Upgrade keys are the root of trust. A sequencer's fraud or validity proof is irrelevant if a centralized multisig can arbitrarily change the rollup's rules. The security model collapses to the governance of the upgrade mechanism.
crypto-marketing-and-narrative-economics
Blog
Who Really Controls the L2 Upgrade Keys?
A critical analysis of L2 upgrade mechanisms. We map the multi-sig holders, evaluate on-chain governance claims, and reveal which networks have a credible path to decentralization. The security of billions in TVL depends on a handful of private keys.
introduction
THE GOVERNANCE PARADOX
Introduction
Layer 2 security is a direct function of who controls the upgrade keys, not the cryptographic proofs.
The 'multi-sig cartel' is the standard. Most major L2s, including Arbitrum and Optimism, launch with a small, known set of entities controlling upgrades. This creates a temporary, centralized security bottleneck that often persists.
Time-locks are not decentralization. A 7-day delay on upgrades, used by networks like Arbitrum Nova, is a transparency feature, not a security guarantee. It allows users to exit, but does not prevent a determined cartel from forcing through changes.
Evidence: As of Q1 2024, zero top-10 L2s by TVL have fully decentralized, permissionless upgrade mechanisms. The transition to smart contract timelocks or on-chain governance like Arbitrum DAO remains a multi-year roadmap item.
key-trends
WHO HOLDS THE KEYS?
Executive Summary: The State of L2 Control
The ability to upgrade a smart contract is the ultimate veto power over a blockchain. For L2s with $40B+ in combined TVL, this control is concentrated in a handful of entities, creating systemic risk.
01
The Multi-Sig Illusion
Most major L2s rely on a 5-of-8 or 7-of-12 multi-sig for upgrades, masquerading as decentralization. This is a single point of failure where signers, often VC-backed entities, can collude or be compelled to act. The security model is social, not cryptographic.
- Key Risk: Signer set controlled by founding team/VCs.
- Reality: A 51-hour timelock on Optimism doesn't stop a malicious upgrade, it just announces it.
5-7/12
Signers Needed
51h
Max Delay
02
Arbitrum's Security Council Gambit
Arbitrum introduced a 12-member, elected Security Council to manage upgrades, a step beyond pure team multi-sigs. However, initial members were appointed by Offchain Labs, and the council still holds unilateral upgrade power during emergencies. This creates a governance bottleneck where a small group can override DAO votes.
- Key Benefit: More decentralized than a static team multi-sig.
- Key Risk: Council's emergency powers are a backdoor; real decentralization depends on future DAO oversight.
12
Council Members
9/12
Emergency Vote
03
The StarkNet & zkSync Dilemma
ZK-Rollups like StarkNet and zkSync Era face a unique control problem: their provers are centralized and proprietary. The upgrade key controls not just bridge funds but also the validity proof system itself. A malicious upgrade could forge proofs, making the L2's cryptographic security irrelevant.
- Key Risk: Centralized prover + upgrade key = cryptographic trust.
- Reality: True decentralization requires open-source provers and decentralized sequencing, which are still R&D.
1
Prover Entity
~0
Client Diversity
04
The Escape Hatch Fallacy
Users are told to rely on L1 escape hatches (force-withdrawal mechanisms) if the L2 goes rogue. This is a false safety net. In a crisis, these mechanisms would be overwhelmed, creating a gas auction death spiral on Ethereum. For a rollup with $2B TVL, a mass exit is technically impossible within a short timeframe.
- Key Risk: Escape hatches assume infinite L1 block space.
- Reality: They are a social coordination tool, not a technical guarantee of asset recovery.
$2B+
TVL at Risk
7d
Challenge Period
05
Optimism's Path to a 'Superchain'
The Optimism Collective is attempting to institutionalize upgrade control through its Law of Chains and a shared security council for the Superchain. The goal is to move from a chain-specific multi-sig to a federated security model where chains mutually enforce each other's rules. This is the most ambitious governance experiment in L2s.
- Key Benefit: Aims to replace chain sovereignty with collective security.
- Key Risk: Replaces a known oligarchy with a complex, untested political system.
1
Shared Council
Multi-Chain
Scope
06
The Only Real Solution: Immutability
The endpoint of L2 evolution is a truly immutable settlement layer, where upgrade keys are removed entirely. This is the Celestia model applied to execution. Projects like Eclipse and Fuel are building with this ethos. Until then, all L2s are verifiable but mutable databases, requiring continuous trust in their governing bodies.
