What are the main security risks of using an upgradeable proxy pattern for a smart contract, and how do you mitigate them?

technical-conceptual · Mid level · software-engineering, blockchain-web3

What the interviewer is really asking

Assesses whether the candidate understands the delegatecall-based proxy threat model — storage collisions, unprotected upgrade authority, uninitialized implementations — and the concrete defenses, rather than just knowing proxies 'allow upgrades'.

What to say

What to avoid

Example answers

Strong: A proxy delegatecalls into a logic contract, so the logic executes against the proxy's storage and whoever can change the implementation pointer controls all the funds — that authority is the real attack surface. The classic bugs are storage collisions, where a new implementation reorders state variables and corrupts balances; unprotected or single-key upgrade functions; and proxies left uninitialized that an attacker initializes to grab ownership. I'd keep storage append-only with gaps or ERC-7201 namespacing, put the upgrade behind a multisig and timelock, disable initializers in the implementation constructor and initialize atomically, and diff the storage layout before every upgrade.

Weak: Proxies just let you ship fixes without redeploying, so the main thing is to put onlyOwner on the upgrade function. As long as the owner key is safe you're basically fine, and you can lay out storage however reads cleanest in each version.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.