Overview
Proxy and upgrade patterns are ubiquitous in modern DeFi — UUPS, Transparent Proxy, Beacon, and Diamond (EIP-2535). Each introduces unique vulnerabilities around delegatecall, storage layout collisions, and unprotected upgrade functions. ChainProof currently has no coverage for these patterns.
Vulnerability Patterns to Detect
1. Storage Slot Collision
// Proxy.sol
contract Proxy {
    address public implementation; // slot 0
    // fallback delegatecalls into `implementation`, so its code runs against this contract's storage
}
// Implementation.sol
contract Implementation {
    address public owner; // also slot 0 — COLLISION: writes to owner overwrite Proxy.implementation
}
2. Unprotected _authorizeUpgrade
function _authorizeUpgrade(address newImpl) internal override {} // empty body
3. Uninitialized Implementation Contract
initialize() callable by anyone on the implementation directly — attacker sets themselves as owner, then calls selfdestruct. (Parity hack pattern)
4. delegatecall to User-Controlled Address
function execute(address target, bytes calldata data) external {
    target.delegatecall(data); // attacker supplies malicious target
}
5. Function Selector Clashing (Diamond Proxy)
Two facets registering the same 4-byte selector, causing one to shadow the other.
Detection Approach
- Identify proxy patterns via storage variable naming heuristic
- Detect delegatecall to non-constant address
- Check _authorizeUpgrade and upgradeTo for access control guards
- Detect storage layout conflicts by enumerating slot 0 in proxy vs implementation
- Flag uninitialized implementation contracts
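One way to implement the slot-collision, `_authorizeUpgrade` and delegatecall-target checks from the list above, as added example code rather than ChainProof's own detector; it assumes the Solidity source is available as text and uses regex heuristics in place of a real parser, and the two sample contracts are constructed from the snippets in this issue:

```python
import re
# Added heuristic scanner for patterns 1, 2 and 4 above (example code, not ChainProof's; the sample contracts at
# the bottom are constructed). Regex-based on purpose: no real Solidity parser, inheritance, or packing-aware slot math.
STATE_VAR = re.compile(r"^\s*(address|u?int\d*|bool|bytes\d*|string|mapping\([^;]*\))"
                       r"((?:\s+(?:public|private|internal|immutable|constant))*)\s+(\w+)\s*(?:=[^;]*)?;", re.M)
def body_at(src, i):
    # Text between the '{' at src[i] and its matching '}' (brace-depth scan)
    depth = 0
    for j in range(i, len(src)):
        depth += (src[j] == "{") - (src[j] == "}")
        if depth == 0:
            return src[i + 1:j]
    return src[i + 1:]

def state_vars(src):
    # Ordered (type, name) of slot-occupying state variables. Function bodies are blanked first so locals
    # are not counted; constants and immutables are skipped because they occupy no slot.
    top, depth = [], 0
    for ch in src:
        depth -= ch == "}"
        top.append(ch if depth <= 1 else "")
        depth += ch == "{"
    return [(t, n) for t, mods, n in STATE_VAR.findall("".join(top))
            if "constant" not in mods and "immutable" not in mods]

def storage_collisions(proxy_src, impl_src):
    # Pattern 1: slots declared by both contracts but for a different (type, name); slot 0 is the classic case
    return [(s, p, i) for s, (p, i) in enumerate(zip(state_vars(proxy_src), state_vars(impl_src))) if p != i]

def delegatecall_to_param(src):
    # Pattern 4: (function, param) pairs where a delegatecall target is a caller-supplied parameter
    hits = []
    for m in re.finditer(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{", src):  # groups: name, params, modifiers
        pnames = {p.split()[-1] for p in m.group(2).split(",") if p.strip()}
        hits += [(m.group(1), t) for t in re.findall(r"(\w+)\.delegatecall\(", body_at(src, m.end() - 1)) if t in pnames]
    return hits

def unprotected_authorize_upgrade(src):
    # Pattern 2: _authorizeUpgrade present with neither an only*-style modifier nor a require/revert in its body
    m = re.search(r"function\s+_authorizeUpgrade\s*\([^)]*\)([^{;]*)\{", src)
    return bool(m) and not (re.search(r"\bonly\w+", m.group(1))
                            or re.search(r"\b(require|revert)\b", body_at(src, m.end() - 1)))

PROXY_SRC = """contract Proxy {
    address public implementation; // slot 0
    fallback() external payable { address impl = implementation; } }"""
IMPL_SRC = """contract Implementation {
    address public owner;                // also slot 0 -> collides with Proxy.implementation
    uint256 public constant VERSION = 1; // constant: occupies no slot
    function _authorizeUpgrade(address newImpl) internal override {} // empty body
    function execute(address target, bytes calldata data) external { target.delegatecall(data); } }"""
```

Running the three checks over `PROXY_SRC` and `IMPL_SRC` reports the slot-0 collision, the unguarded `_authorizeUpgrade`, and `execute`'s delegatecall to its `target` parameter; a real detector would replace the regexes with the compiler's AST and storage-layout output.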
Acceptance Criteria
References