- Key Benefit: Eliminates the upgrade key threat vector completely.
- Reality: Requires perfect code and a willingness to fork, not upgrade—a cultural shift for devs.
0
Admin Keys
Fork
Upgrade Path
GOVERNANCE & SECURITY
L2 Upgrade Mechanism Matrix: A Cold Hard Look
A comparison of the technical and social mechanisms that control the ability to modify core L2 protocol logic, including sequencer, bridge, and prover contracts.
| Feature | Optimism (OP Stack) | Arbitrum (Nitro) | zkSync Era | Starknet | Base |
|---|---|---|---|---|---|
Upgrade Execution Multi-sig | 2-of-4 (Security Council) | 9-of-12 (Security Council) | 4-of-7 (zkSync Era) | 8-of-12 (Starknet Foundation) | 2-of-3 (Base Team) |
Time-Lock Delay on Upgrades | 0 days (Council) | 72 hours (Council) | 10 days (Multi-sig) | 30 days (Foundation) | 0 days (Multi-sig) |
On-Chain Governance Vote Required | |||||
Governance Token | OP | ARB | STRK | ||
Emergency Action (No Delay) | |||||
Sequencer Decentralization Roadmap | Stage 1: Permissioned (2024) | Stage 2: Permissionless (2024) | Stage 1: Permissioned (TBD) | Stage 1: Permissioned (TBD) | Stage 0: Centralized |
Prover Upgrade Control | Council Multi-sig | Council Multi-sig | Multi-sig | Foundation Multi-sig | Base Team Multi-sig |
deep-dive
THE GOVERNANCE
The Slippery Slope: From Multi-Sig to 'Sufficient Decentralization'
L2 upgrade keys reveal a spectrum of control, where 'sufficient decentralization' is a marketing term for retained central authority.
Upgrade keys define sovereignty. The entity controlling the L2's upgrade mechanism controls the chain's state and logic. This is the ultimate backdoor, making decentralization claims downstream irrelevant.
Multi-sigs are the industry standard. Arbitrum, Optimism, and zkSync Era use multi-sig wallets for upgrades. This is a temporary, centralized security council model that defers true on-chain governance.
'Sufficient decentralization' is a legal shield. Projects like Polygon and Base use this term to signal reduced regulatory risk while maintaining operational control. It is a political, not technical, milestone.
The escape hatch is fraud proofs. Networks like Arbitrum Nitro and Optimism Bedrock implement fraud-proof systems that theoretically allow users to force a correct state, but the upgrade key can still change or disable this mechanism.
protocol-spotlight
WHO CONTROLS THE UPGRADE KEYS?
Protocol Spotlight: Paths to Decentralization (or Lack Thereof)
The security of a rollup is defined by its ability to resist malicious upgrades. Here's how major L2s stack up on the ultimate control mechanism.
01
The Security Council Model (Optimism, Arbitrum)
A multi-sig of elected experts holds upgrade keys, creating a time-delayed governance checkpoint. This is the current gold standard for progressive decentralization.
- Key Benefit: 2-of-N security with ~7-day challenge window for community veto.
- Key Benefit: Explicit path to full code decentralization via the Cannon fault-proof system.
2/8+
Multisig Threshold
7 Days
Challenge Window
02
The Foundation Multisig (Base, zkSync Era)
A small, often corporate-controlled multisig retains unilateral upgrade power. This is security through reputation, not cryptography.
- The Problem: Instant upgrades are possible with no on-chain delay for user exit.
- The Reality: Security relies on trusting Coinbase or Matter Labs, creating a centralized failure point.
Instant
Upgrade Speed
3-5
Signer Count
03
The Immutable Verifier (Starknet, Fuel)
Upgrade logic is enforced by an on-chain, verifiable program (e.g., a STARK verifier). The key is proving correctness, not trusting signers.
- Key Benefit: No admin key can change the core state transition logic.
- Key Benefit: Decentralization shifts to the prover network and data availability layer.
0
Admin Keys
Validity Proof
Security Root
04
The DAO-Governed Multisig (Polygon zkEVM, Metis)
A DAO token vote is required to authorize a multisig execution. This adds political friction but not cryptographic security.
