Upgradeability is a backdoor. It reintroduces centralized trust into a system designed to eliminate it. A deployer with upgrade keys holds the same power as a traditional CEO over a database.
security-post-mortems-hacks-and-exploits
Blog
Why Upgradeable Contracts Are the Ultimate Betrayal of DeFi
An analysis of how proxy patterns, while practical, create systemic risk by centralizing control and violating the core covenant of trustless, immutable code that defines decentralized finance.
introduction
THE BETRAYAL
Introduction
Upgradeable smart contracts fundamentally violate the core value proposition of decentralized finance.
The promise of DeFi is immutability. Users interact with protocols like Uniswap V3 and MakerDAO based on the guarantee that code is law. Upgradeability makes this guarantee conditional on the keyholder's benevolence.
This creates systemic risk. The $100M Wormhole hack was patched via an upgrade, but this same mechanism is the single point of failure for countless protocols. The industry's reliance on OpenZeppelin's UUPS/Transparent Proxy patterns has normalized this risk.
Evidence: Over 80% of top-100 DeFi TVL protocols use upgradeable proxies, creating a fragile web of centralized failure points masquerading as decentralized infrastructure.
key-trends
WHY UPGRADEABLE CONTRACTS ARE THE ULTIMATE BETRAYAL OF DEFI
The Slippery Slope: From Feature to Fatal Flaw
The convenience of mutable logic has become the primary vector for protocol capture and systemic risk.
01
The Admin Key is a Time Bomb
A single private key controlling a $1B+ Total Value Locked (TVL) protocol is a systemic risk. The upgrade mechanism is not a feature; it's a centralized kill switch.\n- Historical Precedent: See the Wormhole hack and subsequent $320M bailout, enabled by admin key control.\n- Attack Surface: Compromise of a single multisig signer can lead to total protocol drainage.
>90%
Of Major Hacks
1 Key
To Drain Billions
02
The Governance Illusion
Token-based voting for upgrades creates a false sense of decentralization. Whale-dominated governance can force through malicious proposals or rug pulls.\n- Vote Buying: Entities like Jump Crypto or a16z can sway outcomes, turning DeFi into CeFi with extra steps.\n- Speed vs. Security: A 7-day timelock is meaningless against a determined, well-capitalized attacker executing a governance attack.
$40M
Cost of Attack (est.)
<1%
Voter Turnout
03
The Immutable Alternative: Uniswap V3
Uniswap V3 is the canonical example of a successful, high-value protocol deployed without upgradeability. Its core is immutable, forcing innovation to happen via new, competing deployments.\n- Architectural Integrity: The core AMM logic is set in stone, creating a predictable, trust-minimized base layer.\n- Innovation Pressure: New features (e.g., UniswapX) must be built as separate, opt-in systems, preventing forced migrations and fragmentation of liquidity.
$3B+
Immutable TVL
0
Admin Functions
04
The Transparent Compromise: Time-Locked & Verifiable Upgrades
If upgrades are necessary, they must be transparent and slow. A publicly verifiable timelock with a community veto via fork is the bare minimum.\n- Example: Compound's Governor Bravo with a 2-7 day delay allows for market reaction and fork preparation.\n- Key Principle: The code must be publicly visible on-chain before it can be executed, eliminating surprise attacks.
7 Days
Minimum Safe Delay
100%
Code Visibility
05
The Inevitable Endgame: Protocol Capture
Upgradeability is the legal loophole for VCs and insiders. It allows a project to pivot from a decentralized protocol to a captured product, extracting value from users.\n- The Playbook: Launch with "progressive decentralization," accumulate TVL, then use admin powers to introduce fees or change tokenomics.\n- User Betrayal: The social contract of "code is law" is broken the moment a multisig can change the rules.
100%
Of "Progressive" Projects
$0
User Recourse
06
The First-Principles Solution: Immutable Cores & Modular Extensions
Build like Ethereum itself: an immutable base layer with modular, opt-in extensions. The core contract must be finalized at launch.\n- Architecture: Use proxy patterns for peripheral contracts (staking, gauges) but never for core money logic (AMM, lending).\n- Future-Proofing: New features are built as separate contracts that interact with the immutable core, preserving user sovereignty and choice.
