
Proxion: Uncovering Hidden Proxy Smart Contracts for Finding Collision Vulnerabilities in Ethereum

Cheng-Kang Chen, Wen-Yi Chu, Muoi Tran, Laurent Vanbever, Hsu-Chun Hsiao

TL;DR

Proxion tackles the blind spots of prior proxy-detection tools by employing dynamic EVM emulation and bytecode analysis to identify proxy contracts without source code or transaction history. It then traces associated logic contracts and performs collision checks for both function and storage dimensions, using Slither when source code is available and opcode-based extraction when not. The approach achieves high coverage on tens of millions of Ethereum contracts, uncovers millions of proxy-logic pairs, and reveals substantial collision risk across major actors, with accuracy that surpasses state-of-the-art methods. This work significantly improves the security visibility of upgradeable proxies, enabling safer interaction with and governance of Ethereum smart contracts at scale.

Abstract

The proxy design pattern allows Ethereum smart contracts to be simultaneously immutable and upgradeable: an original contract is split into a proxy contract containing the data storage and a logic contract containing the implementation logic. This architecture is known to have security issues, namely function collisions and storage collisions between the proxy and logic contracts, and has been exploited in real-world incidents to steal millions of dollars' worth of users' digital assets. In response to this concern, several previous works have sought to identify proxy contracts in Ethereum and detect their collisions. However, they all fell short due to their limited coverage, often restricting analysis to only contracts with available source code or past transactions. To bridge this gap, we present Proxion, an automated cross-contract analyzer that identifies all proxy smart contracts and their collisions in Ethereum. What sets Proxion apart is its ability to analyze hidden smart contracts that lack both source code and past transactions. Equipped with various techniques to enhance efficiency and accuracy, Proxion outperforms the state-of-the-art tools, notably identifying millions more proxy contracts and thousands of unreported collisions. We apply Proxion to analyze over 36 million alive contracts from 2015 to 2023, revealing that 54.2% of them are proxy contracts, and about 1.5 million contracts exhibit at least one collision issue.

Paper Structure (31 sections, 6 figures, 4 tables, 1 algorithm)

This paper contains 31 sections, 6 figures, 4 tables, 1 algorithm.

Figures (6)

  • Figure 1: An example of proxy and logic smart contracts. The proxy contract's delegate call forwards the call data to the upgraded logic contract.
  • Figure 2: The accumulated number of alive Ethereum smart contracts till 31 October 2023. Prior works only cover about 18% of smart contracts with source code (blue and orange) [bodell2023proxy] or 53% of smart contracts with past transactions (orange and green) [ruaro2024not], while Proxion also applies to the hidden contracts without source code or past transactions (red).
  • Figure 3: Proxion identifies proxy smart contracts in two steps. First, Proxion disassembles the tested contract's bytecode into opcodes. Contracts without a DELEGATECALL opcode (e.g., ➊) are not proxies. Second, Proxion executes the tested contract under an emulated EVM with carefully created transaction call data. If this data is not forwarded to another contract in the emulated EVM, the contract is not a proxy (e.g., ➋) and vice versa (e.g., ➌). Proxion then identifies the associated logic contracts of the identified proxy contract.
  • Figure 4: Accumulated number of pairs of proxy and logic contracts identified by Proxion from 2015 to 2023. In the vast majority of them, the proxy contracts only have bytecode available.
  • Figure 5: Most contracts are duplicates: only $96,420$ and $38,707$ unique proxy and logic contracts, respectively. Unique proxy contracts: three proxy contracts are duplicated more than 1 million times. Unique logic contracts: two logic contracts have the same bytecode as more than ten thousand other contracts.
  • ...and 1 more figure
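
The first step in the Figure 3 caption (disassemble, then discard contracts with no DELEGATECALL opcode) and a bytecode-only function-collision check can be sketched as follows. This is an added example, not Proxion's code: the function names are hypothetical, the dispatcher heuristic (a PUSH4 followed within two instructions by EQ) is an assumption about compiler output, and all sample bytecode is constructed (the first sample follows the EIP-1167 minimal-proxy layout with a placeholder address).

```python
DELEGATECALL, EQ = 0xF4, 0x14
PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F

def disassemble(code: bytes):
    """Yield (offset, opcode, immediate), skipping PUSH immediates."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        n = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        yield pc, op, code[pc + 1 : pc + 1 + n]
        pc += 1 + n

def has_delegatecall(code: bytes) -> bool:
    """Step-1 filter: is 0xf4 present as an opcode, not as PUSH data?"""
    return any(op == DELEGATECALL for _, op, _ in disassemble(code))

def dispatcher_selectors(code: bytes) -> set:
    """Heuristic (assumption): selectors are PUSH4 values compared with EQ."""
    ins = list(disassemble(code))
    found = set()
    for i, (_, op, imm) in enumerate(ins):
        compared = any(o == EQ for _, o, _ in ins[i + 1 : i + 3])
        if op == PUSH4 and len(imm) == 4 and compared:
            found.add(imm.hex())
    return found

def function_collisions(proxy: bytes, logic: bytes) -> set:
    """Selectors dispatched by both contracts; the proxy's one shadows the logic's."""
    return dispatcher_selectors(proxy) & dispatcher_selectors(logic)

# Constructed samples.
MINIMAL_PROXY = bytes.fromhex(
    "363d3d373d3d3d363d73" + "be" * 20 + "5af43d82803e903d91602b57fd5bf3")
PUSH_DATA_ONLY = bytes.fromhex("60f460005200")  # PUSH1 0xf4; PUSH1 0; MSTORE; STOP
PROXY_FRAG = bytes.fromhex("8063a9059cbb1461001057" + "5af4")
LOGIC_FRAG = bytes.fromhex("63a9059cbb8114" + "6370a0823114")

if __name__ == "__main__":
    print(has_delegatecall(MINIMAL_PROXY))    # opcode present: candidate proxy
    print(has_delegatecall(PUSH_DATA_ONLY))   # 0xf4 only inside PUSH data
    print(function_collisions(PROXY_FRAG, LOGIC_FRAG))
```

Passing this filter only makes a contract a candidate: bytes after the executable code (such as compiler metadata) can decode to 0xf4, which is one reason the caption's second step checks under emulation whether call data is actually forwarded.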