SKIP TO CONTENT
Security

Implementation Contract

The contract containing actual logic that a proxy delegates calls to via delegatecall.

What is an Implementation Contract?

An implementation contract, also called a logic contract, contains the actual executable code in an upgradeable proxy architecture. When users interact with the proxy, it forwards calls to the implementation using delegatecall, executing the implementation's logic while reading and writing to the proxy's storage. This separation enables upgrading logic without changing the contract address users interact with.

How it Works

The implementation contract is where developers write the protocol's business logic. However, in a proxy architecture, this logic executes in the context of the proxy's storage and msg.sender.

Key characteristics include:

  1. Stateless Logic: Implementation holds no persistent state; all storage is in the proxy
  2. Initializable, Not Constructible: Uses initializer functions instead of constructors
  3. Storage Layout Constraints: Must maintain compatible storage ordering across versions
  4. Self-Destruct Risks: Implementation destruction would break the proxy permanently
  5. Directly Callable: Can be called directly, requiring protection against unintended use

Implementation contracts should be initialized immediately after deployment to prevent attackers from initializing them with malicious values.

Practical Example

OpenZeppelin's upgradeable contract libraries provide implementation-ready contracts with initialization patterns. When Aave V3 launched, they deployed implementation contracts for each pool component, with proxies pointing to these implementations. Each implementation is verified on Etherscan, allowing anyone to review the exact code being executed. When upgrades occur, new implementation addresses appear in governance proposals for community review.

Why it Matters

Understanding implementation contracts is crucial for evaluating DeFi security. Users should verify that implementations are properly initialized, that storage layouts are maintained across upgrades, and that implementations cannot be manipulated directly. Uninitialized implementations have led to significant exploits where attackers took control of proxy contracts.

Fensory provides implementation contract transparency, helping users verify the actual code executing in upgradeable DeFi protocols and track implementation changes through upgrades.

Examples

  • Aave V3 implementation contracts are verified and publicly auditable on Etherscan
  • Wormhole exploit partly resulted from uninitialized implementation vulnerability

Related Terms

Theory meets practice. See current rates across DeFi.

Track live yields, compare protocols, and build your DeFi portfolio with Fensory.

GET EARLY ACCESSArrow right
← BACK TO GLOSSARY