[SEP-49] Upgradeable Contracts

[brozorec]

Upgradeable Contracts SEP

Preamble

SEP: TBD
Title: Upgradeable Contracts SEP
Author: OpenZeppelin, Boyan Barakov <@brozorec>, Özgün Özerk <@ozgunozerk>
Track: Standard
Status: Draft
Created: 2025-03-07
Updated: 2025-03-07
Version: 0.1.0
Discussion: https://github.com/stellar/stellar-protocol/discussions/1670

Summary

A standard for smart contracts defining the specifications on how to upgrade their WASM bytecode.

Motivation

Soroban contracts are mutable by default unlike many other smart contract platforms such as Ethereum. Mutability in the context of Soroban refers to the ability of a smart contract to modify its WASM bytecode, thereby altering its function interface, execution logic, or metadata.

However, there are cases where immutable contracts are preferable, such as when immutability guarantees are essential for trustless applications or when a contract’s logic must remain fixed to comply with regulatory requirements. In such scenarios, non-upgradeability ensures that the contract's behavior remains predictable and secure.

Soroban provides a built-in, protocol-level defined mechanism for contract upgrades, allowing contracts to upgrade themselves if they are explicitly designed to do so, thus delegating the decision for it to the application layer.

This native upgrade mechanism offers significant advantages. One of them is the flexibility it offers to contract developers who can choose to make the contract immutable by simply not provisioning upgradability mechanics. On the other hand, providing upgradability on a protocol level significantly reduces the risk surface. This becomes particularly evident when compared to Ethereum, which lacks native support for upgradability, necessitating the development of various upgradability patterns, each with its own trade-offs. Despite the availability of tooling, handling upgrades in Ethereum remains a complex and error-prone process.

While Soroban’s built-in upgradeability eliminates many of these challenges, certain caveats must still be considered. Contract upgrades require additional validation and verification to ensure security and compatibility.

Considerations for Upgradability

To mitigate risks associated with contract upgrades, we should establish guidelines for additional validation checks. Some potential checks include:

• Ensuring that the new contract does not include a constructor, as it will not be invoked.
• Verifying that the new contract includes an upgradability mechanism, preventing an unintended loss of upgradability.
• Checking for storage consistency, ensuring that the new contract does not inadvertently introduce storage mismatches.
• Comparing version metadata to confirm that the upgrade genuinely modifies the contract’s behavior.

These checks can be implemented in upgrade tooling, providing warnings or requiring explicit confirmations for potential breaking changes.

This SEP proposes a minimal standardization of the upgrade interface to facilitate these efforts, ensuring a secure and well-defined approach to contracts upgradability.

Abstract

This SEP defines a standardized upgradability mechanism for Soroban contracts that includes:

• Explicit versioning via metadata.
• A standardized upgrade() function.
• A structured approach for handling pre- and post-upgrade logic.

Specification

Versioning

Each contract should include a version identifier in its metadata to facilitate tracking and validation. The version of the WASM bytecode is stored using soroban_sdk::contractmeta! where:

• "key": binver,
• "value": a string that follows Semantic Versioning (SemVer) to differentiate between breaking and non-breaking changes.

The Soroban SDK may automatically embed this metadata by reading from the crate version to streamline adoption.

Interface

#[contractclient(name = "UpgradeableClient")]
pub trait Upgradeable {
    fn upgrade(e: soroban_sdk::Env, new_wasm_hash: soroban_sdk::BytesN<32>);
}

Example Usage

contractmeta!(key = "binver", val = "0.1.12")

#[contractimpl]
impl Upgradeable for SomeContract {
    pub fn upgrade(e: Env, new_wasm_hash: BytesN<32>) {
        let owner: Address = e.storage().instance().get(&OWNER).unwrap();
        owner.require_auth();

        e.deployer().update_current_contract_wasm(new_wasm_hash);
    }
}

Pre- and Post-Upgrade Handling

Soroban’s architecture prevents calling functions in the newly deployed WASM within the same invocation. Therefore, pre- or post-upgrade housekeeping (such as data migrations) must be handled separately.

Recommended best practices:

• Define a dedicated migrate() function for pre- or post-upgrade actions.
• Ensure one-time execution of migration functions, if applicable.
• Implement access control to prevent unauthorized calls.

