selfdestruct in implementation contracts can permanently brick proxy systems

# selfdestruct in implementation contracts can permanently brick proxy systems If the implementation contract behind a proxy has an accessible `selfdestruct` (or `SELFDESTRUCT` opcode), calling it destroys the implementation's bytecode. Since [[delegatecall executes code from another contract using the callers storage context|delegatecall targets code at the implementation address]], the proxy's delegatecall will hit an empty address and every call will fail permanently. The [[parity wallet hack demonstrated that selfdestruct in implementation contracts permanently bricks proxy systems|Parity wallet hack]] ($280M frozen, 2017) is the canonical demonstration. Since [[selfdestruct was deprecated in solidity 0.8.18 via eip-6049]], this risk is diminishing for new contracts, but legacy code and older compiler versions remain vulnerable. Post-Cancun (EIP-6780), `selfdestruct` no longer destroys contract code except within the same transaction as deployment. This significantly reduces the bricking risk for established contracts, but the recommendation to avoid `selfdestruct` in upgradeable implementations remains because: (1) contracts deployed and selfdestructed atomically are still vulnerable, (2) L2 chains may not have adopted EIP-6780, and (3) arbitrary `delegatecall` in implementation contracts can chain to a `selfdestruct` gadget that executes in the proxy's context (see [[unrestricted delegatecall allowing user-specified target addresses enables fund drainage and state manipulation]]). --- Relevant Notes: - [[parity wallet hack demonstrated that selfdestruct in implementation contracts permanently bricks proxy systems]]: the canonical exploit - [[selfdestruct was deprecated in solidity 0.8.18 via eip-6049]]: the deprecation that reduces future risk - [[CREATE2 enables contract recreation at the same address with different bytecode when the constructor queries external state]]: selfdestruct clears addresses for potential recreation; the destruction side (this note) and the rebuild-and-exploit side (CREATE2) are complementary attack phases - [[CREATE2 enables metamorphic contract attacks by allowing a self-destructed contract to be redeployed with different bytecode at the same trusted address]]: extends this: the offensive pattern that weaponizes selfdestruct + CREATE2 to perform a bait-and-switch - [[EIP-1822 UUPS upgrade logic in implementation enables permanent proxy bricking if implementation is destroyed or uninitialized]]: UUPS implementations are particularly vulnerable because selfdestruct eliminates both the upgrade mechanism and the implementation - [[unrestricted delegatecall allowing user-specified target addresses enables fund drainage and state manipulation]]: unrestricted delegatecall can chain to a selfdestruct gadget, executing destruction in the proxy's context - [[metamorphic contract patterns remain exploitable on L2s that have not adopted EIP-6780 Cancun changes]]: L2 chains without EIP-6780 still allow full selfdestruct behavior, keeping this attack vector live Topics: - [[vulnerability-patterns]]