for other influential factors.

Figure 8 displays the relationship between actual and predicted transaction numbers using a Linear Regression model. In this plot, the x-axis represents the actual transaction numbers, while the y-axis denotes the predicted transaction numbers by the model. A dashed line across the plot symbolizes perfect prediction accuracy, where the predicted values exactly match the actual values. The scatter points illustrate the correlation between the Linear Regression model’s predictions and the actual transaction numbers. The proximity or dispersion of these points from the dashed line indicates the model’s accuracy, with a closer alignment suggesting higher accuracy and a broader spread indicating variance.

A notable observation from Figure 8 is the wide spread of scatter points around the dashed line, indicating a significant variance between the Linear Regression model’s predictions and the actual transaction numbers. This spread reflects the model’s performance, as quantified by its Mean Squared Error (MSE) and R² Score, underscoring that the predictive accuracy of the Linear Regression model is not optimal. Moreover, a concentration of points around the y = 0 line suggests a trend where the model’s predictions tend to be consistently close to zero. This phenomenon indicates potential issues with the model’s performance. When numerous data points align closely with the y = 0 line, it may signify either an oversimplified model incapable of capturing the intricacies of the data, or the presence of features that inadequately represent the underlying patterns. Moreover, such clustering around y = 0 could highlight a data imbalance, where a significant portion of the target variable has values close to zero.

Hence, to thoroughly assess these possibilities, we address the first possibility by implementing a more complex model, specifically a Random Forest, to evaluate whether there is any improvement in predictive performance. This approach allows us to explore whether the increased complexity of the model can better capture the underlying patterns in the data and lead to more accurate predictions.

Figure 9 showcases the outcomes using a Random Forest model, a non-linear approach to prediction. The axes are defined similarly to Figure 8, with the actual transaction numbers on the x-axis and the predicted numbers on the y-axis. The presence of the dashed line continues to represent the goal of perfect prediction accuracy. The scatter points in Figure 9 are similar to those in Figure 8. They illustrate the correlation between the model’s predictions and the actual transaction numbers.

In Figure 9, the scatter points exhibit a wide distribution around the dashed line, indicating a significant variance between the model’s predictions and the actual transaction numbers. Notably, there are more points clustered around or in close proximity to the dashed line compared to Figure 8. While this may suggest relatively better performance for the regression model in terms of capturing certain trends, the substantial spread of points highlights the model’s inability to accurately predict transaction numbers across the entire dataset. These results, especially the improved performance of the Random Forest model, imply a more complex relationship between contract versions, their age, and the total number of transactions than what a simple linear model can capture. However, the concentration of points around the y = 0 line is similar to the previous model, which also prompts consideration of other potential factors such as data imbalance. Since a large proportion of contracts in the dataset have only one transactions, this concentration may be influenced by such data imbalance and the presence of other confounding factors.

To explore these possibilities further, we focused on the top 20 proxy contracts with the highest total transactions, as shown in Table 4. This approach aims to examine whether distinct patterns emerge among the most active contracts that could be better captured by our models.

In analyzing the top 20 proxy contracts, linear and Random Forest regression models were again employed, as shown in Figure 10. Figure 10 consists of two subfigures illustrating the performance of different models in predicting transaction numbers for the top 20 proxy contracts. Subfigure 10(a) displays the relationship between actual and predicted transaction numbers using a linear regression model, while Subfigure 10(b) shows the relationship for the random forest model. Similar to Figure 8, the x-axis represents the actual transaction numbers, while the y-axis denotes the predicted transaction numbers by the model.

The performance of these models was only moderately successful in explaining the variance in transaction numbers. The Random Forest model, in particular, showed a slight performance improvement, indicating some level of non-linear relationship but still pointing towards unaccounted factors influencing contract activity. However, the fact that a substantial portion of variance remains unexplained suggests that there are other factors influencing transaction numbers that are not included in the model. These could be factors intrinsic to the nature of smart contracts, user behaviors, market conditions, or other external variables not accounted for in the current model.

[linewidth=1pt, linecolor=black] RQ4. How does smart contract upgrading impact the activity level of the contract?

