Key Considerations for the Security Review of Upgrades

Ensuring the security of a contract upgrade requires a focused review process tailored to the unique risks that upgrades introduce. While it may seem tempting to focus only on the newly added code, this approach is insufficient.

A thorough security review must consider all state variables affected by the upgrade and re-examine any previously deployed code these changes interact with. Even if the original code was reviewed before deployment, revisiting it ensures that no hidden vulnerabilities are exposed by the upgrade.

Below are actionable tips to guide a comprehensive security review of your upgraded contract:

1. Confirm Compatibility with Existing Functionality

  • Test for Backward Compatibility: Verify that all previously supported functions and interfaces behave as expected.

  • Check Dependent Contracts: Ensure contracts or systems interacting with the upgraded contract remain functional.

2. Assess Changes to Storage Layout

  • Validate Storage Consistency: If using a proxy pattern, confirm that storage layout changes do not introduce corruption.

  • Use Tools: Employ tools like OpenZeppelin's storage layout comparison to identify potential mismatches.

3. Review New and Modified Code

  • Audit New Logic: Scrutinize any newly introduced functionality for vulnerabilities or design flaws.

  • Verify Fixes: Confirm that updates addressing previously identified vulnerabilities do not introduce new issues.

  • Revisit Touched Code: Reassess previously reviewed code that interacts with updated state variables or new logic to ensure the upgrade doesn't expose vulnerabilities in older code.

  • Review State Migration Scripts: Examine any scripts or mechanisms used for migrating state to ensure correctness and prevent corruption or unintended consequences.

4. Conduct Thorough Tests on Testnets

  • Simulate Real-World Scenarios: Test the upgraded contract in environments similar to mainnet.

  • Integration Tests: Ensure smooth interactions with other contracts and off-chain systems.

5. Review Documentation

  • Upgrade Notes: Include detailed descriptions of changes made in the upgrade.

  • Migration Plans: Document the state migration process and any data transformations required.

6. Involve External Security Researchers

  • Expert Review: Engage third-party security researchers to evaluate the upgrade.

  • Independent Testing: Ensure researchers independently verify your internal findings.

PreviousHandling State Migration in a Secure WayNextOngoing Operations

Last updated