diff --git a/pkgs/applications/blockchains/erigon.nix b/pkgs/applications/blockchains/erigon/default.nix
similarity index 83%
rename from pkgs/applications/blockchains/erigon.nix
rename to pkgs/applications/blockchains/erigon/default.nix
index d656db3c47c8..f4e5b1de652c 100644
--- a/pkgs/applications/blockchains/erigon.nix
+++ b/pkgs/applications/blockchains/erigon/default.nix
@@ -1,18 +1,21 @@
 { lib, buildGoModule, fetchFromGitHub }:
 
+let
+  pinData = lib.importJSON ./pin.json;
+in
 buildGoModule rec {
   pname = "erigon";
-  version = "2.30.0";
+  version = pinData.version;
 
   src = fetchFromGitHub {
     owner = "ledgerwatch";
     repo = pname;
     rev = "v${version}";
-    sha256 = "sha256-s5D+Ps5S95AyNh7tt2SnTvUxNHzOothsMZA7NW3x0yM=";
+    sha256 = pinData.sha256;
     fetchSubmodules = true;
   };
 
-  vendorSha256 = "sha256-ICoThps7c4+9NQPeaASQ88YVbczJD/MgF2ldOmKjgvc=";
+  vendorSha256 = pinData.vendorSha256;
   proxyVendor = true;
 
   # Build errors in mdbx when format hardening is enabled:
diff --git a/pkgs/applications/blockchains/erigon/pin.json b/pkgs/applications/blockchains/erigon/pin.json
new file mode 100644
index 000000000000..e274f307007a
--- /dev/null
+++ b/pkgs/applications/blockchains/erigon/pin.json
@@ -0,0 +1,5 @@
+{
+  "version": "2.31.0",
+  "sha256": "sha256-+qVfujPKy/HAkMOJQdHI3G1pBoYG2Lhm5BKHrvf3lv0=",
+  "vendorSha256": "sha256-XTGbwMEuLBEXP/QAR8RLRPrbvz2ReCLg4tCogbqHiHg="
+}
diff --git a/pkgs/applications/blockchains/erigon/update.sh b/pkgs/applications/blockchains/erigon/update.sh
new file mode 100755
index 000000000000..c50a7a20f29e
--- /dev/null
+++ b/pkgs/applications/blockchains/erigon/update.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i oil -p jq sd nix-prefetch-github ripgrep
+
+# TODO set to `verbose` or `extdebug` once implemented in oil
+shopt --set xtrace
+# we need failures inside of command subs to get the correct vendorSha256
+shopt --unset inherit_errexit
+
+const directory = $(dirname $0 | xargs realpath)
+const owner = "ledgerwatch"
+const repo = "erigon"
+const latest_rev = $(curl -q https://api.github.com/repos/${owner}/${repo}/releases/latest | \
+  jq -r '.tag_name')
+const latest_version = $(echo $latest_rev | sd 'v' '')
+const current_version = $(jq -r '.version' $directory/pin.json)
+if ("$latest_version" === "$current_version") {
+  echo "$repo is already up-to-date"
+  return 0
+} else {
+  const tarball_meta = $(nix-prefetch-github $owner $repo --rev "$latest_rev" --fetch-submodules)
+  const tarball_hash = "sha256-$(echo $tarball_meta | jq -r '.sha256')"
+
+  jq ".version = \"$latest_version\" | \
+      .\"sha256\" = \"$tarball_hash\" | \
+      .\"vendorSha256\" = \"\"" $directory/pin.json | sponge $directory/pin.json
+
+  const new_vendor_sha256 = $(nix-build -A erigon 2>&1 | \
+    tail -n 2 | \
+    head -n 1 | \
+    sd '\s+got:\s+' '')
+
+  jq ".vendorSha256 = \"$new_vendor_sha256\"" $directory/pin.json | sponge $directory/pin.json
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index efdf9b79ecf5..17798ea68e7b 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -33650,7 +33650,7 @@ with pkgs;
 
   ergo = callPackage ../applications/blockchains/ergo { };
 
-  erigon = callPackage ../applications/blockchains/erigon.nix { };
+  erigon = callPackage ../applications/blockchains/erigon { };
 
   exodus = callPackage ../applications/blockchains/exodus { };