Based on the analysis of the prevalence of upgradeable smart contracts in RQ1, We analyzed the community discussions about these standards to reason about the adoption of one standard compared to others. We observed that only three standards, Diamond (EIP-2535), Proxy Storage Slots (EIP-1967), and OpenZeppelin, remain actively used. The transparent standard (EIP-1538) was withdrawn with subsequent modification, and the Diamond standard was introduced, indicating a refinement in upgradeable contract approaches. Meanwhile, UUPS (EIP-1822) and EIP-897 standards are stagnant, having not seen significant activity in the past six months. From the official discussion of the UUPS (EIP-1822) standard,¹⁷¹⁷17https://ethereum-magicians.org/t/eip-1822-universal-upgradeable-proxy-standard-uups/2842/30 we also identified a security concern that revolves around the proxiableUUID mechanism. This mechanism is designed to ensure compatibility between a proxy and its implementation contracts by utilizing a unique identifier. The core of the security issue lies in the potential for proxies to mimic the logic intended for implementation contracts, thereby creating a vulnerability during the upgrade process. This vulnerability poses significant risks, such as creating loops of recursive delegation that never reach actual implementation logic, leading to gas depletion and failed transactions. Moreover, it might result in the execution of unintended or malicious logic, compromising contract integrity and potentially leading to the irreversible loss of contract functionality and assets. This security concern is likely a contributing factor to the observed decline in UUPS (EIP-1822) usage shown in Figure LABEL:fig:RQ1B. The discussion of this issue was in March 2021, and its alignment with the pattern’s decline in the figure strongly suggests a correlation between the security concerns and the reduced adoption of this standard in mid-2021.

From the results of RQ1 in Figure LABEL:fig:RQ1A, we focused on a subset of smart contracts whose proxy types are Other upgradeable proxy contract, aiming to classify and understand their underlying structures. We identified three uniform patterns among a subset of these contracts through a detailed analysis:

• •

  CErc20Delegator: Identified in 571 contracts, this pattern is part of the Compound protocol and is unique for its detailed constructor, which initializes DeFi-specific parameters (such as the underlying asset, interest rate models, and initial exchange rates) and sets the implementation contract. The contract emits a NewImplementation event when a contract is upgraded, including the old and new addresses of the contract.

• •

  Proxyable/ProxyERC20: Designed for ERC20 token upgradeability, this pattern extends the Owned contract (for ownership and access control management) and is marked as ‘payable.‘ The constructor of this contract type ensures that the contract cannot be instantiated directly, enhancing its security. The TargetUpdated event is used to signal updates to the proxy’s target, providing transparency for contract upgrades. This pattern was found in 19 contracts from the Other upgradeable proxy contract category.

• •

  Custom Proxy Contracts on Polygon: This proxy, appearing in 31 contracts, features a ProxyUpdated event and suggests the deployment of custom proxy contracts on the Polygon network. Although they align with ERC-897’s DelegateProxy pattern, they are recognized under a distinct interface, IERCproxy.

The findings from RQ2 reveal that only 0.34% of upgradeable smart contracts are actually upgraded after deployment. This observation challenges the presumed advantage of upgradeability, highlighting a disparity between theoretical capabilities and their application in practice. Two primary factors could explain this phenomenon: the contracts might be of high initial quality due to thorough auditing and testing before deployment, or the complexity and risks associated with upgrading might deter their application.

Firstly, the high initial quality of these smart contracts can be attributed to rigorous auditing and testing procedures prior to deployment. Auditing involves a detailed examination of the contract’s code by security experts to identify potential vulnerabilities, while testing, encompassing both automated and manual methods, ensures the contract operates as intended under various scenarios. This scrutiny level helps minimize the need for future upgrades by ensuring the contract is as secure and functional as possible from the outset. This perspective aligns with the industry’s growing emphasis on comprehensive audit practices for smart contracts, recognizing the critical importance of security in decentralized finance (DeFi) and other blockchain applications.

On the other hand, the complexity and inherent risks of the upgrade process itself could prevent developers and contract owners from initiating upgrades. Upgrading a smart contract involves technical challenges, such as ensuring compatibility with existing functionalities and managing the contract’s state during the transition, as well as operational risks. Moreover, every new code deployment risks introducing unforeseen vulnerabilities, making the upgrade process a cautious endeavor that requires meticulous planning, testing, and auditing similar to the initial deployment.

Furthermore, the impact of upgrades on the quality of smart contracts is nuanced. While the ability to upgrade allows for the correction of flaws, adaptation to new requirements, and introducing improvements, it also introduces a layer of uncertainty. Each upgrade carries the potential to enhance the contract’s functionality and security but also risks compromising its integrity if not carefully executed. Therefore, the decision to upgrade involves weighing the benefits of improved functionality and security against the risks of introducing new vulnerabilities and the operational complexities involved in the upgrade process.

Based on the results from RQ3, we investigated the relationship between the availability of source code and the upgrade frequency of smart contracts. Our analysis divides smart contracts into two groups based on source code availability, leading to a comparative study of how this factor influences the evolutionary trajectory of these contracts.

Contracts with available source code exhibit a higher mean number of versions than those without. Specifically, the mean version count for contracts with accessible source code is approximately 2.71. In contrast, contracts with no available source code have a lower mean version count, around 2.00. This statistical disparity highlights the difference in upgrade frequency and suggests a broader trend toward more dynamic development cycles in open-source contracts. This pattern reflects the broader benefits of open-source practices, including enhanced community engagement, increased transparency, and a more iterative approach to development. These factors collectively contribute to a more responsive development ecosystem for smart contracts, underlining the importance of source code availability in fostering the growth and security of blockchain technologies.

Our study aimed to investigate the relationship between smart contracts version activity level, measured by total transactions, and their upgrade frequency. Since there is no linear relationship between the number of transactions and the age of the contract, we focused on comparing the upgrade intervals of the most actively used contracts with those less active. This approach was intended to identify if activity level influences upgrade practices, as we have noticed many smart contract updates within minutes. We divided the proxy contracts into two groups for analysis: the top 20 proxies by transaction volume and the remaining proxies, excluding the latest version of each, to consider only complete upgrade cycles. The top 20 proxies demonstrated an average upgrade interval of approximately 609 days (20.3 months), while the remaining proxies had a shorter interval of about 521 days (17.4 months).

This differential suggests that more actively used contracts are upgraded less frequently. This could imply that high transaction volumes lead to a preference for stability and reduced upgrade frequency, possibly due to the complexities of updating heavily used systems. Alternatively, it might reflect a strategic decision to minimize disruptions in high-stake environments.

The empirical findings shed light on the “to upgrade or not to upgrade” dilemma faced by the smart contract community. This dilemma is rooted in the contrast between blockchain’s foundational principle of immutability and the practical need for adaptability to address evolving requirements and unforeseen vulnerabilities. The finding that only 3% of smart contracts are designed as upgradeable proxy contracts suggests a cautious approach within the community toward embracing upgradeability. This caution may arise from concerns over the complexities and potential risks associated with managing upgradeable contracts, such as introducing new vulnerabilities and the operational challenges of executing upgrades, though the exact reasons are not definitively known.

Furthermore, the observation that a small percentage of these upgradeable contracts have undergone upgrades at least twice underscores a broader hesitancy to utilize the upgrade capability, even when technically feasible. This hesitancy could indicate a preference for stability and predictability over the potential benefits of iterative improvements. The low frequency of upgrades among upgradeable contracts hints at apprehensions about the impacts of such changes, potentially including technical risks and implications for user trust and contract reliability.

This scenario reveals a complex landscape in blockchain development, where decisions around making a smart contract upgradeable and subsequently acting on this capability involve weighing multiple considerations. Developers and stakeholders seem to navigate a delicate balance between addressing critical vulnerabilities, adapting to new requirements, and maintaining the trust and integrity of smart contract immutability. The balance between pursuing innovation and ensuring stability is central to the upgrade dilemma, reflecting wider challenges in the evolution of blockchain technologies and their applications.

A significant concern in our study is the limitations associated with using automated tools for detecting vulnerabilities. These tools could potentially produce false positives or miss vulnerabilities, impacting the accuracy of our findings. We have implemented robust filtering strategies to mitigate this and applied majority rules in our analysis. This approach is designed to minimize the occurrence of false positives.

Another threat to internal validity stems from identifying and categorizing smart contracts and their versions. While our approach does not involve manual labeling, which could introduce subjective biases, there remains a possibility of inaccuracies in the automated identification and classification process. We have extensively tested and validated each step of our methodology to counter this risk. This testing serves not only as a check on the accuracy of our processes but also as a validation of the methods themselves. It provides us with confidence in the applicability of our findings, ensuring that our conclusions are based on reliable and correctly categorized data.

Moreover, when detecting upgradeable proxy contracts, there is a risk of incorrect identification, which could impact our results. To mitigate this, we have used a well-known EVM proxy detection tool as a base for our detection mechanism. This tool is recognized for its accuracy and reliability in identifying proxies, reducing the risk of misclassification. Moreover, we analyzed the standard description for each proxy type to identify the unique characteristics of each standard and incorporate it within our detection method to ensure more precise identification of upgradeable proxy contracts, thereby minimizing errors in classification.

Our study focuses on Ethereum smart contracts, which may limit our findings’ generalizability to other types of smart contracts or blockchain platforms. While the study aimed not to generalize all smart contracts but to provide insights into the impact of upgrading on contracts’ security, we acknowledge this limitation. The thorough testing of sample data ensures a solid foundation for our conclusions within the scope of Ethereum-based contracts.

Additionally, our study specifically focuses on the proxy pattern among upgradeable smart contracts, acknowledging that other patterns exist but are not the focus of our research. We have excluded other types as they do not exhibit unique characterization to distinguish them. Moreover, some types have minimal prevalence, such as data separation, which represents only 0.0007 % of the dataset. Threats to validity may arise from the limited scope of our study, as we only consider the proxy pattern among upgradeable smart contracts due to its significant role and the concentrated attention it receives within the smart contract development community. Moreover, focusing on proxy patterns allows for a more detailed and impactful analysis of the most commonly employed upgrade techniques in the Ethereum platform. However, this narrow focus may limit the generalizability and applicability of our findings to other patterns or platforms.