upgrade-solidity-contracts

What this skill does

# Solidity Upgrades

## Contents

- [Proxy Patterns Overview](#proxy-patterns-overview)
- [Upgrade Restrictions Between Major Versions (v4 → v5)](#upgrade-restrictions-between-major-versions-v4--v5)
- [Writing Upgradeable Contracts](#writing-upgradeable-contracts)
- [Hardhat Upgrades Workflow](#hardhat-upgrades-workflow)
- [Foundry Upgrades Workflow](#foundry-upgrades-workflow)
- [Handling Upgrade Validation Issues](#handling-upgrade-validation-issues)
- [Upgrade Safety Checklist](#upgrade-safety-checklist)

## Proxy Patterns Overview

| Pattern | Upgrade logic lives in | Best for |
|---------|----------------------|----------|
| **UUPS** (`UUPSUpgradeable`) | Implementation contract (override `_authorizeUpgrade`) | Most projects — lighter proxy, lower deploy gas |
| **Transparent** | Separate `ProxyAdmin` contract | When admin/user call separation is critical — admin cannot accidentally call implementation functions |
| **Beacon** | Shared beacon contract | Multiple proxies sharing one implementation — upgrading the beacon atomically upgrades all proxies |

All three use EIP-1967 storage slots for the implementation address, admin, and beacon.

> **Transparent proxy — v5 constructor change:** In v5, `TransparentUpgradeableProxy` automatically deploys its own `ProxyAdmin` contract and stores the admin address in an immutable variable (set at construction time, never changeable). The second constructor parameter is the **owner address** for that auto-deployed `ProxyAdmin` — do **not** pass an existing `ProxyAdmin` contract address here. Transfer of upgrade capability is handled exclusively through `ProxyAdmin` ownership. This differs from v4, where `ProxyAdmin` was deployed separately and its address was passed to the proxy constructor.

## Upgrade Restrictions Between Major Versions (v4 → v5)

**Upgrading a proxy's implementation from one using OpenZeppelin Contracts v4 to one using v5 is not supported.**

v4 uses sequential storage (slots in declaration order); v5 uses namespaced storage (ERC-7201, structs at deterministic slots). A v5 implementation cannot safely read state written by a v4 implementation. Manual data migration is theoretically possible but often infeasible — `mapping` entries cannot be enumerated, so values written under arbitrary keys cannot be relocated.

**Recommended approach:** Deploy new proxies with v5 implementations and migrate users to the new address — do not upgrade proxies that currently point to v4 implementations.

**Updating your codebase to v5 is encouraged.** The restriction above applies only to already-deployed proxies. New deployments built on v5, and upgrades within the same major version, are fully supported.

## Writing Upgradeable Contracts

### Use initializers instead of constructors

Proxy contracts delegatecall into the implementation. Constructors run only when the implementation itself is deployed, not when a proxy is created. Replace constructors with initializer functions:

```solidity
import {Initializable} from "@openzeppelin/contracts/proxy/utils/Initializable.sol";

contract MyToken is Initializable, ERC20Upgradeable, OwnableUpgradeable {
    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        _disableInitializers(); // lock the implementation
    }

    function initialize(address initialOwner) public initializer {
        __ERC20_init("MyToken", "MTK");
        __Ownable_init(initialOwner);
    }
}
```

Key rules:
- Top-level `initialize` uses the `initializer` modifier
- Parent init functions (`__X_init`) use `onlyInitializing` internally — call them explicitly, the compiler does not auto-linearize initializers like constructors
- Always call `_disableInitializers()` in a constructor to prevent attackers from initializing the implementation directly
- Do not set initial values in field declarations (e.g., `uint256 x = 42`) — these compile into the constructor and won't execute for the proxy. `constant` is safe (inlined at compile time). `immutable` values are stored in bytecode and shared across all proxies — the plugins flag them as unsafe by default; use `/// @custom:oz-upgrades-unsafe-allow state-variable-immutable` to opt in when a shared value is intended

### Use the upgradeable package

Import from `@openzeppelin/contracts-upgradeable` for base contracts (e.g., `ERC20Upgradeable`, `OwnableUpgradeable`). Import interfaces and libraries from `@openzeppelin/contracts`. In v5.5+, `Initializable` and `UUPSUpgradeable` should also be imported directly from `@openzeppelin/contracts` — aliases in the upgradeable package will be removed in the next major release.

### Storage layout rules

When upgrading, the new implementation must be storage-compatible with the old one:

- **Never** reorder, remove, or change the type of existing state variables
- **Never** insert new variables before existing ones
- **Only** append new variables at the end
- **Never** change the inheritance order of base contracts

### Namespaced storage (ERC-7201)

The modern approach — all `@openzeppelin/contracts-upgradeable` contracts (v5+) use this. State variables are grouped into a struct at a deterministic storage slot, isolating each contract's storage and eliminating the need for storage gaps. Recommended for all contracts that may be imported as base contracts.

```solidity
/// @custom:storage-location erc7201:example.main
struct MainStorage {
    uint256 value;
    mapping(address => uint256) balances;
}

// keccak256(abi.encode(uint256(keccak256("example.main")) - 1)) & ~bytes32(uint256(0xff))
bytes32 private constant MAIN_STORAGE_LOCATION = 0x...;

function _getMainStorage() private pure returns (MainStorage storage $) {
    assembly { $.slot := MAIN_STORAGE_LOCATION }
}
```

Using a variable from namespaced storage:
```solidity
function _getBalance(address account) internal view returns (uint256) {
    MainStorage storage $ = _getMainStorage();
    return $.balances[account];
}
```

Benefits over legacy storage gaps: safe to add variables to base contracts, inheritance order changes don't break layout, each contract's storage is fully isolated.

When upgrading, never remove a namespace by dropping it from the inheritance chain. The plugin flags deleted namespaces as an error — the state stored in that namespace becomes orphaned: the data remains on-chain but the new implementation has no way to read or write it. If a namespace is no longer actively used, keep the old contract in the inheritance chain. An unused namespace adds no runtime cost and causes no storage conflict. There is no targeted flag to suppress this error; the only bypass is `unsafeSkipStorageCheck`, which disables all storage layout compatibility checks and is a dangerous last resort.

#### Computing ERC-7201 storage locations

When generating namespaced storage code, always compute the actual `STORAGE_LOCATION` constant. **Use the Bash tool to run the command below** with the actual namespace id and embed the computed value directly in the generated code. Never leave placeholder values like `0x...`.

The formula is: `keccak256(abi.encode(uint256(keccak256(id)) - 1)) & ~bytes32(uint256(0xff))` where `id` is the namespace string (e.g., `"example.main"`).

**Node.js with ethers**:

```bash
node -e "const{keccak256,toUtf8Bytes,zeroPadValue,toBeHex}=require('ethers');const id=process.argv[1];const h=BigInt(keccak256(toUtf8Bytes(id)))-1n;console.log(toBeHex(BigInt(keccak256(zeroPadValue(toBeHex(h),32)))&~0xffn,32))" "example.main"
```

Replace `"example.main"` with the actual namespace id, run the command, and use the output as the constant value.

### Unsafe operations

- **No `selfdestruct`** — on pre-Dencun chains, destroys the implementation and bricks all proxies. Post-Dencun (EIP-6780), `selfdestruct` only destroys code if called in the same transaction as creation, but the plugins still flag it as unsafe
- **No `delegatecall`** to untrusted contracts — a malicious target could `selfdestruct` or corrupt storage

Ad