1
Immutable Core
N
Modular Extensions
deep-dive
THE ARCHITECTURAL FLAW
Anatomy of a Betrayal: How Proxy Patterns Work (And Fail)
Upgradeable smart contracts, via proxy patterns, create a systemic risk by centralizing control and violating the core promise of immutable code.
Proxy patterns decouple logic from storage. A user's wallet interacts with a lightweight proxy contract that delegates all calls to a separate, mutable logic contract. This allows developers to deploy new logic without migrating user funds or state, a feature heavily used by protocols like OpenZeppelin's TransparentUpgradeableProxy and UUPS (EIP-1822).
The admin key is a centralized kill switch. The entity holding the proxy's admin privileges can unilaterally redirect the proxy to any new logic contract. This creates a single point of failure, contradicting DeFi's trust-minimization ethos. The infamous dYdX v3 to v4 migration demonstrated this power, moving billions in user positions off-chain by proxy upgrade.
Time-locks and DAOs are theater, not guarantees. While protocols like Uniswap and Compound use governance-controlled upgrades, the delay is a social, not technical, barrier. A determined majority or a compromised multisig can still execute a malicious upgrade, as seen in the Nomad Bridge hack where a faulty upgrade script drained $190M.
The failure mode is absolute betrayal. Unlike an exploit in immutable code, a malicious upgrade isn't a bug—it's a feature. The proxy can be pointed to logic that drains all funds, mint infinite tokens, or permanently brick the protocol. Users who trusted the front-end code are betrayed by the back-end admin key.
UPGRADEABLE VS. IMMUTABLE CONTRACTS
The Cost of Convenience: A Ledger of Loss
A first-principles comparison of contract mutability models, quantifying the security trade-offs for DeFi protocols.
| Core Feature / Metric | Upgradeable Proxy (e.g., Compound, Aave) | Immutable Contract (e.g., Uniswap V2, MakerDAO) | Time-Locked Governance Upgrade (e.g., Uniswap V3, Lido) |
|---|---|---|---|
Admin Key Risk | Single EOA or Multi-sig holds upgrade power | No admin key exists | DAO-controlled Timelock (e.g., 2-7 days) |
Attack Surface for Exploit | Proxy storage slots, initialization logic, admin key compromise | Contract logic is fixed post-deployment | Timelock delay adds defense-in-depth; attack must compromise DAO |
User Trust Assumption | Trust in the admin's competence and honesty | Trust in the code's correctness at deployment | Trust in the DAO's governance and the timelock security |
Historical Losses from Upgrades |
| $0 (by definition; losses from logic bugs only) | <$10M (primarily from governance attacks like Beanstalk) |
Time to Execute Critical Fix | < 1 hour (if admin is responsive) | Impossible; requires migration | Governance delay + Timelock (e.g., 3-10 days) |
Developer Convenience | High - bugs can be patched | None - must deploy new system | Medium - upgrades possible with community oversight |
Composability Risk | High - integrators face breaking changes | Low - interface is permanent | Medium - changes are broadcast in advance |
Philosophical Alignment | TradFi agility; bet on the team | DeFi purity; bet on the code | Progressive decentralization; bet on the community |
case-study
WHY UPGRADEABLE CONTRACTS ARE THE ULTIMATE BETRAYAL OF DEFI
Case Studies in Centralized Failure
Upgradeable contracts reintroduce the single point of failure that DeFi was built to eliminate, turning immutable code into mutable promises.
01
The SushiSwap MISO Incident
A privileged wallet was compromised, allowing an attacker to steal $3M from the platform's launchpad. The exploit was possible because the contract's admin key was not timelocked, enabling instant, unilateral changes.
- The Problem: Admin keys are live attack vectors.
- The Solution: Immutable contracts or robust, multi-sig timelocks like those used by Uniswap and Compound.
$3M
Lost
1 Key
Single Point of Failure
02
The Compound Governor Bravo Upgrade Bug
A bug in a protocol upgrade via Governor Bravo temporarily broke $100M+ in COMP token distributions. While fixed via a subsequent proposal, it exposed the systemic risk of complex, upgradeable governance modules.
- The Problem: Code upgrades are inherently risky, even with DAO votes.
- The Solution: Formal verification, exhaustive testnets, and immutable core contracts where possible.
$100M+
At Risk
Governor Bravo
Upgrade Vector
03
Proxy Pattern vs. User Sovereignty
The standard Transparent Proxy or UUPS pattern centralizes power in an admin address. Users must perpetually trust that the admin won't rug, censor, or introduce bugs. This negates the core DeFi premise of "trustless" interactions.
- The Problem: Your assets are only as safe as the proxy admin.
- The Solution: Opt for non-upgradeable protocols or ones with irrevocable timelocks and community veto powers.
100%
Trust Assumption
Proxy Admin
Centralized Control
counter-argument
THE MISALIGNED INCENTIVE
The Builder's Defense (And Why It's Wrong)
The standard justifications for upgradeable smart contracts are rationalizations for convenience that undermine the core value proposition of decentralized finance.
Upgradeability is operational convenience. Builders argue it's necessary for bug fixes and feature iteration, treating contracts like SaaS products. This prioritizes developer agility over user sovereignty, the antithesis of DeFi's credibly neutral foundation.
The multisig is a centralization vector. Delegating upgrades to a 5-of-9 Gnosis Safe controlled by the founding team or a DAO creates a single point of failure. This recreates the trusted intermediary that protocols like Uniswap and Aave were built to eliminate.
It breaks composability guarantees. An immutable contract is a permanent state primitive; downstream integrators can rely on its behavior. An upgradeable contract is a mutable API, forcing projects like Yearn or Gelato to constantly monitor for breaking changes.
Evidence: The 2023 Euler Finance hack and subsequent 'upgrade' to recover funds demonstrated that admin keys are a systemic risk. The recovery was a moral necessity, but it proved the protocol was never truly trustless.
FREQUENTLY ASKED QUESTIONS
FAQ: Navigating the Proxy Minefield
Common questions about the security and trust implications of upgradeable smart contracts in DeFi.
No, they introduce a critical centralization risk by placing unilateral upgrade power in the hands of a few. This creates a single point of failure, betraying DeFi's trustless ethos. A malicious or compromised admin key can rug-pull funds or change protocol logic, as seen in incidents with Compound and SushiSwap governance.
takeaways
THE ULTIMATE BETRAYAL
TL;DR for CTOs and Architects
Upgradeable smart contracts introduce a single, mutable point of failure, fundamentally breaking the trustless promise of DeFi.
01
The Admin Key is a Kill Switch
A single private key can rug, censor, or brick a protocol. This centralizes risk in a system designed for decentralization.\n- Admin key compromises have led to $100M+ losses (e.g., Nomad Bridge).\n- Time-lock delays are theater; multisig signers can still collude.
1 Key
Single Point
$100M+
Risk Exposure
02
It Breaks Composability & Auditability
Upgradeability makes on-chain integration a moving target, destroying the deterministic foundation DeFi is built on.\n- Audits are obsolete after the first upgrade.\n- Integrating protocols like Aave or Compound becomes a liability, as their core logic can change post-integration.
0%
Future Guarantee
High
Integration Risk
03
The Solution: Immutable Core + Modular Extensions
Follow the Uniswap V3 model: freeze the battle-tested core and push innovation to the edges.\n- Immutable Core: No admin keys. Ever.\n- Proxy Patterns: Use transparent proxies (EIP-1967) with clear, user-consented upgrade paths only for peripheral logic.
100%
Core Immutability
Safe
Controlled Edge
04
Upgrade Sickness is a $100B+ Systemic Risk
The vast majority of DeFi TVL sits behind proxy contracts. This creates a latent, correlated risk across the entire ecosystem.\n- Lido, Aave, Compound all use upgradeable proxies.\n- A widespread exploit in a common proxy library (e.g., OpenZeppelin) could be catastrophic.
$100B+
TVL at Risk
High
Correlation
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall