Try   HackMD

Ada: The Contract Manager, package manager or version control or monitor tool?

Check out Soldeer

Note: look into the diamond standard
How is it diff from upgradable contracts
How is it diff from Evan's Furnis

" As a philosopthy I dont use proxy" - Atlas
the diamond standard meshed with package manager

1. Problem Definition:

  • Dependency Breaks with Contract Upgrades: Smart contracts, when upgraded, often result in new deployments due to the immutable nature of blockchain. However, other contracts that depend on these older versions (e.g., DAO Matcha using DAO Padthai’s contract) might become incompatible or unsafe due to the upgrade.
  • Lack of Communication Between Ecosystems: Since DAOs and projects may operate in separate ecosystems or lack communication, upgrading a contract in one system could break contracts dependent on it elsewhere, potentially leading to security vulnerabilities or functionality issues.
  • No On-chain Version Management: Currently, there is no system similar to NPM (Node Package Manager) in Web2 that notifies or manages the versions of smart contracts on-chain. This makes it difficult for developers to know when a contract is upgraded or deprecated, and forces them to rely on manual communication (e.g., announcements, documentation).

2. Need for Recurring Audits:

Yes, recurring audits exist primarily to detect issues like this — dependencies that break due to upgrades. However, this approach is reactive and costly, leading to inefficiencies in the development lifecycle.

3. Idea: On-chain Version Control or Contract Manager:

The core of your idea suggests the creation of an on-chain contract management system that:

  • Tracks contract versions (e.g., Contract A v1, Contract A v2) in a decentralized registry.
  • Notifies dependent contracts or developers if a contract they rely on has been upgraded or deprecated, potentially causing issues.
  • Provides metadata on contracts such as dependencies, upgrade paths, and compatibility issues.

This can be seen as a package manager for smart contracts that operates directly on-chain, allowing the ecosystem to:

  • Verify which version of a contract is in use.
  • Understand the compatibility and safety implications when dependencies are updated.
  • Notify developers and DAOs of changes in real-time, reducing the need for reactive audits.

4. Existing Solutions (or Lack Thereof):

  • Etherscan/Remix/Infura: While tools like Etherscan and Remix allow developers to verify smart contract code, they don’t offer dependency management or version control. They are primarily focused on displaying contracts and code verification but don’t notify developers of dependency updates.
  • Foundry, Hardhat: Tools like Foundry or Hardhat handle development environments but don’t offer on-chain version control once the contract is deployed.
  • Off-chain solutions (e.g., Git): Git repositories can track code versions, but this is only for the source code and doesn’t map to the actual contract deployed on-chain.

5. Proposed Solution Features:

To solve this problem, your proposed system should:

  • On-chain registry of contracts: Each contract (and its versions) would be registered on-chain, with metadata like the contract’s dependencies, versions, and verification status.
  • Automated notifications: DAOs and developers relying on certain contracts could subscribe to updates, receiving notifications when dependencies are updated or changed.
  • Deprecation warnings: Automatically notify contracts that use deprecated or vulnerable dependencies, much like how NPM alerts you when a package version is out of date.
  • Backwards compatibility checks: A system that flags when a new contract version may cause incompatibilities with existing dependent contracts.

6. Potential Challenges:

  • Implementation complexity: This would require integration with multiple blockchain ecosystems and tooling to monitor contract changes.
  • Gas costs: Tracking dependencies and upgrades on-chain might add gas costs, but optimizations (e.g., using Layer 2 or off-chain indexing services) could mitigate this.
  • Adoption: Getting developers and DAOs to use and trust this system would take time, especially if they are used to manual or custom approaches.

7. Market Validation and Utility:

  • High Utility: This idea solves a real problem, especially for DAOs and projects building complex contract systems with many dependencies. It reduces security risks, improves developer workflows, and ensures safer upgrades.
  • Gaps in Existing Solutions: Currently, no mainstream tool like Etherscan, Infura, or Remix offers this level of contract dependency management or version control on-chain, making this a valuable contribution to the ecosystem.

Next Steps:

  • Research further into existing dependency tracking efforts: See if there are ongoing efforts in the Ethereum or multi-chain ecosystem toward dependency tracking.
  • Prototype a version-control contract: Consider building an MVP that could track a few contracts' versions on-chain and simulate notifications for dependent projects.
  • Engage with developers: Talk to DAO devs or blockchain engineers to gauge interest and potential pain points with contract upgrades and dependencies.

This could be the foundation for decentralized package management for smart contracts on-chain, solving critical versioning and security challenges.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

reporting contracts on-chain is another potential roadblock that needs thoughtful design. There are several challenges, such as how to ensure accuracy, transparency, and ease of access for users across different ecosystems. Let’s explore some ideas and solutions on how this reporting could be implemented:

1. Challenge: Reporting Contract Versions On-Chain

When it comes to reporting contracts and their versions, several questions arise:

  • Who reports the contract versions? Should this be done by the developers, a decentralized network, or an automated system?
  • How is the reporting verified? How do we ensure that the reported versions and changes are accurate and trustworthy?
  • How do we track contract changes? Given the immutable nature of smart contracts, upgrading typically involves deploying new contracts—how do we link different versions of the same contract?

Here are some approaches to address these challenges:

2. Potential Solutions:

A. Self-reporting by Developers (Manual Process)

  • How it works: When developers deploy a contract, they can manually register the contract and its version in an on-chain registry. They can also report upgrades by linking the new contract with the previous version.
  • Benefits:
    • Simplicity: Developers can directly input metadata related to the contract (version, dependencies, etc.).
    • Transparency: Information comes directly from the source (developers), which can be trusted, especially if their identity or reputation is tied to the report.
  • Challenges:
    • Human Error: Developers might forget to report upgrades, or provide incorrect or incomplete information.
    • Decentralization: Relying solely on manual reporting goes against the idea of decentralized systems.

B. Automated Reporting via Deployment Tooling

  • How it works: Leverage development tools like Hardhat, Truffle, Foundry, or Remix to automatically register contracts when they are deployed. These tools can be modified to include hooks that report contract versions to the on-chain registry.
  • Benefits:
    • Automation: Reduces human error and ensures that every contract deployment and version upgrade is reported.
    • Seamless Integration: Since developers already use these tools, they wouldn’t need to change their workflows.
  • Challenges:
    • Adoption: This would require integration across multiple development tools and ecosystem support.
    • Gas Costs: Reporting every contract version might add additional gas costs to the deployment process, which developers may be hesitant to pay.

C. Smart Contracts with Built-in Versioning

  • How it works: Create smart contracts with built-in version control. Each contract can expose a function to report its current version and list previous versions or dependencies (like how package.json works in NPM).
  • Benefits:
    • Direct Contract Reporting: The contract itself reports its version, removing reliance on external parties or manual reporting.
    • Built-in Dependencies: Contracts could include a mechanism to track which contracts they depend on, creating an automatic record of these relationships.
  • Challenges:
    • Complexity: Writing contracts with built-in version control can add complexity to contract design.
    • Gas Costs: More on-chain logic could increase the gas required for contract execution.

D. Decentralized Auditors/Oracles

  • How it works: Use oracles or a network of decentralized auditors to observe the blockchain and report contract versions. When a contract is deployed or upgraded, these oracles can verify the contract and submit its version to an on-chain registry.
  • Benefits:
    • Trustless Reporting: Removes the reliance on developers or centralized entities to report the contract versions, providing a decentralized and trustless reporting mechanism.
    • Verification: Oracles can cross-check contract versions to ensure accuracy and that the dependencies are correct.
  • Challenges:
    • Incentives: How to incentivize oracles to participate in reporting contract versions.
    • Cost: Running oracles involves costs (gas fees, operational costs), and these would need to be subsidized by the network or users.

E. GitHub Integration with Blockchain Registries

  • How it works: Leverage existing tools like GitHub Actions or IPFS to trigger reporting on the blockchain whenever a new contract is pushed or versioned on a GitHub repository. The contract code could be linked to the specific commit or version in the repository.
  • Benefits:
    • Code Verification: This integrates with existing development workflows and ensures that the contract deployed on-chain matches the code in the repository.
    • Track History: A detailed version history of the contract can be maintained, and developers can link the on-chain contract to the specific commit on GitHub or other platforms.
  • Challenges:
    • Off-chain to On-chain: Integrating off-chain tools like GitHub with on-chain reporting can be technically complex.
    • Trust: Trust in off-chain systems like GitHub may be a concern for purely decentralized projects.

3. Reporting Format:

Once you determine how to report, the next step is defining what to report. Key information could include:

  • Contract Address: The unique address of the contract on-chain.
  • Version Number: A simple versioning system (v1.0, v2.0, etc.) or semantic versioning.
  • Deployment Timestamp: To track when the contract was deployed.
  • Dependency Information: What other contracts or libraries does this contract depend on, and their versions.
  • Upgrade Path: Information about what versions a contract can be upgraded to.
  • Security Status: Flags or reports if a contract has been deprecated or found to be insecure.
  • Audits: If a contract has been audited, a link to the audit report could be included.

4. Incentive Models for Reporting:

To ensure widespread adoption of the on-chain contract version control system, there could be several incentive models:

  • Reputation Systems: Developers who consistently report contract versions accurately could gain reputation points or badges, incentivizing them to report versions correctly.
  • Token Rewards: The system could reward developers or oracles who report contract versions and dependencies with native tokens or fees.
  • Penalties: Projects that fail to report contract upgrades might be flagged in the system, warning other users that the contract may no longer be safe to interact with.

5. Interoperability:

Since contracts are deployed across multiple chains (Ethereum, Arbitrum, Optimism, etc.), the reporting system would need to be interoperable across chains. Consider leveraging cross-chain solutions (like LayerZero or Wormhole) to track contracts and their versions across different ecosystems.

Conclusion:

How to report contracts on-chain is indeed a complex problem, but a combination of the following approaches could provide a solution:

  • Automated tools (via Hardhat, Foundry, etc.) that report contract versions upon deployment.
  • Smart contracts with built-in version control and dependency tracking.
  • Decentralized oracles to verify and report contracts.
  • GitHub or IPFS integration for code verification and history tracking.

By creating a robust system that reports, verifies, and tracks contract versions on-chain, you can address the version control problem in a decentralized, trustless, and automated manner.

  • Conntect with Auditors, Etherscan and Openzepplin
Last changed by 
Rashmi V Abbigeri
1
40

Read more

DAOIP-5 Extensions Field: Implementation Brief

We are proposing to add an optional extensions field to all DAOIP-5 schema components (Grant Systems, Grant Pools, Projects, and Payouts). This field will serve as a standardized catch-all for implementation-specific metadata, experimental features, and custom data requirements that extend beyond the core specification.

Jul 8, 2025
ShoreGun

DAOs often lack:

Jul 4, 2025
DAO Treasury Management Research

How are you DAOing? 20 DAO Treasuries analyzed | 2023https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4604968

Jul 4, 2025
DAOIP-5 SuperLink

DAOIP-5 Data Lake can be found here, it a folder of JSON URI's sourced from Grant Systems: https://github.com/opensource-observer/oss-funding/tree/main/daoip-5/json

Jun 19, 2025
Read more from Rashmi V Abbigeri
Published on HackMD