Solidity Upgrades
Contents
Proxy Patterns Overview
| Pattern | Upgrade logic lives in | Best for |
|---|
| UUPS () | Implementation contract (override ) | Most projects — lighter proxy, lower deploy gas |
| Transparent | Separate contract | When admin/user call separation is critical — admin cannot accidentally call implementation functions |
| Beacon | Shared beacon contract | Multiple proxies sharing one implementation — upgrading the beacon atomically upgrades all proxies |
All three use EIP-1967 storage slots for the implementation address, admin, and beacon.
Transparent proxy — v5 constructor change: In v5,
TransparentUpgradeableProxy
automatically deploys its own
contract and stores the admin address in an immutable variable (set at construction time, never changeable). The second constructor parameter is the
owner address for that auto-deployed
— do
not pass an existing
contract address here. Transfer of upgrade capability is handled exclusively through
ownership. This differs from v4, where
was deployed separately and its address was passed to the proxy constructor.
Upgrade Restrictions Between Major Versions (v4 → v5)
Upgrading a proxy's implementation from one using OpenZeppelin Contracts v4 to one using v5 is not supported.
v4 uses sequential storage (slots in declaration order); v5 uses namespaced storage (ERC-7201, structs at deterministic slots). A v5 implementation cannot safely read state written by a v4 implementation. Manual data migration is theoretically possible but often infeasible —
entries cannot be enumerated, so values written under arbitrary keys cannot be relocated.
Recommended approach: Deploy new proxies with v5 implementations and migrate users to the new address — do not upgrade proxies that currently point to v4 implementations.
Updating your codebase to v5 is encouraged. The restriction above applies only to already-deployed proxies. New deployments built on v5, and upgrades within the same major version, are fully supported.
Writing Upgradeable Contracts
Use initializers instead of constructors
Proxy contracts delegatecall into the implementation. Constructors run only when the implementation itself is deployed, not when a proxy is created. Replace constructors with initializer functions:
solidity
import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
contract MyToken is Initializable, ERC20Upgradeable, OwnableUpgradeable {
/// @custom:oz-upgrades-unsafe-allow constructor
constructor() {
_disableInitializers(); // lock the implementation
}
function initialize(address initialOwner) public initializer {
__ERC20_init("MyToken", "MTK");
__Ownable_init(initialOwner);
}
}
Key rules:
- Top-level uses the modifier
- Parent init functions () use internally — call them explicitly, the compiler does not auto-linearize initializers like constructors
- Always call in a constructor to prevent attackers from initializing the implementation directly
- Do not set initial values in field declarations (e.g., ) — these compile into the constructor and won't execute for the proxy. is safe (inlined at compile time). values are stored in bytecode and shared across all proxies — the plugins flag them as unsafe by default; use
/// @custom:oz-upgrades-unsafe-allow state-variable-immutable
Use the upgradeable package
Import from
@openzeppelin/contracts-upgradeable
for base contracts (e.g.,
,
). Import interfaces and libraries from
. In v5.5+,
and
should also be imported directly from
— aliases in the upgradeable package will be removed in the next major release.
Storage layout rules
When upgrading, the new implementation must be storage-compatible with the old one:
- Never reorder, remove, or change the type of existing state variables
- Never insert new variables before existing ones
- Only append new variables at the end
- Never change the inheritance order of base contracts
Namespaced storage (ERC-7201)
The modern approach — all
@openzeppelin/contracts-upgradeable
contracts (v5+) use this. State variables are grouped into a struct at a deterministic storage slot, isolating each contract's storage and eliminating the need for storage gaps. Recommended for all contracts that may be imported as base contracts.
solidity
/// @custom:storage-location erc7201:example.main
struct MainStorage {
uint256 value;
mapping(address => uint256) balances;
}
// keccak256(abi.encode(uint256(keccak256("example.main")) - 1)) & ~bytes32(uint256(0xff))
bytes32 private constant MAIN_STORAGE_LOCATION = 0x...;
function _getMainStorage() private pure returns (MainStorage storage $) {
assembly { $.slot := MAIN_STORAGE_LOCATION }
}
Using a variable from namespaced storage:
solidity
function _getBalance(address account) internal view returns (uint256) {
MainStorage storage $ = _getMainStorage();
return $.balances[account];
}
Benefits over legacy storage gaps: safe to add variables to base contracts, inheritance order changes don't break layout, each contract's storage is fully isolated.
When upgrading, never remove a namespace by dropping it from the inheritance chain. The plugin flags deleted namespaces as an error — the state stored in that namespace becomes orphaned: the data remains on-chain but the new implementation has no way to read or write it. If a namespace is no longer actively used, keep the old contract in the inheritance chain. An unused namespace adds no runtime cost and causes no storage conflict. There is no targeted flag to suppress this error; the only bypass is
, which disables all storage layout compatibility checks and is a dangerous last resort.
