Permissionless upgrades are inevitable. The current standard of multisig-controlled proxy contracts creates a systemic risk vector, as seen in hacks targeting platforms like Compound and SushiSwap. This model is a single point of failure.
smart-contract-auditing-and-best-practices
Blog
The Future of Contract Upgrades Is Permissionless
Multisig-controlled upgrades are a systemic risk. This post argues for a new paradigm: trust-minimized upgrade paths using ZK proofs for verification and autonomous agents for execution, rendering human gatekeepers obsolete.
introduction
THE IMPERATIVE
Introduction
The next generation of smart contract systems will be defined by permissionless upgradeability, moving beyond the centralized multisig model.
The future is modular governance. Protocols like Optimism's Bedrock and Arbitrum's Stylus demonstrate that upgrade logic can be decentralized into verifiable, on-chain processes. This separates code deployment from execution authority.
Evidence: The EIP-2535 Diamond Standard provides a technical blueprint, enabling modular, gas-efficient upgrades. Its adoption by protocols like Aave signals a shift towards this more resilient architecture.
key-trends
THE ARCHITECTURAL SHIFT
Executive Summary: The Three Pillars of Permissionless Upgrades
Smart contract upgrades are moving from centralized multisigs to decentralized, user-empowered mechanisms. This is the core infrastructure for credible neutrality.
01
The Problem: The Multisig Mafia
Today, $50B+ in TVL is controlled by 5-of-9 multisigs. This creates a single point of failure and political risk, violating the core promise of decentralization.\n- Governance Lag: Upgrades require weeks of voting and execution.\n- Security Theater: Compromised keys or collusion can rug any protocol.
5-of-9
Common Quorum
$50B+
TVL at Risk
02
The Solution: Immutable Proxies with Escape Hatches
Pioneered by EIP-1822 and EIP-1967, this pattern uses a permanent proxy pointing to logic contracts. Users hold unilateral escape hatches to opt-out via social consensus or fraud proofs.\n- User Sovereignty: Final say rests with the asset holder, not a council.\n- Continuous Uptime: Logic can be upgraded without migrating state or pausing.
0
Downtime
EIP-1967
Standard
03
The Enabler: On-Chain Attestation Networks
Systems like Ethereum Attestation Service (EAS) and Hyperlane's interchain security modules turn subjective social consensus into machine-readable signals for upgrade legitimacy.\n- Composability: Any client (wallet, bridge, explorer) can verify upgrade safety.\n- Interoperability: Creates a universal safety layer across L2s and appchains.
~1M
Attestations
Interchain
Scope
thesis-statement
THE PARADIGM SHIFT
The Core Thesis: Upgrades as a Verification Problem, Not a Governance Problem
The future of contract upgrades is permissionless, shifting the burden from human governance to automated verification.
Upgrades are a verification problem. The core challenge is not deciding if an upgrade is good, but proving what it does. This moves the bottleneck from slow, subjective governance votes to fast, objective code analysis.
Permissionless upgrades are inevitable. Protocols like Optimism's Bedrock and Arbitrum Nitro demonstrate that upgradeability is a non-negotiable feature for scaling L2s. The question is how to make it safe without a multisig.
Governance is a scaling failure. Relying on tokenholder votes for every hotfix creates unacceptable latency and security theater. The real security model is cryptographic proof, not social consensus.
Evidence: The Ethereum Foundation's ERC-6900 standard for modular smart contract accounts explicitly separates upgrade logic from governance, a direct move towards this verification-first paradigm.
PERMISSIONLESS UPGRADES
The Multisig Attack Surface: A Comparative Risk Matrix
Quantifying the security trade-offs between multisig governance and permissionless upgrade mechanisms for smart contracts.
| Attack Vector / Metric | Traditional Multisig (e.g., 5/9) | Timelock + Multisig | Permissionless Upgrade (e.g., Governor, OZ UUPS) |
|---|---|---|---|
Key-Man Risk (Signer Compromise) | High (5 signers) | Medium (5 signers + delay) | None (N/A) |
Upgrade Execution Latency | < 1 hour | 3-14 days | Varies per proposal |
Cost to Execute Malicious Upgrade | 1 gas tx | 1 gas tx |
|
Attack Surface for Code Bug | Permanent (if no timelock) | Window = Timelock duration | Window = Governance voting period |
Upgrade Transparency | Opaque until execution | Fully transparent post-proposal | Fully transparent post-proposal |
Decentralization (Herd Immunity) | Low (9 entities) | Low-Medium (9 entities + delay) | High (token holder base) |
Protocols Using This Model | Early L1s, Early DeFi | Uniswap, Aave v2 | Compound, Aave v3, Lido |
deep-dive
THE NEW PRIMITIVE
Architecting the Permissionless Upgrade
The future of smart contract evolution is immutable logic secured by permissionless, competitive upgrade mechanisms.
Upgradeability is a security vulnerability. Traditional proxy patterns centralize control, creating a single point of failure for governance attacks and admin key compromises.
