All About Proxy Contracts

Maybe you’ve heard of a proxy contract, and folks might have told you that it is dangerous, or that you “can’t trust them”. Who or why would anyone use a proxy contract? Does it go against the ethos of web3? Is it actually that dangerous? In this article we seek to answer these questions and share some other important information regarding proxy contracts and address how you should think about and treat them, as a normal web3 user. Let’s jump in!

But First, What Even is a Proxy Contract?

Normally, contracts on Ethereum are immutable, meaning that they can’t be upgraded once they are deployed. After all, blockchains are generally defined as an “immutable public ledger”, but devs can sidestep these limitations using the proxy contract model. A proxy contract sends (or delegates) all of its functionality to another smart contract, called the implementation contract. 

The implementation contract itself (the contract that contains all the code that “does stuff”) can later be changed out or “upgraded” as needed. Devs simply deploy another version of the implementation contract to the blockchain and update the proxy contract to send all of the requests received to the second implementation contract (diagram below). An example of one such request might be to transfer an asset like a token or NFT. 

A good analogy for a proxy contract would be buying a piece of land. The piece of land acts as the proxy contract, delegating all the useful functions to the house itself, where the owners are free to switch out the roof, remodel the kitchen, etc. However, no matter how much you remodel, or put an entire new house on the property, the address doesn't change!

Projects That Use Proxy Contracts

Are proxy contracts dangerous? Should you buy into NFT projects that use proxy contracts? What about marketplaces, tokens, or even DeFi protocols? Before we answer those questions, let’s take a look at a couple example proxy contracts in the wild:

10KTF - This smart contract is perhaps one of the most notable NFT smart contracts that utilizes this proxy contract model to allow upgradability. They can upgrade their contracts to integrate features like wallet delegation, enforce royalties, or apply new primitives/standards. 

USDC - One of the largest stablecoins, USDC, also employed the proxy contract model. In fact, they go into their reasons and the implementation in their 2020 blogpost entitled “Upgrading a multi-billion dollar ERC-20 token”. They poignantly articulated their worries in this sentence from the aforementioned post: “USDC market capitalization had grown to $1.4 billion at the time of the upgrade and our careers were on the line — no one wanted to go down in history as the developer that set a billion dollars on fire.”.

Blur - Blur is an NFT Marketplace that utilizes proxy contracts in virtually all of its deployed smart contracts, minus the $BLUR token contract. This can be dangerous because users have already approved assets to the proxy address, and now a new implementation contract has the ability to pull those assets from user wallets. If the new Blur implementation contract has bugs,hundreds of thousands of NFTs approved to the Blur proxy contract would be at risk. Scammers could drain wallets of their NFTs, spelling game-over for the NFT market; this is an extremely unlikely doomsday scenario, safeguards like circuit breaker functions, contract audits, and white hat hackers would likely stop an attack before it happened.

Compound Finance - While it is unclear what the governance surrounding upgrading Blur and 10KTF are, since they are private companies it is safe to say that it's perhaps not as rigorous (and certainly not as transparent!) as those found in more mature DAOs. One notable example is Compound Finance, a DeFi lending platform with $1B+ in TVL; it is known to be incredibly security-minded. Its governance process, for example, doesn’t allow updates to the protocol unless there is at least a 1 week lead time minimum, and this is enforced by code.

Why Do Projects Use Them?

Although there are a lot of nuanced reasons to use proxy contracts, the main reasons are:

• Upgradability: This is the primary reason. The implementation contract can be upgraded without affecting the proxy contract or users. Projects don’t want to lose users by requiring  them to re-approve already existing assets, migrate funds, etc. Users aren’t affected by implementation contract upgrades because the proxy contract only stores the address of the implementation contract, not its code. So, users can continue to interact with the proxy contract as usual, even if the implementation contract has been upgraded.
   
• Conceal Future Features: Maybe the team plans to add features to the contract over time, but aren’t ready to make them public. They can simply roll out the features over time and not have to build placeholder methods that point to other contracts. Proxy contracts are an easy way to suddenly release new features for blockchain projects.
   
• Accommodate For the Future: Although alluded to, nobody knows what the future holds for crypto. Maybe a hot new asset type or NFT will need to be handled in a special way on Blur. Maybe new features and primitives will be developed. For example, Cryptopunks were released before the  ERC-721 standard, and depend on a 3rd party “wrapper contract” in order to be traded on marketplaces like Opensea. This is because the ERC-721 standard didn’t exist when cryptopunks were released. Crypto projects would like to avoid having multiple contract versions because they fracture liquidity for DeFi and complicate provenance for NFTs. Had they been using a proxy contract, Cryptopunks could have just upgraded it to account for this change (in theory)! 

Most of these reasons seem like different ways of saying the same thing, but the differences are nuanced. For some projects, having the exact same contract address for their utility or project isn’t necessary; their users might interact with the contract only through a specific UI or website.Unless their users employ smart contract bookmarks (a security strategy taught in our NFT Security 101 class), they’d be none the wiser! But other projects might need  provenance of their token collection and uniformity of their tokens.! 

How to Tell if a Contract is a Proxy Contract

There are two main ways to tell if something is a proxy contract. Of course there are all kinds of blockchain analysis tools, but we recommend Etherscan for most folks.

Method 1: First, navigate to the contract in Etherscan. For this example, we’re going to use a proxy contract we often reference in our NFT Security 102 class examples, Helix.

Go to the Contract tab. You’ll see two buttons that you won’t see on most contracts, the “Write as Proxy” and the “Read as Proxy” buttons.

A screenshot of a contract that has been identified to the Etherscan Team as a Verified Proxy.

Use the “Write as Proxy” button to interact with proxy contracts if you ever need to.

Method 2: The other way to recognize a proxy is when Etherscan says it is a proxy, but the developer hasn’t explicitly chosen to make the aforementioned buttons available in Etherscan. Instead, there will be a little banner across the Contract page that looks like this, stating that it “may” be a proxy contract:

A contract that Etherscan believes is a proxy, but the developer hasn’t confirmed or submitted it to Etherscan as such.

Risks to Using Proxy Contracts

So now that you know something is a proxy contract, what are the risks to users? We alluded to some of them in the Projects that use Proxy Contracts section, but let's outline them below.

1. The developer’s deployment/admin wallet could get compromised allowing a malicious update to be deployed: There have been countless examples of some of the most competent devs, including one of the most infamous core devs of the Bitcoin protocol, LukeDashJr, getting their wallet compromised. Bad actors can use a proxy contract deployer address to effectively destroy the whole collection, or worse.
   
    
2. The developer could go rogue and deploy a malicious update: Although most rogue devs tend to just steal treasuries and run (this is what crypto calls rugpulls), they could do even more damage by maliciously upgrading a proxy contract. They could steal all assets approved to it using a drainer implementation contract or they could add functions like an admin burn function which could even steal tokens that have already been “sent” to user’s wallets!
   
    
3. The developers could update a contract and introduce a bug: Just recently Sushiswap deployed a bugged version of its contract. Attackers used the bug to drain $3.3M from the wallets of prominent crypto figures and regular Sushiswap users who used the platform at that time. Although Sushiswap was NOT using a proxy contract, it would have been much worse if they were. A bugged contract upgrade would have meant that anyone who had ever made an approval on Sushiswap would be vulnerable to this same bug! Hackers would have been able to steal funds from anyone who made token approvals on Sushiswap. This would have likely been the biggest DeFi exploit in 2023, had that been the case!
    

For an exchange, not  using the proxy contract model makes sense; it lets users and institutions who are a little more cautious wait out any potential issues that new users might face after an update. Using a proxy contract to upgrade the implementation contract means all users are subject to new risks  to every token they’ve previously approved unless they revoke that approval.

Recommendations

Aside from understanding the risks associated with using proxy contracts, there are a few general rules of thumb to follow when you encounter one in the wild:

1. Be extra cautious of NFT contracts that request approvals for assets that are outside their ecosystem. (But don’t stress too much if not).

For example, you are part of an NFT project that has a proxy contract deployed for its collection. If that same collection then asks for an approval for your ApeCoin or Wrapped Ethereum, it should be treated as higher risk. Blur is often cited as an “unavoidable” example of this, as we stated earlier, since Blur only uses proxy contracts. 

1. When approving NFTs or ERC-20 tokens, especially to marketplaces or exchanges, check if something is a proxy contract before you do.

Whenever I use a new marketplace or DEX, I like to check this, and try and figure out if they have talked about why they use a proxy contract, or how they protect and audit new deployments before updating new implementations. 

1. Revoke approvals to unused or inactive proxies (or all contracts for that matter) using services like Revoke.cash or Approvals.xyz

Inactive projects, especially those with anonymous founders, might try to use your approvals against you by deploying code to a new implementation contract with code to allow them to take control of approved tokens. To avoid this possibility, always keep your approvals clean, remember to set spending caps for approvals, and perform routine audits of them to keep unnecessary approvals out of your wallet!

Conclusion

Proxy contracts aren’t all bad, and honestly in most projects, particularly those using them for their own means, within their own ecosystem or tokens, it's a perfectly sensible way to ensure the long-term viability of your project! It will help to stay current with new ERC standards, trends, and to be able to seamlessly integrate new primitives like Wallet Delegation. However, using them reduces the predictability, and ever important and memetic immutability that blockchain users have grown accustomed to over the years. 

Ultimately, the decision of whether or not to use proxy contracts is up to the user and what they are comfortable with. In most cases, proxy contracts are a perfectly sensible way to ensure the long-term viability of a project. However, in cases involving exchanges or marketplaces (Blur, Opensea, etc), where updates should be rare, using proxy contracts may not be appropriate.

Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our discord at https://discord.gg/boringsecurity .