
UPC Sentinel: An Accurate Approach for Detecting Upgradeability Proxy Contracts in Ethereum

Amir M. Ebrahimi, Bram Adams, Gustavo A. Oliva, Ahmed E. Hassan

TL;DR

UPC Sentinel provides a robust three-layer framework for detecting upgradeability proxy contracts (UPCs) on Ethereum directly from contract bytecode, combining dynamic proxy detection with static/dynamic upgradeability analyses and pattern-level classification. Evaluated on two ground-truth datasets, it achieves near-perfect recall and precision (GE ≈99% recall; GB with perfect precision and ≈99.3% recall), outperforming the USCHUNT baseline in multiple settings. The approach derives three bytecode-level Upgradeability Reference Designs (SMUP, ESUP, DUP) to cover major UPC patterns, and offers fine-grained classification into specific proxy patterns, enabling precise auditing and research into DApp maintenance practices. The work highlights the value of bytecode-centric UPC detection for open- and closed-source contracts and discusses practical considerations, limitations, and avenues for extending the method to inactive UPCs and broader data sources.

Abstract

Software applications that run on a blockchain platform are known as DApps. DApps are built using smart contracts, which are immutable after deployment. Just like any real-world software system, DApps need to receive new features and bug fixes over time in order to remain useful and secure. However, Ethereum lacks native solutions for post-deployment smart contract maintenance, requiring developers to devise their own methods. A popular method is known as the upgradeability proxy contract (UPC), which involves implementing the proxy design pattern (as defined by the Gang of Four). In this method, client calls first hit a proxy contract, which then delegates calls to a certain implementation contract. Most importantly, the proxy contract can be reconfigured during runtime to delegate calls to another implementation contract, effectively enabling application upgrades. For researchers, the accurate detection of UPCs is a strong requirement in the understanding of how exactly real-world DApps are maintained over time. For practitioners, the accurate detection of UPCs is crucial for providing application behavior transparency and enabling auditing. In this paper, we introduce UPC Sentinel, a novel three-layer algorithm that utilizes both static and dynamic analysis of smart contract bytecode to accurately detect active UPCs. We evaluated UPC Sentinel using two distinct ground truth datasets. In the first dataset, our method demonstrated a near-perfect accuracy of 99%. The evaluation on the second dataset further established our method's efficacy, showing a perfect precision rate of 100% and a near-perfect recall of 99.3%, outperforming the state of the art. Finally, we discuss the potential value of UPC Sentinel in advancing future research efforts.
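
As an added illustration (not code from the paper or from UPC Sentinel), the sketch below uses a static linear sweep over runtime bytecode to show the distinction the abstract draws between a proxy that only forwards calls and one whose target can be reconfigured. The EIP-1167 and EIP-1967 references, the labels and the sample bytecode are assumptions introduced here; the result is a coarse triage label, not the paper's three-layer analysis.

```python
# Added illustration, not UPC Sentinel: static triage of EVM runtime bytecode.
DELEGATECALL, SLOAD = 0xF4, 0x54
PUSH1, PUSH20, PUSH32 = 0x60, 0x73, 0x7F
# Implementation slot defined by EIP-1967 (assumption: the page does not name it).
EIP1967_IMPL_SLOT = bytes.fromhex(
    "360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc")

def disassemble(code: bytes):
    """Linear sweep yielding (opcode, immediate); PUSH data is never decoded as code."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        width = op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0
        yield op, code[pc + 1 : pc + 1 + width]
        pc += 1 + width

def triage(code_hex: str) -> str:
    """Coarse label only; confirming a UPC needs data-flow and dynamic checks."""
    raw = code_hex[2:] if code_hex.startswith("0x") else code_hex
    ops = list(disassemble(bytes.fromhex(raw)))
    opcodes = {op for op, _ in ops}
    if DELEGATECALL not in opcodes:
        return "no-delegatecall"
    if SLOAD in opcodes:  # target may come from mutable storage
        if any(op == PUSH32 and imm == EIP1967_IMPL_SLOT for op, imm in ops):
            return "candidate-upgradeable-proxy:eip1967"
        return "candidate-upgradeable-proxy"
    if PUSH20 in opcodes:  # target address baked into the code
        return "fixed-target-forwarder"
    return "delegatecall-unknown-target"

# Constructed samples (the 0xbe... address is a placeholder).
MINIMAL_PROXY = ("363d3d373d3d3d363d73" + "be" * 20
                 + "5af43d82803e903d91602b57fd5bf3")  # EIP-1167 layout
STORAGE_PROXY = ("363d3d373d3d3d363d7f" + EIP1967_IMPL_SLOT.hex()
                 + "545af43d82803e903d91603857fd5bf3")  # hand-built variant
PUSH_DATA_ONLY = "60f45000"  # PUSH1 0xf4; POP; STOP: 0xf4 is data, not an opcode

if __name__ == "__main__":
    for name in ("MINIMAL_PROXY", "STORAGE_PROXY", "PUSH_DATA_ONLY"):
        print(name, "->", triage(globals()[name]))
```

The third sample is why a raw byte search for `f4` over-reports: the byte appears only as a PUSH immediate, so the sweep correctly finds no DELEGATECALL.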

Paper Structure (74 sections, 27 figures, 9 tables)

This paper contains 74 sections, 27 figures, 9 tables.

Figures (27)

  • Figure 1: The basic proxy contract design.
  • Figure 2: UPC Sentinel architecture.
  • Figure 3: An illustrative example demonstrating how a proxy is identified based on its two inherent properties.
  • Figure 4: The structure of the three URDs and their variants. Note that all the used identifiers (e.g., function names or variable names) are examples, and in practice, one can use any arbitrary identifiers.
  • Figure 5: The detailed design of the "A: SMUP Detector" module.
  • ...and 22 more figures