Design Rationale

1. Versioning in metadata was preferred over defining a dedicated version() function for the following reasons:
   • the wasm binary format already specifies a dedicated section for metadata as contractmetav0 that’s already well leveraged by the Soroban SDK and the executable version seems a logical candidate to get stored there
   • the version is static for a binary, and won’t change between different deployments
   • the overhead on the binary size.
2. The key binver is chosen for consistency with the already existing rsver and rssdkver in the metadata.
3. This SEP doesn’t define an event emission because a system event gets already emitted when updating a contract executable code, making additional event definitions unnecessary.
4. This SEP doesn’t define access control for the upgrade() function as this is specific for every implementation.
5. The minimal signature of the upgrade() functions also facilitates rollbacks if needed.

[ElliotFriend]

The Soroban SDK may automatically embed this metadata by reading from the crate version to streamline adoption.

I'm not very sure of the inner-workings of the SDK, but is it possible to only auto-embed this metadata if there is a defined upgrade() function? It's possible devs will opt, rather than making a contract upgradeable, to just build/deploy a brand new contract and change their apps to the new address wherever applicable. If the binver metadata is present without a contract upgrade() function, the metadata might give the false impression that the contract is upgradable, when it is not in fact.

Soroban’s architecture prevents calling functions in the newly deployed WASM within the same invocation.

It occurs to me that similar to how sometimes deployer contracts were used prior to protocol 22 to "simulate" constructor-like behavior, it might be possible to utilize an "upgrader" contract to both perform the upgrade() function of the contract, and then invoke whatever migrate() function might be necessary in a single invocation/transaction. I'm not even totally sure that's possible, just thinking through it.

If it is possible, would that even be a desired practice? Would that be a "dangerous" practice? Particularly if it's an anti-pattern, should this SEP steer developers away from that? Or, is that an entirely out-of-scope train of thought?

5. The minimal signature of the upgrade() functions also facilitates rollbacks if needed.

I wonder if there's any value in adding more detailed recommendations or best practices for handling rollbacks. I assume we wouldn't want or need to emit a specific event in this instance, right? Anyone listening for the upgrade system events could trace that one update happened, followed by another and we end up at the original Wasm hash. Essentially, it can be considered and treated as "just another upgrade," except that the version number would decrease.

[brozorec]

I'm not very sure of the inner-workings of the SDK, but is it possible to only auto-embed this metadata if there is a defined upgrade() function? If the binver metadata is present without a contract upgrade() function, the metadata might give the false impression that the contract is upgradable, when it is not in fact.

Good points! Regarding the process, I guess it will be similar to embedding the Rust and the SDK versions (rsver and rssdkver) and it's worth exploring whether this can work together with the SEP-META. The versioning auto-embed is only an idea that can potentially streamline part of the upgrading process and imo it's not mandatory for the standard. Though, it raises a question whether this kind of metadata (the binary version) can be of interest outside of the upgradabilty scope.

It's possible devs will opt, rather than making a contract upgradeable, to just build/deploy a brand new contract and change their apps to the new address wherever applicable.

If devs can deploy a brand new contract without disturbing their services, they don't need bother about upgradability at all, they need an upgradeable contract only if they want to preserve the state of the existing contract.

It occurs to me that similar to how sometimes deployer contracts were used prior to protocol 22 to "simulate" constructor-like behavior, it might be possible to utilize an "upgrader" contract to both perform the upgrade() function of the contract, and then invoke whatever migrate() function might be necessary in a single invocation/transaction. I'm not even totally sure that's possible, just thinking through it.
If it is possible, would that even be a desired practice? Would that be a "dangerous" practice? Particularly if it's an anti-pattern, should this SEP steer developers away from that? Or, is that an entirely out-of-scope train of thought?

Yes, it is possible to upgrade from another contract and call the newly deployed byte-code from there. It's be a valid pattern and wouldn't steer devs away from it. Using it very much depends on the actual needs: upgrade only one vs multiple identical contracts, need for pre- or post-migrations, or other concerns. That's why, I'm not sure about including it in the scope of the standard for the sake of keeping it applicable to the majority of the cases without introducing additional overhead. However, it will be surely beneficial for the ecosystem if we come up with some good practices or even better, an audited implementation of this pattern, as making use of another contract tends to increase the risk surface.

I wonder if there's any value in adding more detailed recommendations or best practices for handling rollbacks. I assume we wouldn't want or need to emit a specific event in this instance, right? Anyone listening for the upgrade system events could trace that one update happened, followed by another and we end up at the original Wasm hash. Essentially, it can be considered and treated as "just another upgrade," except that the version number would decrease.