Immutable logic is the security baseline. A contract's core logic must be finalized, forcing protocol designers to architect for long-term resilience from day one.
Permissionless upgrade paths are the solution. New logic competes for adoption via on-chain registries like the EIP-2535 Diamond Standard, where users opt-in via frontends or asset wrappers.
This mirrors DeFi's composability evolution. Just as Uniswap v3 and Curve pools exist simultaneously, future upgrades will be parallel deployments, with liquidity and usage determining the canonical version.
Evidence: The Cosmos SDK's chain upgrade module demonstrates a working model where validators coordinate to switch to a new, community-verified code hash without a centralized admin.
protocol-spotlight
BEYOND MULTISIGS
Protocol Spotlight: Early Experiments in Trust-Minimized Upgrades
Protocols are moving from centralized admin keys to on-chain governance and immutable logic, but the path to upgradeability without trust is still being paved.
01
The Problem: The Admin Key is a Single Point of Failure
A multisig-controlled proxy is the industry standard, but it's just a softer form of centralization. The upgrade process remains opaque, time-locked upgrades are often bypassed, and ~$2B+ in exploits have originated from compromised admin keys.
- Governance Capture Risk: A malicious proposal can be pushed through.
- Opaque Process: Users cannot verify the diff before execution.
- Technical Debt: Teams become permanent system administrators.
~$2B+
Key-Related Exploits
7/30
Avg. Days Delay
02
The Solution: Immutable Contracts with Modular Hooks
Instead of upgrading a monolith, design immutable core logic with plug-in architectures like Diamond Proxies (EIP-2535) or Hook-based systems. Upgrades become permissionless additions of new modules, not replacements of old code.
- Verifiable Logic: Users can audit a specific hook, not the entire system.
- Risk Containment: A buggy module can be deprecated without a catastrophic failure.
- Composability Boost: Enables Uniswap V4-style hooks for customized pool logic.
EIP-2535
Standard
100+
Live Diamonds
03
The Arbiter: On-Chain Proof Verification for Upgrades
Projects like Arbitrum's OneShot and Optimism's Security Council introduce a cryptoeconomic security layer. Upgrades must satisfy verifiable on-chain proofs (e.g., fraud proofs, formal verification checks) before execution, moving beyond social consensus.
- Trust-Minimized: Relies on code, not committee reputations.
- Transparent Rules: Upgrade conditions are programmatic and public.
- Precedent: Sets the stage for fully decentralized L2 sequencer upgrades.
6/8
Council Threshold
7 Days
Challenge Window
04
The Endgame: Immutable DAOs with Fork-Based Governance
The most radical approach: make the core protocol truly immutable. All changes happen via hard forks and token-voted social consensus, as pioneered by MakerDAO's Endgame Plan. This forces maximal transparency and aligns protocol evolution directly with stakeholder incentives.
- Eliminates Admin Risk: There is no upgrade key to compromise.
- Market-Driven: Users 'vote with their wallets' by choosing which fork to follow.
- High Coordination Cost: Requires robust off-chain governance like Governor Bravo.
0
Admin Keys
MKR
Pioneer
counter-argument
THE REALITY CHECK
Counter-Argument: The Inevitable Complexity Trade-Off
Permissionless upgrades introduce systemic complexity that challenges developer ergonomics and security guarantees.
Permissionless upgrades are not free. They shift complexity from governance to runtime, requiring developers to manage dependency graphs and version pinning for every integrated contract. This creates a combinatorial explosion of potential states.
The security model inverts. Instead of trusting a known DAO, users must trust the upgrade logic's immutability and the economic security of every permissionless actor. A bug in EIP-2535 Diamonds or a malicious module in a UUPS proxy becomes a systemic risk.
Evidence: The Ethereum Name Service (ENS) migration required a hard social consensus, not a code path, demonstrating that critical infrastructure resists purely technical upgradeability. Similarly, Compound's Governor Bravo upgrade required explicit DAO approval, not an automated trigger.
risk-analysis
PERMISSIONLESS UPGRADE PITFALLS
Risk Analysis: What Could Go Wrong?
Removing governance from contract upgrades introduces new, systemic risks that must be quantified.
01
The Governance Vacuum: Who Pulls The Emergency Brake?
Permissionless upgrades eliminate the centralized kill switch, creating a coordination nightmare during exploits. The time-to-response becomes the new critical metric, shifting risk to users and integrators.
- No Forced Pause: Malicious or buggy upgrades cannot be unilaterally halted.
- Race Conditions: Users must monitor and exit positions before others, creating panic-driven MEV.
- Liability Shift: Blame moves from a DAO treasury to individual users who 'chose' the faulty module.
0
Admin Keys
Minutes
Critical Response Window
02
Module Proliferation & Fragmentation
Without curation, the module registry becomes a swamp of unaudited, abandoned, or malicious code. Users face choice paralysis and integrators face combinatorial explosion in support requirements.
- Security Dilution: Auditing focus fragments across dozens of competing implementations.
- Front-end Complexity: Wallets and dashboards must display and explain dozens of upgrade options.
- Liquidity Fragmentation: Different user cohorts on different module versions can break protocol composability.
100+
Potential Modules
~5%
Audit Coverage
03
The Oracle Problem for Module Reputation
User safety depends on a reliable reputation system for modules—a decentralized Stargate or LayerZero for code quality. This creates a meta-game vulnerable to sybil attacks, bribery, and market manipulation.
- Reputation Capture: Well-funded teams can buy positive ratings to bootstrap adoption.
- Slow Consensus: A critical bug may only be flagged after significant TVL is lost.
- Centralization Pressure: The market will coalesce around 1-2 'trusted' reputation oracles, recreating central points of failure.
$1B+
TVL at Risk per Oracle
Sybil
Primary Attack Vector
04
Economic Abstraction Breaks Incentive Alignment
When users pay upgrade fees directly to module developers, core protocol tokenholders lose their revenue stream. This disintermediates the DAO, potentially starving it of funds for security audits, bug bounties, and long-term development.
- Tragedy of the Commons: No one funds the protocol's shared security layer.
- Race to the Bottom: Module developers compete on fee price, not security, squeezing audit budgets.
- Protocol Stagnation: Core innovation halts as talent and capital flock to module development.
-90%
DAO Fee Revenue
Short-term
Developer Incentive Horizon
future-outlook
THE PERMISSIONLESS STANDARD
Future Outlook: The 24-Month Migration
Smart contract upgrades will shift from centralized multisigs to permissionless, on-chain governance frameworks within two years.
Permissionless upgrades win. The current model of centralized multisig control creates a single point of failure and regulatory risk, as seen with Tornado Cash. Protocols like Optimism's Security Council and Arbitrum DAO are proving that on-chain governance for upgrades is viable and more secure.
The standard becomes EIP-2535. The technical foundation for this shift is the Diamond Standard (EIP-2535), which enables modular, upgradeable contracts without storage collisions. This allows for granular, permissionless updates to specific facets of a protocol, moving beyond monolithic proxy patterns.
Evidence: The migration is already underway. Aave's GHO stablecoin launched with a native, on-chain upgrade mechanism. Compound's Governor Bravo has executed numerous protocol upgrades via tokenholder vote, setting a precedent for major DeFi primitives.
takeaways
THE PERMISSIONLESS UPGRADE STACK
TL;DR: Key Takeaways for Builders
The era of admin keys and hard forks is over. The new stack is immutable, composable, and user-empowered.
01
The Problem: Admin Keys Are a $100B+ Single Point of Failure
Centralized upgradeability has led to catastrophic hacks and governance paralysis. Every protocol is one key compromise away from collapse.
- Key Risk: Admin keys control $10B+ TVL in major DeFi protocols.
- Key Benefit: Eliminates the single biggest attack vector in smart contract security.
$100B+
TVL at Risk
0
Admin Keys
02
The Solution: Immutable Proxies & Diamond Pattern
Decouple logic from storage. Use immutable proxy contracts (EIP-1967) or the Diamond Standard (EIP-2535) to enable modular, permissionless upgrades.
- Key Benefit: Users can trustlessly verify new logic before opting in.
- Key Benefit: Enables hot-swappable modules for features like new AMM curves or oracle adapters.
EIP-2535
Standard
100%
Uptime
03
The Mechanism: Fork & Migrate, Don't Upgrade
Let the market decide. Deploy new logic as a separate, immutable contract. Let users and liquidity migrate via incentives, not coercion. This is the Uniswap V2 to V3 model.
- Key Benefit: Creates a competitive landscape for implementations.
- Key Benefit: Provides a clear exit option for skeptical users, increasing base-layer trust.
Uniswap V3
Case Study
Market-Led
Adoption
04
The Enabler: On-Chain Attestation & Reputation Systems
Systems like Ethereum Attestation Service (EAS) and Karma3 Labs allow for trust-minimized signaling. New contract logic can be attested to by reputable entities before users opt-in.
- Key Benefit: Shifts security from blind trust to verifiable reputation.
- Key Benefit: Creates a permissionless audit marketplace for upgrade logic.
EAS
Primitive
Verifiable
Reputation
05
The User Experience: Intent-Based Upgrades & Safe{Wallet}
Users express intent (e.g., "use the safest version") and sign a message. Smart accounts like Safe{Wallet} execute the upgrade based on aggregated attestations, not a single admin key.
- Key Benefit: User sovereignty – no upgrade happens without consent.
- Key Benefit: Enables gasless, batched migrations for entire communities.
Safe{Wallet}
Smart Account
Intent-Based
Model
06
The Endgame: Autonomous Protocols & Code is Law
The final stage: protocols that cannot be changed, only improved upon via forking. This forces maximal rigor in initial design and creates credible neutrality. Think Bitcoin or MakerDAO's Endgame Plan.
- Key Benefit: Achieves ultimate credible neutrality and censorship resistance.
- Key Benefit: Aligns long-term incentives; value accrues to the immutable core.
Bitcoin
Blueprint
Credible
Neutrality
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall