The agent mode enables the smart contract to upgrade its logic while maintaining its on chain address and status values. Calling the proxy contract will execute the code from the logical contract through delegateCall to modify the status of the proxy contract.
This article will give you an overview of the types of agency contracts, related security events and recommendations, and best practices for using agency contracts.
Introduction to scalable contract and agency model
We all know the “tamper proof” feature of the blockchain, which also shows that the smart contract code cannot be modified after being deployed on the blockchain.
Therefore, when developers want to update contract code for logic upgrade, error repair or security update, they must deploy a new contract and generate a new contract address.
To solve this problem, you can use the proxy mode.
The agent mode realizes the scalability of the contract and does not change the deployment address of the contract, which is also the most common contract upgrade mode at present.
The agent mode is a scalable contract system, including agent contract and logic implementation contract.
Proxy contracts handle user interaction and data and contract state storage. The user’s call to the proxy contract will execute the code from the logical contract through delegatecall (), thus changing the status of the proxy contract. The upgrade is realized by updating the logical contract address recorded in the agent contract reservation storage slot.
The three more common proxy modes are transparent proxy, UUPS proxy and Beacon proxy.
Transparent proxy
In the transparent proxy mode, the upgrade function is implemented in the proxy contract. The administrator role of the agent contract is given the direct authority to operate the agent contract to update the corresponding logical implementation address of the agent. Callers without administrator permission will delegate their calls to the implementation contract.
Note: The agent contract administrator cannot be a key role in the logical implementation contract, or even an ordinary user, because the agent contract administrator cannot interact with the implementation contract.
UUPS Agent
In the UUPS (Universal Upgradeable Proxy Standard) mode, the contract upgrade function is implemented in a logical contract. Since the upgrade mechanism is stored in the logical contract, the upgraded version can delete upgrade related logic to prohibit future upgrades. In this mode, all calls to the proxy contract will be forwarded to the logical implementation contract.
Beacon Proxy
The Beacon proxy pattern allows multiple proxy contracts to share the same logic implementation by referencing the Beacon contract. The Beacon contract provides the address of the logical implementation contract for the invoked proxy contract. When upgrading to a new logical implementation address, you only need to update the address recorded in the Beacon contract.
Agent Misuse and Security Events
Developers can use agent mode contracts to implement scalable contract systems. However, the proxy mode also has a certain operating threshold. If it is not used properly, it may bring devastating security problems to the project. The following section shows the events related to the misuse of agents, as well as the centralized risk brought by agents.
Agent managed key disclosure
The agent administrator controls the upgrade mechanism of the transparent agent mode. If the administrator’s private key is disclosed, attackers can upgrade the logical contract and execute their own malicious logic in the agent state.
On March 5, 2021, PAID Network suffered a “coinage” attack caused by poor private key management. The PAID Network was exploited by an attacker, who stole the private key of the agent administrator and triggered the upgrade mechanism to change the logical contract. After upgrading, the attacker can destroy the user’s PAID, forge a batch of PAIDs for himself, and then sell them. The code itself does not have a security vulnerability, but the attacker obtained the private key of the upgrade contract from the administrator.