- The Problem: The multisig remains a technical single point of failure.
- The Reality: Governance capture or voter apathy can still lead to a malicious upgrade.
DAO Vote
Authorization
5/8
Execution Threshold
05
The Escape Hatch Fallacy
Many protocols tout a user 'escape hatch' or 'force withdrawal' as decentralization. This is a last-resort safety net, not a primary security model.
- The Problem: Mass exits during a crisis cause congestion, high fees, and price instability.
- The Reality: It's security theater if the L1 bridge contract itself can be upgraded by a small multisig.
Days-Weeks
Exit Duration
>1000x
Fee Spike Risk
06
The Zero-Knowledge Future (Aztec, Scroll)
The endgame: Upgrade keys are eliminated entirely. Security is based on cryptographic proofs and decentralized sequencing.
- Key Benefit: Trustless execution from day one; no need to 'earn' decentralization.
- Key Challenge: Requires mature proof recursion and decentralized prover markets.
Cryptographic
Security Root
Eliminated
Trust Assumption
counter-argument
THE REALITY OF CONTROL
The Builder's Defense: Why Multi-Sig is 'Necessary'
Layer-2 upgrade keys are centralized by design, and builders argue this is a temporary, pragmatic necessity for security and speed.
Upgrade keys are centralized. Every major L2—Arbitrum, Optimism, zkSync—uses a multi-sig council for protocol upgrades. This is a security backstop against bugs in complex, evolving code. The alternative is a frozen, immutable contract, which is untenable for a live network.
The trade-off is speed over decentralization. A small council of known entities like Offchain Labs or the Optimism Foundation can coordinate a critical fix in hours. A decentralized DAO vote on Snapshot or Tally takes weeks, which is an eternity during an active exploit.
The defense is 'temporary progressive decentralization'. Teams like Arbitrum point to their security council roadmap as proof of intent. The multi-sig is a scaffolding tool, with plans to expand signers and eventually implement time-locked, permissionless upgrades.
Evidence: The Arbitrum Security Council has 12-of-15 multi-sig signers. This structure enabled the rapid activation of the Nitro upgrade, which cut fees by >90%. Without it, the upgrade would have required a far slower and riskier community governance process.
risk-analysis
THE MULTISIG MAFIA
Risk Analysis: What Could Go Wrong?
The multi-billion dollar security of every major L2 currently rests in the hands of a few anonymous keys. This is the single greatest centralization vector in the ecosystem.
01
The 5/8 Multisig is Not a Security Model
Most L2s (Arbitrum, Optimism, Base) use small, off-chain multisigs for their upgrade keys. This creates a single point of failure for $30B+ in bridged assets. The governance delay is a fig leaf; the keys hold ultimate power.\n- Single Point of Failure: Compromise of a few signers can drain the chain.\n- Opaque Process: Signer identities are often pseudonymous or corporate entities.\n- No On-Chain Recourse: Users cannot fork or slash a malicious multisig.
5/8
Common Quorum
$30B+
TVL at Risk
02
The Time-Lock Theater
A 7-day delay before upgrades execute (used by Arbitrum, Optimism) is better than nothing, but it's reactive, not preventive. It relies on perfect vigilance from a decentralized mob to notice and coordinate a mass exit in time—a security fairy tale.\n- Assumes Perfect Information: Requires users to monitor and understand every upgrade.\n- Exodus Impractical: Moving billions in DeFi positions in a week is often impossible.\n- Creates False Confidence: The 'safety window' is marketing, not a guarantee.
7 Days
Standard Delay
0
Preventive Action
03
The StarkNet & zkSync Era Dilemma
Even 'decentralized' ZK-Rollups face this. StarkNet's upgrade path is controlled by StarkWare's SHAPPs. zkSync Era uses a Security Council. While technically more robust, ultimate control still resides with the founding entity, creating legal and technical centralization risks.\n- Founder Dominance: Protocol rules can be changed by the core dev entity.\n- Code is Not Law: The verifier can be upgraded, potentially invalidating user assets.\n- Dependency Risk: Relies on the continued benevolence and competence of a single team.
1 Entity
Ultimate Control
ZK-Verifier
Upgradable
04
The Escape Hatch: Layer 1 Forkability
The only true mitigation is the ability for the L1 (Ethereum) community to fork the L2's bridge and state if the upgrade keys are abused. This is the nuclear option, requiring extreme social consensus and proving that L2s are politically, not cryptographically, secured.\n- Social Consensus Required: As complex and messy as an Ethereum hard fork.\n- Mass Coordination: Needs validators, nodes, and users to adopt the fork.\n- Ultimate Proof: Reveals that L2 security is a social contract backed by L1.
L1 Sovereign
Final Backstop
Chaotic
Recovery Process
future-outlook
THE GOVERNANCE TRAP
Future Outlook: The Inevitable Hard Fork
The centralized control of L2 upgrade keys creates a systemic risk that will be resolved through user-driven hard forks.
L2s are centralized by design. The core security model of optimistic and ZK rollups relies on a single, trusted sequencer and a security council with upgrade keys. This is a temporary concession for speed, not a feature.
Users will fork the chain. When a council acts against user interests—like censoring transactions or extracting value—the community will execute a user-activated soft fork (UASF). This happened on Ethereum; it will happen on Arbitrum and Optimism.
The fork is the ultimate governance. Projects like L2BEAT's risk dashboard and EigenLayer's restaking create economic signals that pressure councils. A credible fork threat forces decentralization of the sequencer and adoption of EIP-4844 for cheaper data.
Evidence: The $ARB token dropped 10% after a contentious governance vote, proving market sensitivity to centralization risk. Protocols like Aave and Uniswap will migrate to the forked chain that guarantees neutrality.
takeaways
L2 GOVERNANCE RISK
Key Takeaways for Builders and Investors
The power to upgrade an L2's core contracts is the ultimate control point, representing a single point of failure for billions in user funds.
01
The Multi-Sig Mirage
Most L2s rely on a small, named council (e.g., 5-10 signers) to execute upgrades. This creates a governance bottleneck and a high-value attack surface. True decentralization is deferred to an unspecified future.
- Risk: A compromised signer or legal coercion can alter protocol rules.
- Reality: $30B+ in TVL across major L2s is secured by ~50 individuals.
5-10
Signers
$30B+
TVL at Risk
02
The Timelock Is Not Enough
A security council + timelock model (used by Optimism, Arbitrum) allows users a window to exit before a suspicious upgrade. However, this is a reactive, not preventive, measure.
- Benefit: Provides a ~7-day escape hatch for sophisticated users.
- Limitation: Mass user exodus during a crisis is practically impossible, creating a coordination failure.
7 Days
Standard Delay
High
Exit Friction
03
The Escape Hatch Audit
Investors must scrutinize the L1 escape hatch mechanism. A robust design, like Arbitrum's multi-step challenge period, is critical. Weak implementations can be disabled by the very upgrade they're meant to guard against.
- Action: Audit the forums.chainscore.dev for upgradeability.
- Metric: Evaluate the technical & social difficulty of executing a mass exit.
Critical
Due Diligence
Variable
Exit Viability
04
StarkNet's Path to On-Chain Governance
StarkNet is executing a phased transition from a foundation-run multi-sig to on-chain governance via a token vote. This is the most explicit decentralization roadmap among major L2s.
- Phase 1: StarkNet Foundation controls upgrades.
- Phase 2: Security Council of elected professionals.
- Phase 3: Full STARK token holder voting.
3-Phase
Roadmap
Token Vote
End State
05
The zkSync & Scroll Opaque Model
Networks like zkSync Era and Scroll maintain upgrade keys held by their development entities (Matter Labs, Scroll Foundation). Their decentralization plans are roadmap promises, not live code.
- Builder Risk: Protocol rules can change overnight, breaking integrated dApps.
- Investor Risk: Valuation hinges on future, unimplemented governance.
Dev Control
Current State
TBD
Decentralization ETA
06
The Base & OP Stack Forkability Hedge
Using a shared stack like OP Stack provides a unique hedge: if the canonical chain (Optimism Mainnet) makes a malicious upgrade, the ecosystem can fork to a new canonical chain. This social consensus layer reduces the absolute power of any single L2's multi-sig.
- Benefit: Forkability creates competitive pressure for good governance.
- Example: Base and other OP Stack chains form a decentralized bloc.
OP Stack
Shared Codebase
Social
Final Backstop
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall