The birth of Ethereum has established a new computing model based on the principle of immutability, where source code, once deployed to the blockchain, exists forever and cannot be changed. However, in the reality of software development, this immutability creates a major barrier to bug fixes, feature updates, and system optimization. To resolve the conflict between the immutability of blockchain and the need for software flexibility, the Proxy Contract model has been developed as a standard solution. This report, compiled by the Tan Phat Digital team, deeply analyzes the nature of Proxy Contracts, the underlying technical mechanisms, popular standards, and especially the sophisticated security risks that make end users easily fooled in real-life scenarios.
1. Core Concepts and Separation of State and Logic
Traditional smart contracts on Ethereum are a monolithic entity, where the execution code (logic) and storage space (storage) are tied to a single address. Proxy Contract breaks this structure by separating the system into two independent but closely interacting components: the Proxy contract (which holds state) and the Logic contract (which holds executable code).
This model allows maintaining a fixed address for users and front-end applications, while the underlying business logic can be replaced by changing the address pointing to the logic contract inside the proxy's storage. This creates an "illusion of variability" on an inherently immutable infrastructure.
1.1 Role of Components in Proxy Architecture
In this architecture, the Proxy contract serves as the single point of contact. All assets, Ether balances, and important state variables such as ownership and user balances are permanently stored at the Proxy's address. In contrast, a Logic contract (also known as an Implementation Contract) only contains instructions on how to process data.
The main components include:
Proxy Contract: Data storage, token balance, Implementation address and administrative rights. Has immutable address properties, but can change internal data.
Logic (Implementation): Contains the source code of business functions (for example: transfer, mint, swap). Replaceable with new versions.
ProxyAdmin: The administrative contract or wallet that has the right to perform upgrades, controlling the ability to change the entire system.
This separation brings great benefits in system maintenance. If a security vulnerability is discovered in the business logic, the developer simply deploys a new fixed logic contract and updates the address in the proxy, instead of having to ask thousands of users to move assets to a completely new address.
2. DELEGATECALL Mechanism: The Engine of the Upgrade
The technical basis that allows Proxy Contract to operate is the opcode delegatecall, introduced in EIP-7 of the Ethereum network. This is a special call that allows a contract to fetch executable code from another address but run in its own "context".
2.1 Preserving Context in EVM Execution
When the Proxy contract makes a delegatecall to the Logic contract, the transaction's environment variables are preserved intact. This means that within the Logic contract, the following values will not change compared to calling the Proxy directly:
msg.sender: Still the original user's address, not the Proxy's address.
msg.value: The amount of Ether included in the transaction is kept intact.
storage: All reads (SLOAD) and writes (SSTORE) act directly on the Proxy's storage space, not on the Logic contract's.
The difference between regular calls (CALL) and DELEGATECALL is extremely important for the system's security and functionality. In a CALL, the target contract operates on its own storage and sees msg.sender as the calling contract. In a DELEGATECALL, the target contract acts as a logic library loaded into the Proxy.
2.2 Analyzing the Execution Flow through the Fallback Function
Since a Proxy Contract usually does not define business functions, to avoid conflicts, it uses the fallback function to receive any unknown calls. When a user calls the transfer(address,uint256) function on the Proxy, the Proxy does not have this function, so the Ethereum virtual machine (EVM) triggers the fallback function. There, a piece of low-level assembly code is executed to delegate the call.
The technical process is as follows:
Use calldatacopy to copy the entire input data of the transaction into memory.
Get the address of the current Logic contract from a specified storage location.
Execute delegatecall with all available gas, passing in the copied data.
After the Logic contract completes execution, the result returns and the output data is copied back using returndatacopy.
The proxy returns the result to the original user, completing the delegation cycle transparently.
3. Memory Architecture and EIP-1967 Standards
One of the biggest challenges of the Proxy Pattern is managing storage collisions. Since both the Proxy and the Implementation share the Proxy's storage space, if they both try to use the same storage slot for different purposes, disaster will occur.
3.1 Memory Collision Risk
In Solidity, state variables are arranged into 32-byte slots in the order of declaration. Suppose the Proxy declares the variable address _implementation in slot 0 to store the logic address. If the Logic contract also declares the variable uint256 _balance in slot 0, then every time a logic function updates the balance, it will accidentally overwrite the Implementation address stored in the Proxy. This leads to the contract being taken over by an attacker if they can manipulate the value written to that slot.
3.2 Unstructured Storage and EIP-1967 Solution
To prevent collisions, the EIP-1967 standard was established, which defines special storage locations for Proxy administrative variables by hashing identifier strings:

Subtracting 1 after hashing ensures that this slot cannot be created by normal hashing of dynamic arrays or mappings in Solidity, reducing the probability of collisions to almost zero.
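The five delegation steps from section 2.2 and the EIP-1967 implementation slot from section 3.2, combined in one contract. This is an added example, not code from this report or from OpenZeppelin; MinimalProxy and its constructor parameters are hypothetical names, and the constructor also shows initialization in the same transaction as deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; MinimalProxy is a hypothetical name, not a library contract.
contract MinimalProxy {
    // EIP-1967: bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    constructor(address logic, bytes memory initData) payable {
        require(logic.code.length > 0, "logic is not a contract");
        // The literal above must equal the hash-minus-one definition.
        assert(IMPLEMENTATION_SLOT ==
            bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1));
        assembly {
            sstore(IMPLEMENTATION_SLOT, logic)
        }
        // Atomic initialization: run the Logic's initializer against the
        // Proxy's storage inside the deployment transaction itself.
        if (initData.length > 0) {
            (bool ok, ) = logic.delegatecall(initData);
            require(ok, "initialization failed");
        }
    }

    fallback() external payable {
        assembly {
            // 1. Copy the full calldata to memory position 0.
            calldatacopy(0, 0, calldatasize())
            // 2. Load the current Logic address from the EIP-1967 slot.
            let impl := sload(IMPLEMENTATION_SLOT)
            // 3. Delegate with all remaining gas; storage, msg.sender and
            //    msg.value remain those of the call to the Proxy.
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            // 4. Copy whatever the Logic contract returned.
            returndatacopy(0, 0, returndatasize())
            // 5. Hand the result (or the revert data) back to the caller.
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

An upgrade entry point, whether placed in the Proxy (Transparent) or in the Logic contract (UUPS), writes a new address to the same slot under access control.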
4. Popular Proxy Models and Trade-off Analysis
4.1 Transparent Proxy Pattern (TPP)
This model aims to solve the "function identifier collision" problem. TPP's mechanism is based on separating callers by role: if the caller is the Admin, the Proxy only executes its own administrative functions; if the caller is not the Admin, the Proxy always forwards the call to the Implementation.
4.2 Universal Upgradeable Proxy Standard (UUPS) - EIP-1822
UUPS outperforms TPP by moving the upgrade logic from the Proxy to the Implementation contract itself. Proxy is now extremely streamlined, helping to save gas because there is no need to check the Admin at the Proxy. However, if you upgrade to a new version that lacks the upgrade logic, the contract will be locked forever.
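One way to guard against the "locked forever" outcome is to refuse any new Implementation that does not declare UUPS support. The following is an added example, not the report's or OpenZeppelin's code: UpgradeGuardedLogic, upgradeTo and _authorizeUpgrade are hypothetical names, while proxiableUUID() is the function ERC-1822 defines.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; names are hypothetical except proxiableUUID() (ERC-1822).
interface IProxiable {
    function proxiableUUID() external view returns (bytes32);
}

abstract contract UpgradeGuardedLogic is IProxiable {
    // EIP-1967 implementation slot, the value a compatible Logic must report.
    bytes32 private constant IMPLEMENTATION_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // Address of this Logic contract, fixed in its bytecode at deployment.
    address private immutable SELF = address(this);

    event Upgraded(address indexed implementation);

    function proxiableUUID() external view override returns (bytes32) {
        require(address(this) == SELF, "call the Logic contract directly");
        return IMPLEMENTATION_SLOT;
    }

    function upgradeTo(address newLogic) external {
        // Under delegatecall address(this) is the Proxy, never SELF.
        require(address(this) != SELF, "call through the Proxy");
        _authorizeUpgrade(newLogic);
        require(newLogic.code.length > 0, "new Logic has no code");
        // Reject targets that do not declare UUPS support: a Logic without
        // upgrade code would leave the Proxy stuck on it permanently.
        try IProxiable(newLogic).proxiableUUID() returns (bytes32 slot) {
            require(slot == IMPLEMENTATION_SLOT, "unexpected proxiableUUID");
        } catch {
            revert("new Logic is not upgrade-capable");
        }
        assembly {
            sstore(IMPLEMENTATION_SLOT, newLogic)
        }
        emit Upgraded(newLogic);
    }

    // Access control (owner, multisig, timelock) is supplied by the inheritor.
    function _authorizeUpgrade(address newLogic) internal virtual;
}
```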
4.3 Beacon Proxy
Designed for projects that need to deploy a series of identical contracts. Proxies point to an intermediate contract called "Beacon" that holds the common Implementation address. When Beacon updates, all dependent Proxies will be upgraded simultaneously.
4.4 Diamond Standard (EIP-2535)
Diamond Standard allows one Proxy contract to connect to many different Implementation contracts (Facets). This addresses the 24KB contract size limit by splitting the logic and allowing each part to be upgraded independently.
5. Security Risks and User Deception Mechanisms
According to observations from Tan Phat Digital, users are often deceived by a false sense of security when seeing an unchanged contract address or a verified source code on block explorers.
5.1 Risks of Administration and Centralization
The biggest risk is the absolute control of the Admin. If the admin key is compromised, an attacker can perform a "Flash Upgrade" to the malicious source code to withdraw funds and then upgrade back to the old version to erase the traces.
5.2 Initialization Error (Uninitialized Proxy Vulnerability)
Since the Proxy cannot use a constructor, the developer uses an initialize function instead. If the Admin forgets to call this function or does not protect it, an attacker can call it themselves to take over Admin rights. The 2017 Parity wallet hack that froze over 500,000 ETH is a painful historical example of this bug.
5.3 Memory Conflicts and Audius Crashes
The 2022 Audius protocol hack exemplifies a memory slot error:
Before the upgrade: Slot 0 stores the initialization state (initialized = true). The contract works normally.
After upgrade: The developer adds the variable proxyAdmin to Proxy, accidentally overlapping slot 0.
Exploit: The Admin's address value causes the system to misunderstand that it has not been initialized. Hacker calls the initialize function again and takes ownership.
Damage: Hacker transfers 6 million USD tokens out of the community fund.
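Sections 5.2 and 5.3 both come down to how the Logic contract guards initialize. The pair below is an added, simplified example (not Audius's code and not from this report) showing a slot-0 guard beside a hardened form; all contract names, the identifier string and the gap size are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Weak form (hypothetical VaultLogicWeak): the guard is an ordinary variable
// in slot 0. A Proxy variable that lands in slot 0 is read here as
// `initialized`, and the bare Logic contract can be initialized by anyone.
contract VaultLogicWeak {
    bool public initialized; // slot 0, lowest byte
    address public owner;    // packed into slot 0 after the bool

    function initialize(address newOwner) external {
        require(!initialized, "already initialized");
        initialized = true;
        owner = newOwner;
    }
}

// Hardened form (hypothetical VaultLogicHardened): the guard sits at a hashed
// slot that sequentially declared variables do not reach, and the constructor
// locks the Logic contract's own storage.
contract VaultLogicHardened {
    // Assumed identifier string, derived the same way as EIP-1967 slots.
    bytes32 private constant INIT_SLOT =
        bytes32(uint256(keccak256("example.vault.initialized")) - 1);

    address public owner;      // slot 0
    uint256[49] private __gap; // storage gap; the size is an assumption

    constructor() {
        _markInitialized(); // affects the Logic contract's storage only
    }

    function initialize(address newOwner) external {
        require(!_isInitialized(), "already initialized");
        require(newOwner != address(0), "owner required");
        _markInitialized();
        owner = newOwner;
    }

    function _isInitialized() private view returns (bool done) {
        bytes32 slot = INIT_SLOT;
        assembly { done := iszero(iszero(sload(slot))) }
    }

    function _markInitialized() private {
        bytes32 slot = INIT_SLOT;
        assembly { sstore(slot, 1) }
    }
}
```

Behind a Proxy, the hardened guard starts at zero in the Proxy's storage, so initialize succeeds exactly once there regardless of what the Proxy keeps in slot 0.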
5.4 Concealment and Disguise Techniques
Fraudsters often give dangerous functions reassuring names such as safeWithdraw() when the function actually drains the funds. They can also verify only the Proxy's source code (which is very short and harmless) while hiding the Implementation's source code containing malicious "back doors".
6. Analysis of Typical Rug Pull Proxy Cases (2024 - 2025)
6.1 LIBRA Case and Rug Pull Evolution
The 2025 LIBRA project used the "Fragmented Rug Pull" tactic to avoid detection. Instead of one large withdrawal, the fraudster uses a proxy to distribute withdrawals to a series of satellite wallets, performing thousands of small transactions below the monitoring system's warning threshold. They then upgraded the proxy to a contract containing a selfdestruct command to wipe out the evidence.
6.2 Kinto Finance and Low-Level Proxy Vulnerabilities
In July 2025, Kinto Finance was attacked through a bug in the proxy administration mechanism. The attacker took over the upgrade rights and quickly minted an additional 110,000 unauthorized tokens, withdrawing 1.55 million USD from liquidity pools.
7. Testing and Verification Process for Users
To protect assets, Tan Phat Digital recommends that users take the following steps:
Check the Verify Proxy feature: See if Etherscan displays a "Read as Proxy" tab.
Monitor Upgraded history: If a contract upgrades too often without notice, it's a dangerous red flag.
Verify admin rights: Admin address should be a multi-signature wallet (Multisig) or have a Timelock mechanism to delay important changes.
Use support tools: Leverage platforms like GoPlus Security or TokenSniffer to scan for signs of Honeypot or unusual Mint token rights.
8. Defense Strategy for Developers
Developers should use OpenZeppelin standard libraries and always apply the "Storage Gap" technique (create empty array uint256 private __gap;) to reserve storage space. Any change to the Implementation must be tested for storage layout compatibility with automated tools such as the Hardhat Upgrades Plugin before deployment.
9. Frequently Asked Questions (FAQs)
Why use a Proxy Contract instead of deploying a new contract? Using a Proxy helps maintain a single, fixed contract address for users and integrated applications, avoiding costly data migration and the need for users to move to a new address every time there is an update or bug fix.
What is the core difference between the CALL and DELEGATECALL commands? In a CALL, the target contract runs on its own storage. In contrast, DELEGATECALL loads the target contract's code but executes it in the "context" of the calling contract, meaning it uses the calling contract's storage and balance and preserves its msg.sender.
Why does Transparent Proxy consume more gas than UUPS? Transparent Proxy requires checking whether the caller is an Admin or not at each transaction to decide the direction of the call (to admin or to logic). UUPS eliminates this check at the Proxy because the upgrade logic is directly in the Implementation contract.
How to identify a project using Proxy? On Etherscan, users can find the button "Is this a proxy?" or the "Read as Proxy"/"Write as Proxy" tabs. If so, it is definitely a proxy contract.
What is Storage Gap? This is a technique of placing empty arrays (e.g. uint256 private __gap;) in the base contract to reserve storage space for new variables in the future, preventing the storage layout of inheriting contracts from being shifted.
What is the risk of not initializing the Proxy? If the initialize function is not called immediately after deployment, an attacker can call this function themselves to become the owner of the contract and take full control.
Why can't Proxies use constructors? Because the code in the constructor only runs once at the Logic contract's address when it is deployed, while the actual user state is at the Proxy's address.
What is Function Selector Clashing? This is the phenomenon of two functions having different names but the same 4-byte identifier. Hackers can take advantage of this to trick users into calling a business function that in reality activates a dangerous admin function.
How to ensure the Proxy upgrade is safe? The project should use a multi-signature wallet (Multisig) combined with a Timelock mechanism (delay execution time) so that the community has time to test the new source code before it takes effect.
Can Proxy upgrades be disabled? Yes. Developers can upgrade to an Implementation that does not contain upgrade logic or use an admin waiver to make the Proxy a permanent immutable contract.
How is a Beacon Proxy different from a regular Proxy? Instead of each Proxy storing a Logic address, they point to an intermediary contract (Beacon). Updating the Beacon will simultaneously upgrade thousands of dependent Proxies in a single transaction.
What is the role of the ProxyAdmin contract? In OpenZeppelin's Transparent Proxy model, ProxyAdmin is an intermediary contract that takes ownership of the Proxy, helping to administer upgrades securely and separately from regular user interactions.
How to detect backdoors in Proxies? Users should check if the Implementation source code has been verified and use tools like Slither to scan for functions with onlyOwner permissions that can withdraw funds or block transactions.
What is Flash Upgrade Attack? This is an attack technique in which hackers upgrade the Proxy to malicious code, steal money, then immediately upgrade back to the old version in just one transaction to erase on-chain traces.
How to initialize a Proxy in the safest way? Developers should use an atomic initialization process, meaning that deploying the Proxy and calling the initialize function take place in the same transaction, so that an attacker cannot call it first.
Proxy Contract is an inevitable technical solution for the development of the Blockchain ecosystem. However, this flexibility also brings risks if not managed transparently. Tan Phat Digital believes that transparency in governance and user prudence are the true "immutability" that the community needs to aim for in the volatile Web3 world.