Computing ERC-7201 storage locations
When generating namespaced storage code, always compute the actual
constant.
Use the Bash tool to run the command below with the actual namespace id and embed the computed value directly in the generated code. Never leave placeholder values like
.
The formula is:
keccak256(abi.encode(uint256(keccak256(id)) - 1)) & ~bytes32(uint256(0xff))
where
is the namespace string (e.g.,
).
Node.js with ethers:
bash
node -e "const{keccak256,toUtf8Bytes,zeroPadValue,toBeHex}=require('ethers');const id=process.argv[1];const h=BigInt(keccak256(toUtf8Bytes(id)))-1n;console.log(toBeHex(BigInt(keccak256(zeroPadValue(toBeHex(h),32)))&~0xffn,32))" "example.main"
Replace
with the actual namespace id, run the command, and use the output as the constant value.
Unsafe operations
- No — on pre-Dencun chains, destroys the implementation and bricks all proxies. Post-Dencun (EIP-6780), only destroys code if called in the same transaction as creation, but the plugins still flag it as unsafe
- No to untrusted contracts — a malicious target could or corrupt storage
Additionally, avoid using
to create contracts inside an upgradeable contract — the created contract won't be upgradeable. Inject pre-deployed addresses instead.
Hardhat Upgrades Workflow
Install the plugin:
bash
npm install --save-dev @openzeppelin/hardhat-upgrades
npm install --save-dev @nomicfoundation/hardhat-ethers ethers # peer dependencies
javascript
require('@openzeppelin/hardhat-upgrades'); // JS
import '@openzeppelin/hardhat-upgrades'; // TS
Workflow concept — the plugin provides functions on the
object (
,
,
,
,
). Each function:
- Validates the implementation for upgrade safety (storage layout, initializer patterns, unsafe opcodes)
- Deploys the implementation (reuses if already deployed)
- Deploys or updates the proxy/beacon
- Calls the initializer (on deploy)
The plugin tracks deployed implementations in
per-network files. Commit non-development network files to version control.
Use
to validate and deploy a new implementation without executing the upgrade — useful when a multisig or governance contract holds upgrade rights.
Read the installed plugin's README or source for exact API signatures and options, as these evolve across versions.
Foundry Upgrades Workflow
Install dependencies:
bash
forge install foundry-rs/forge-std
forge install OpenZeppelin/openzeppelin-foundry-upgrades
forge install OpenZeppelin/openzeppelin-contracts-upgradeable
toml
[profile.default]
ffi = true
ast = true
build_info = true
extra_output = ["storageLayout"]
Node.js is required — the library shells out to the OpenZeppelin Upgrades CLI for validation.
Import and use in scripts/tests:
solidity
import {Upgrades} from "openzeppelin-foundry-upgrades/Upgrades.sol";
// Deploy
address proxy = Upgrades.deployUUPSProxy(
"MyContract.sol",
abi.encodeCall(MyContract.initialize, (args))
);
// IMPORTANT: Before upgrading, annotate MyContractV2 with: /// @custom:oz-upgrades-from MyContract
// Upgrade and call a function
Upgrades.upgradeProxy(proxy, "MyContractV2.sol", abi.encodeCall(MyContractV2.foo, ("arguments for foo")));
// Upgrade without calling a function
Upgrades.upgradeProxy(proxy, "MyContractV2.sol", "");
Key differences from Hardhat:
- Contracts are referenced by name string, not factory object
- No automatic implementation tracking — annotate new versions with or pass in the struct
- variant skips all validation (takes addresses instead of names) — never use in production scripts
- Run or use before running scripts
Read the installed library's
for the full API and
struct.
Handling Upgrade Validation Issues
When the plugins flag a warning or error, work through this hierarchy:
- Fix the root cause. Determine whether the code can be restructured to eliminate the concern entirely — remove the problematic pattern or refactor storage. This is always the right first step.
- Use in-code annotations if the situation is genuinely safe. If restructuring isn't appropriate and you've determined the flagged pattern is actually safe, the plugins support annotations that let you document that judgment directly at the source. Check the installed plugin's docs for what's available. These annotations create a clear audit trail of intentional exceptions — use them only after evaluating the safety, not as a shortcut.
- Use a narrow flag if an annotation won't work. Some cases (e.g., a third-party base contract you can't modify) can't be addressed in source. Use the most targeted flag available, scoped to the specific construct.
- Broad bypass as a last resort, with full awareness of the risk. Options like (Foundry) or blanket entries skip all validation for the affected scope. If you use them, comment why, and verify manually — the plugin is no longer protecting you.
Upgrade Safety Checklist