Right, this is my understanding too. Regarding rollbacks, they become tricky when some data migration gets involved. I agree that we can include some points to consider when doing migrations and inviting to always plan for a rollback as a precaution.

[willemneal]

Ensuring that the new contract does not include a constructor, as it will not be invoked.

Why is this an issue? For example, if I have a v0.0.1, need to patch it with v0.0.2 I would need to strip the constructor from the new version?

[brozorec]

It's not always an issue, but could be. One possible scenario: you write v0.0.1 with a constructor that initializes some values, then someone else write v0.0.2 by changing the values in the constructor, hoping to have the new ones set after the upgrade.

This will be dependent on the tooling you use, but I guess you won't be obliged to remove the constructor in the new version, but rather receive a warning that the code there won't execute.

[leighmcculloch]

I think it is likely that constructors will exist in upgraded contracts, because some contracts will be upgraded whilst new versions deployed of it. But I think the point remains that this is an issue and something that a developer must be cognisant of, that a subsequent version of a contract may be upgraded or installed fresh.

[leighmcculloch]

The version of the WASM bytecode is stored using soroban_sdk::contractmeta! where:

• "key": binver,
• "value": a string that follows Semantic Versioning (SemVer) to differentiate between breaking and non-breaking changes.

I'd like to see if we can embed this automatically using the SDK. The SDK already embeds two meta fields by default into every build:

• rsver – the version of rust used to build the contract
• rssdkver – the version of the rust sdk used during the build

It feels natural to me that the version of the crate would end up alongside these.

The version has utility outside of upgradeability, because even a non-upgradeable contract may have multiple versions if it is instead deployed using a proxy pattern, or even if no form of upgradeability is supported but multiple versions of the contract can exist on chain.

The version serves as a good companion meta field to sit alongside other fields like source_repo which is likely to become a standard due to:

• Contract Source Validation SEP #1573

[brozorec]

I'd like to see if we can embed this automatically using the SDK.

I guess it should go here.

The version has utility outside of upgradeability, because even a non-upgradeable contract may have multiple versions.

Good point! Then using this version in the context of the upgradeability would be only a recommendation?

[leighmcculloch]

impl Upgradeable for SomeContract {
    pub fn upgrade(e: Env, new_wasm_hash: BytesN<32>) {

I see the allure of creating a standard around a function to call to do the upgrade. It would allow tooling like the Lab or stellar-cli to add a feature to support upgrading specifically, for contracts implementing the SEP. In the CLI that would in use look something like:

stellar contract upgrade --id C... --wasm-hash 9afb8e...

However, it's also worth noting that anyone implementing the function above, or any function that accepts the new wasm hash, could simply call it with the existing invoke function meaning tooling doesn't really need dedicated upgrade functionality. E.g.:

stellar contract invoke --id C... -- upgrade --wasm-hash 9afb8e...

It's not obvious to me yet where the win is in standardising on a specific function for upgrades, since the entity upgrading is often the contract operator, and they could call any function they need to, with whatever parameters were needed at the time.

For contracts that are not managed by a single operator, upgrading may require a more complex interface, such as first registering the intent to upgrade, and then later executing it after some time lock delay, and/or a certain number of votes.

How do we see this standard being used in those situations?

[brozorec]

We ran some scenarios to evaluate how this standardized function performs in different cases and identified a potential shortcoming in handling more complex scenarios, mostly around role-based access control. The cases you listed are usually handled through another contract: timelock, governor or multisig, where those contracts are registered as operators. The shortcoming I mentioned is in a setup where we have an UpgraderRole with potentially multiple operators, which will require authorizing the specific operator and passing it as an argument.

That brings us to the following 3 options:

1. Add a new param fn upgrade(e: Env, new_wasm_hash: BytesN<32>, operator: Address); and we recommend that any complex logic be wrapped in another contract, keeping clean responsibility boundaries.
2. Add a new custom data param fn upgrade(e: Env, new_wasm_hash: BytesN<32>, data: CustomData); allowing more flexibility in the upgrade logic, but making the client usage harder (I guess it will be a pain to pass this in the cli, esp. if it's something more complex).
3. Drop the function standardization. This goes along with your point: "It's not obvious to me yet where the win is in standardising on a specific function for upgrades, since the entity upgrading is often the contract operator, and they could call any function they need to, with whatever parameters were needed at the time."
   The win can be viewed in the fact that the upgrade will be treated as a special invocation allowing to emit tailored warnings and errors.

[leighmcculloch]

3. The win can be viewed in the fact that the upgrade will be treated as a special invocation allowing to emit tailored warnings and errors.

Could you share some examples of the types of warnings and errors tooling would generate?

Is there another way to achieve this with tooling only, instead of constraints on the naming and interface of the upgrade function?

For example, if there was an SDK feature/macro/attribute you could place on an upgrade function that somehow facilitated warnings/errors for important things relating to the use of the function?

[brozorec]

Could you share some examples of the types of warnings and errors tooling would generate?

Those could be warnings about presence of a constructor, same version of the old and the new contracts, lack of an upgrade function in the new contract. There could be also a table with refs to the storage keys of both contracts, making sure for example that StorageKey::Balance didn't accidentally turn into StorageKey::Blanace.

Is there another way to achieve this with tooling only, instead of constraints on the naming and interface of the upgrade function?

I guess there are other ways of achieving some of the above results with a combination of tooling, custom lints and/or macros and can be triggered by a cli command like stellar contract upgrade-check.

[leighmcculloch]

Another thought in terms of how upgrades are integrated into tooling: Any tx simulation should be able to identify that a contract is going to trigger an upgrade, because an event is emitted (see below). The CLI when simulating a tx, could identify that an upgrade is going to occur, and that the contract upgrading to has a constructor. It could output a warning or a message that's happening.

[brozorec]

Based on the discussion above, this SEP has evolved from proposing a standard upgrade interface and versioning format into a broader set of community guidelines and best practices for safe and transparent contract upgrades.

Here is the new version:

---

Upgradeable Contracts SEP

Preamble

SEP: TBD
Title: Upgradeable Contracts SEP
Author: OpenZeppelin, Boyan Barakov <@brozorec>, Özgün Özerk <@ozgunozerk>
Track: Standard
Status: Draft
Created: 2025-03-07
Updated: 2025-03-08
Version: 0.2.0
Discussion: https://github.com/stellar/stellar-protocol/discussions/1670

Summary

Community guidelines and recommendations for safely upgrading the WASM bytecode of Soroban smart contracts.

Motivation

Soroban contracts are mutable by default unlike many other smart contract platforms such as Ethereum. Mutability in the context of Soroban refers to the ability of a smart contract to modify its WASM bytecode, thereby altering its function interface, execution logic, or metadata.

However, there are cases where immutable contracts are preferable, such as when immutability guarantees are essential for trustless applications or when a contract’s logic must remain fixed to comply with regulatory requirements. In such scenarios, non-upgradability ensures that the contract's behavior remains predictable and secure.

Soroban provides a built-in, protocol-level defined mechanism for contract upgrades, allowing contracts to upgrade themselves if they are explicitly designed to do so, thus delegating the decision for it to the application layer.

This native upgrade mechanism offers significant advantages. One of them is the flexibility it offers to contract developers who can choose to make the contract immutable by simply not provisioning upgradability mechanics. On the other hand, providing upgradability on a protocol level significantly reduces the risk surface. This becomes particularly evident when compared to Ethereum, which lacks native support for upgradability, necessitating the development of various upgradability patterns, each with its own trade-offs. Despite the availability of tooling, handling upgrades in Ethereum remains a complex and error-prone process.

While Soroban’s built-in upgradability eliminates many of these challenges, certain caveats must still be considered.

Abstract

This SEP defines a set of recommendations for Soroban smart contracts that includes:

• Versioning through contract metadata
• Handling of migrations during upgrades
• Strategies for safe rollbacks
• General guidance for ensuring a trustworthy and transparent upgrade process

Recommendations

Versioning

Each contract can include a version identifier in its metadata to facilitate tracking and validation. The version of the WASM bytecode can be stored using soroban_sdk::contractmeta! where:

• "key": binver,
• "value": a string that follows Semantic Versioning (SemVer) to differentiate between breaking and non-breaking changes.

The key binver is chosen for consistency with the already existing rsver and rssdkver in the metadata. Furthermore, the Soroban SDK may automatically embed this metadata by reading from the crate version to streamline adoption.

Versioning in metadata is preferred over defining a dedicated version() function for the following reasons:

• the WASM binary format specifies a dedicated section for metadata as contractmetav0 that’s already well leveraged by the Soroban SDK and the executable version seems a logical candidate to get stored there
• the version is static for a binary, and won’t change between different deployments
• the slight overhead on the binary size.

Upgrading

This SEP does not propose a standard upgrade() function signature, as its parameters may vary depending on the specific application or contract version. However, the following practices are recommended:

1. Name the function explicitly upgrade() to make its purpose clear and recognizable.
2. Ensure proper access control to restrict who can trigger an upgrade.
3. It is NOT necessary to emit an application-specific event during an upgrade, since a system event is already emitted automatically when the contract's executable code is updated.

Example (pseudo-code):

#[contractimpl]
impl MyContract {
    pub fn upgrade(e: &Env, new_wasm_hash: BytesN<32>, operator: Address) {
        operator.require_auth();
        let owner: Address = e.storage().instance().get(&OWNER).unwrap();
        if (owner != operator) {
            panic_with_error!(e, ContractError::Unauthorized)
        }

        e.deployer().update_current_contract_wasm(new_wasm_hash);
    }
}

Migrations

What is a migration?

A migration refers to any change made to a contract’s storage layout. This is typically required after a contract upgrade that modifies how data is structured or interpreted.

Handling migrations

Soroban’s architecture prevents calling functions in the newly deployed WASM within the same invocation. Therefore, pre- or post-upgrade housekeeping (such as data migrations) must be handled in a separate step or context.

Recommended best practices include:

1. Define a dedicated migrate() function to handle data transformations after the upgrade. Ensure one-time execution of this function (if applicable) and proper access control.
2. To ensure atomicity and avoid transitional inconsistencies, consider using a dedicated upgrader contract for orchestration that performs both the upgrade and the migration in the same invocation.

Example (pseudo-code):

pub const MIGRATE: Symbol = symbol_short!("migrate");

#[contractimpl]
impl Upgrader {
    pub fn upgrade_and_migrate(
        e: Env,
        contract_address: Address,
        operator: Address,
        wasm_hash: BytesN<32>,
        migration_data: soroban_sdk::Vec<Val>,
    ) {
        let contract_client = UpgradeableClient::new(&e, &contract_address);

        // the parameters of `upgrade()` can vary;
        // it is recommmended to explicitly name it `upgrade()`
        contract_client.upgrade(&wasm_hash, &operator);

        // If this contract is meant to be used for upgrading contracts with a defined `migrate()` funciton,
        // it can be invoked with a regular call:
        // `contract_client.migrate(param1, param2, param3)`
        e.invoke_contract::<()>(&contract_address, &MIGRATE, migration_data);
    }
}

3. When atomic upgrade + migrate is not possible, pause external access to entry-point functions that modify storage between the upgrade and the migration. This avoids potential state corruption caused by interaction with inconsistent logic.

Rollbacks

Once a smart contract is deployed, it cannot be rolled back like in traditional systems. Any incorrect logic must be corrected with a new contract version.

1. It is of the utmost importance to define a rollback strategy, especially when storage layout mutations are involved. Ensure that future upgrades can restore the contract to a safe, consistent state.
2. In any such situation, it is recommended to suspend the contract’s functionality temporarily (pausing) before deploying a fix.

Transparency and Trustworthiness

To enhance safety and predictability when upgrading contracts, the following practices are recommended:

1. Use a timelock mechanism which delays the effect of an upgrade, giving users time to review the change and exit safely if needed.
2. Implement a governance model in which stakeholders vote on major upgrades or migrations, ensuring community oversight.
3. Trigger upgrades or migrations through a multi-signature scheme, reducing the risk of a single point of failure if an admin account is compromised.
4. Provide clear, timely communication to users when performing upgrades or migrations. This includes outlining the nature of the changes, potential risks and any required user actions.

Further Considerations

To mitigate risks associated with contract upgrades, the following points shoud be also taken into account:

1. Ensure that the new contract version does not rely on initializing new data from the constructor, as it will not be invoked after the upgrade.
2. Verify that the new contract includes an upgradability mechanism, preventing an unintended loss of upgradability.
3. Check for storage consistency, ensuring that the new contract does not inadvertently introduce storage mismatches.
4. Compare version metadata between versions.

These checks can be implemented in upgrade tooling and libraries, providing warnings or requiring explicit confirmations for potential breaking changes.

Changelog

• 0.1.0: Initial draft
• 0.2.0: Turn standardizations into guidelines

[willemneal]

Currently __constructor is a special name but has no standard signature. Could we do the same with __upgrade and __migrate to further ensure they are not seen as normal functions?

[leighmcculloch]

Functions that are prefixed with __ can't be invoked by transactions or other contracts directly, they can only be called by the Soroban Env as part of some host operation. In this case because the SEP is describing that some arbitrary function that a tx or other contract will call directly, maybe named upgrade and maybe named migrate, I don't think we can use the underscore prefix.