How (Not) To Upgrade Smart Contracts

Last week, TrustToken froze their old smart contracts, blocking their users from accessing their funds. Shortly afterwards, they issued new tokens to all the users. This created a massive amount of confusion for their users and introduced potential legal ramifications.

We want to explain why we’d never allow this to happen at Carbon and give some friendly advice to the TrustToken team on how to avoid issues like this in the future.

We feel compelled to first and foremost explore the legal ramifications of this decision as it could prove massively detrimental to the sector.

Legal Implications

Fiat-backed stablecoins rely heavily on legal agreements between a broad array of stakeholders (usually a cocktail of banks, auditors, trust companies, and law firms). Shifting the underlying smart contract, while often a decision made by the product team, can have major legal implications depending on how the smart contract is represented in said legal contracts. Shifting the balances to a new contract could trigger both money transmitter violations and breaches of contracts with partners. There is a chance that the new tokens are not, strictly speaking, redeemable. Unfortunately, it is impossible for the public to know the actual implications as the legal contracts are private. We can only trust that the product team has been operating in close conjunction with their legal and compliance teams.

CarbonUSD Smart Contract

- mainnet: 0x1410d4ec3d276c0ebbf16ccbe88a4383ae734ed0

- ropsten: 0x67450c8908e2701abfa6745be3949ad32acf42d8

Blockchain Immutability

Ethereum as a platform forces all transactions and contracts to be immutable, which means that once data is registered to the public blockchain, it cannot be modified or altered. While this is beneficial for ensuring an accurate and precise history of events, it produces certain technical hurdles that must be overcome from a development perspective.

Source code that has been published to the blockchain cannot be altered without changing the smart contract address, which can be costly in both time and resources (gas fees). Many projects have encountered fatal mistakes in their smart contracts that have led to the freezing and subsequent loss of over $300 million. Mistakes in smart contracts are thus expensive, much more so than in traditional development on centralized servers.

Proxy Upgradeability

CarbonUSD utilizes and builds upon ZeppelinOS’s proxy patterns for smart contract upgradeability, which is a unique and effective means of updating logic without changing the smart contract address. A “Proxy” smart contract is essentially a bookkeeping contract that keeps track of different logic implementations. Users interact with the proxy contract, not the logic contract, and the proxy in turn forwards any actions to its latest logic implementation. For example, when we added “metatransactions” as a new feature in CUSD-ETH, we upgraded the CUSD “logic” contract without needing to modify the “proxy” contract.

This is powerful because the proxy contract address will not change and break infrastructure that interacts with the CUSD contracts. Naturally, this enhances Carbon’s ability to quickly resolve any bugs in the contract code while minimizing friction for our integration partners.
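
A minimal sketch of the proxy idea described above, added here as an illustration; it is not Carbon's or ZeppelinOS's contract code. The contract name `Proxy`, the EIP-1967-style slot strings and the `upgradeTo` function are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only: not Carbon's or ZeppelinOS's contracts.
contract Proxy {
    // Bookkeeping sits in hashed slots so it cannot overlap the logic contract's variables (slot 0 upward).
    bytes32 private constant IMPL = bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1);
    bytes32 private constant ADMIN = bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1);

    event Upgraded(address indexed implementation);

    constructor(address logic) {
        _set(ADMIN, msg.sender);
        _upgrade(logic);
    }

    // Only the admin may swap the logic; the proxy address never changes.
    function upgradeTo(address logic) external {
        require(msg.sender == _get(ADMIN), "not admin");
        _upgrade(logic);
    }

    function _upgrade(address logic) private {
        require(logic.code.length > 0, "logic is not a contract");
        _set(IMPL, logic);
        emit Upgraded(logic); // lets integrators and monitors see every logic change
    }

    function _get(bytes32 slot) private view returns (address a) {
        assembly { a := sload(slot) }
    }

    function _set(bytes32 slot, address a) private {
        assembly { sstore(slot, a) }
    }

    // Every other call runs the current logic's code against the proxy's own storage.
    fallback() external {
        address impl = _get(IMPL);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}
```

Because balances live in the proxy's storage, each new logic version must keep the existing storage variable order and only append new variables. Production patterns such as the transparent proxy also prevent `upgradeTo` from shadowing a logic function with the same selector.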

For more details, read our in-depth article on smart contract upgradeability at our Engineering Blog.

CarbonUSD Upgrades

  1. Meta transactions
  2. Auto whitelisting

In light of the recent TrueUSD smart contract address change (0x8dd5fbce2f6a956c3022ba3663759011dd51e73e to 0x0000000000085d4780B73119b644AE5ecd22b376), many people have also asked us if Carbon will do the same.

The answer is NO and NEVER. Changing smart contract addresses is incredibly confusing for existing integration partners like exchanges, wallets and dapps. Many transactions conducted during the token upgrade will likely not be completed once the new smart contract is live, and moreover there is a high degree of risk in ensuring all token balances remain consistent with user behavior.

A successful proxy upgradeable smart contract, such as the one CarbonUSD has live, will allow for seamless token upgrades without compromising end user experience.

To read more on Carbon’s smart contract, look out for Carbon’s developer guide, coming this week.