Smart Contract Security · Term

What is a proxy storage collision?

Upgradeable contracts use a proxy and an implementation that share storage. If their storage layouts do not line up, writing one variable corrupts another, sometimes the admin slot. Here is how.

Smart Contract Security · TermSmart Contract Audit
TL;DR

A proxy storage collision is a bug in upgradeable contracts where the proxy and its implementation disagree on the storage layout, so a variable written by one overwrites a different variable in the same storage slot. Because the proxy holds the state and delegatecalls the implementation’s code, a mismatch can corrupt critical values, including the proxy admin or owner slot, leading to takeover or bricking. The fix is standardized storage slots (EIP-1967) and disciplined, append-only storage layouts. It maps to SWC-124.

By SecureLayer7 Audit Team, Smart Contract Audit, SecureLayer7Updated

What it is

An upgradeable contract splits into a proxy (holds the storage and funds, never changes) and an implementation (holds the logic, can be swapped). The proxy delegatecalls the implementation, so the implementation’s code reads and writes the proxy’s storage.

Storage is laid out by slot number in declaration order. If the proxy and implementation declare variables in different orders or the proxy uses early slots the implementation also uses, the same slot means two different things, and writing one clobbers the other. That is a storage collision.

How it works and example

Two collision patterns:

  • Proxy vs implementation: the proxy stores its admin in slot 0, and the implementation also uses slot 0 for a normal variable. A user action that writes that variable overwrites the admin, an attacker sets themselves as admin and upgrades to malicious code.
  • Upgrade layout drift: a new implementation inserts or reorders state variables, so existing storage now maps to the wrong fields, corrupting balances or permissions.

The fix pattern (EIP-1967) puts admin/implementation in pseudo-random slots to avoid overlap. Documented for defensive context.

How to defend

  • Use standardized storage slots (EIP-1967) for admin and implementation addresses so they never collide with logic variables.
  • Use audited upgradeable proxy libraries rather than custom proxies.
  • Keep storage append-only across upgrades: never reorder or remove existing variables, only add new ones at the end (use storage gaps).
  • Run upgrade-safety checks that compare storage layouts between versions.
  • Audit every upgrade for layout compatibility, not just the logic changes.

References

  1. [1]SWC Registry: Smart Contract Weakness Classification(SWC Registry)
  2. [2]Ethereum.org: Smart contract security(Ethereum.org)
  3. [3]Solidity docs: Security considerations(Solidity)
Related terms

Common questions

Smart contract security, asked often

Shipping a contract on-chain soon?

Scope an audit

Get your smart contracts audited before they go on-chain.

Our auditors review your Solidity line by line and model the economic attacks a real adversary would run, then deliver a report your team can act on with every finding reproduced and a fix. Re-test of fixes included.

See smart contract audit30-min scoping call, fixed-price proposal in 48 hours.