The Dark Side of Upgrades: Uncovering Security Risks in Smart Contract Upgrades
- URL: http://arxiv.org/abs/2508.02145v1
- Date: Mon, 04 Aug 2025 07:43:43 GMT
- Title: The Dark Side of Upgrades: Uncovering Security Risks in Smart Contract Upgrades
- Authors: Dingding Wang, Jianting He, Siwei Wu, Yajin Zhou, Lei Wu, Cong Wang
- Abstract summary: We build a dataset containing 83,085 upgraded contracts and 20,902 upgrade chains. We develop a taxonomy of insecurities based on 37 real-world security incidents. We survey public awareness of these risks and existing mitigations.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Smart contract upgrades are increasingly common because of the flexibility they offer for modifying deployed contracts, such as fixing bugs or adding new functionality. At the same time, upgrades compromise the immutability of contracts and introduce significant security concerns. While existing research has explored the security impact of contract upgrades, these studies are limited in their collection of upgrade behaviors and their identification of insecurities. To address these limitations, we conduct a comprehensive study of the insecurities of upgrade behaviors. First, we build a dataset containing 83,085 upgraded contracts and 20,902 upgrade chains. To our knowledge, this is the first large-scale dataset of upgrade behaviors; it reveals their diversity and exposes gaps in public disclosure. Next, we develop a taxonomy of insecurities based on 37 real-world security incidents, categorizing eight types of upgrade risks and providing the first complete view of upgrade-related insecurities. Finally, we survey public awareness of these risks and existing mitigations. Our findings show that four types of security risks are overlooked by the public and lack mitigation measures. We detect these upgrade risks in a preliminary study, identifying 31,407 related issues, a finding that raises significant concerns.
Related papers
- Large AI Model-Enabled Secure Communications in Low-Altitude Wireless Networks: Concepts, Perspectives and Case Study [92.15255222408636] (arXiv, 2025-08-01T01:53:58Z)
  Low-altitude wireless networks (LAWNs) have the potential to revolutionize communications by supporting a range of applications. We investigate some large artificial intelligence model (LAM)-enabled solutions for secure communications in LAWNs. To demonstrate the practical benefits of LAMs for secure communications in LAWNs, we propose a novel LAM-based optimization framework.
- SafeKey: Amplifying Aha-Moment Insights for Safety Reasoning [76.56522719330911] (arXiv, 2025-05-22T03:46:03Z)
  Large Reasoning Models (LRMs) introduce a new generation paradigm of explicitly reasoning before answering. LRMs pose great safety risks against harmful queries and adversarial attacks. We propose SafeKey to better activate the safety aha moment in the key sentence.
- Mining Characteristics of Vulnerable Smart Contracts Across Lifecycle Stages [0.8225825738565354] (arXiv, 2025-04-21T12:42:59Z)
  This paper presents the first empirical study on the security of smart contracts throughout their lifecycle. It delves into the security issues at each stage and provides at least seven feature descriptions. Five machine-learning classification models are used to identify vulnerabilities at different stages.
- Towards Trustworthy GUI Agents: A Survey [64.6445117343499] (arXiv, 2025-03-30T13:26:00Z)
  This survey examines the trustworthiness of GUI agents in five critical dimensions. We identify major challenges such as vulnerability to adversarial attacks and cascading failure modes in sequential decision-making. As GUI agents become more widespread, establishing robust safety standards and responsible development practices is essential.
- ContractTrace: Retracing Smart Contract Versions for Security Analyses [4.126275271359132] (arXiv, 2024-12-30T11:10:22Z)
  We introduce ContractTrace, an automated infrastructure that accurately identifies and links versions of smart contracts into coherent lineages. This capability is essential for understanding vulnerability propagation patterns and evaluating the effectiveness of security patches in blockchain environments.
- Agent-SafetyBench: Evaluating the Safety of LLM Agents [72.92604341646691] (arXiv, 2024-12-19T02:35:15Z)
  We introduce Agent-SafetyBench, a benchmark designed to evaluate the safety of large language model (LLM) agents. Agent-SafetyBench encompasses 349 interaction environments and 2,000 test cases, evaluating 8 categories of safety risks and covering 10 common failure modes frequently encountered in unsafe interactions. Our evaluation of 16 popular LLM agents reveals a concerning result: none of the agents achieves a safety score above 60%.
- ACRIC: Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796] (arXiv, 2024-11-21T18:26:05Z)
  Recent security incidents in safety-critical industries exposed how the lack of proper message authentication enables attackers to inject malicious commands or alter system behavior. These shortcomings have prompted new regulations that emphasize the pressing need to strengthen cybersecurity. We introduce ACRIC, a message authentication solution to secure legacy industrial communications.
- New Emerged Security and Privacy of Pre-trained Model: a Survey and Outlook [54.24701201956833] (arXiv, 2024-11-12T10:15:33Z)
  Security and privacy issues have undermined users' confidence in pre-trained models. Current literature lacks a clear taxonomy of emerging attacks and defenses for pre-trained models. This taxonomy categorizes attacks and defenses into No-Change, Input-Change, and Model-Change approaches.
- Immutable in Principle, Upgradeable by Design: Exploratory Study of Smart Contract Upgradeability [0.717789756063617] (arXiv, 2024-07-01T17:35:37Z)
  This study identifies upgradeable contracts and examines their upgrade history to uncover trends, preferences, and challenges associated with modifications. The evidence from analyzing over 44 million contracts shows that only 3% have upgradeable characteristics, with only 0.34% undergoing upgrades. The relationship between upgrades and user activity is complex, suggesting that additional factors significantly affect the use of smart contracts beyond their evolution.
- Demystifying the Characteristics for Smart Contract Upgrades [16.242723608028573] (arXiv, 2024-06-09T10:09:49Z)
  We conduct an empirical study on proxy-based upgradable smart contracts to understand the characteristics of contract upgrading. We found that 583 contracts have ever been upgraded on functionality, involving 973 unique contract versions. The results demonstrate that there are 4,334 ABI breaking changes due to the upgrades of 276 proxies, causing real-world broken usages within 584 transactions witnessed by the blockchain.
- To Healthier Ethereum: A Comprehensive and Iterative Smart Contract Weakness Enumeration [25.022358832096263] (arXiv, 2023-08-20T10:46:39Z)
  This paper introduces the Smart Contract Weakness Enumeration (SWE), a comprehensive and practical vulnerability list up until 2023. SWE provides a systematic and comprehensive list of smart contract vulnerabilities, covering existing and emerging vulnerabilities in the last few years. Regular updates involve the inclusion of new vulnerabilities from future top papers, while irregular updates enable individuals to report new weaknesses for review and potential addition to SWE.
This list is automatically generated from the titles and abstracts of the papers in this site.