I review upgradeable smart contract proxy patterns for the vulnerabilities unique to delegatecall-based architecture — storage layout collisions, unprotected initializers, implementation self-destruct, and broken upgrade access control.
Proxy types covered: OpenZeppelin transparent proxy; UUPS (Universal Upgradeable Proxy Standard); beacon proxy; minimal proxy (EIP-1167 clone); and custom proxy implementations.
Vulnerability scope: storage slot collision between the proxy admin slot and implementation variables; initializer protection and reinitialization attack surface (missing initializer modifier, initializer still callable post-deployment); implementation contract self-destruct disabling the proxy; delegatecall injection via malicious calldata; upgrade function access control (who can call upgradeTo/upgradeToAndCall); admin slot conflicts between OpenZeppelin versions; and storage layout compatibility between implementation versions (V1 → V2 → V3 layout drift).
A storage layout diagram documenting every variable and its slot assignment is included — this is the foundational document your team needs for safe future upgrades.
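A check for two of the findings listed in the vulnerability scope above (V1 → V2 layout drift and implementation variables colliding with the proxy's own admin slot), as an added Python example that is not part of this service description. It assumes the `storage` array shape emitted by `solc --storage-layout`; the V1/V2 layouts and the custom proxy that keeps its admin in slot 0 are constructed for the example.

```python
"""Storage-layout drift checker for proxy upgrades (added example, not the page's own tooling).
The dicts below are constructed to mimic the "storage" array that `solc --storage-layout`
emits for a V1 and two candidate V2 implementations that will sit behind the same proxy."""

# ERC-1967 admin slot, keccak256("eip1967.proxy.admin") - 1, fixed by the standard.
ERC1967_ADMIN_SLOT = 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103
# Hypothetical custom proxy that keeps its admin address in slot 0 (constructed).
CUSTOM_PROXY_ADMIN_SLOT = 0

V1 = {"storage": [
    {"label": "owner",    "slot": "0", "offset": 0,  "type": "t_address"},
    {"label": "paused",   "slot": "0", "offset": 20, "type": "t_bool"},
    {"label": "balances", "slot": "1", "offset": 0,  "type": "t_mapping(t_address,t_uint256)"},
]}
# Unsafe V2: `feeBps` inserted before `balances`, so `balances` silently shifts to slot 2.
V2_BAD = {"storage": [
    {"label": "owner",    "slot": "0", "offset": 0,  "type": "t_address"},
    {"label": "paused",   "slot": "0", "offset": 20, "type": "t_bool"},
    {"label": "feeBps",   "slot": "1", "offset": 0,  "type": "t_uint256"},
    {"label": "balances", "slot": "2", "offset": 0,  "type": "t_mapping(t_address,t_uint256)"},
]}
# Safe V2: the new variable is appended after every V1 variable.
V2_GOOD = {"storage": V1["storage"] + [
    {"label": "feeBps",   "slot": "2", "offset": 0,  "type": "t_uint256"},
]}

def layout_drift(old, new):
    """Findings for each V1 variable whose slot, offset or type differs in V2.
    An empty list means V2 reads every V1 variable from where V1 wrote it."""
    new_by_pos = {(v["slot"], v["offset"]): v for v in new["storage"]}
    new_by_label = {v["label"]: v for v in new["storage"]}
    findings = []
    for ov in old["storage"]:
        pos = (ov["slot"], ov["offset"])
        nv = new_by_pos.get(pos)
        if nv is None:
            findings.append(f"slot {pos[0]}+{pos[1]}: '{ov['label']}' no longer has a variable here")
        elif nv["type"] != ov["type"]:
            findings.append(f"slot {pos[0]}+{pos[1]}: '{ov['label']}' ({ov['type']}) "
                            f"is now read as '{nv['label']}' ({nv['type']})")
        moved = new_by_label.get(ov["label"])
        if moved and (moved["slot"], moved["offset"]) != pos:
            findings.append(f"'{ov['label']}' moved from slot {pos[0]} to slot {moved['slot']}")
    return findings

def proxy_collisions(layout, proxy_slots):
    """Implementation variables living in a slot the proxy itself writes to."""
    return [v["label"] for v in layout["storage"] if int(v["slot"]) in proxy_slots]
```

Running `layout_drift(V1, V2_BAD)` reports both the type mismatch at slot 1 and the move of `balances` to slot 2, while the appended layout passes cleanly; the slot-0 custom proxy collides with `owner` and `paused`, whereas the hashed ERC-1967 slot collides with nothing.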