Upgradability creates a centralization vector. The entity controlling the upgrade key becomes a single point of failure and censorship, negating the self-custody promise of wallets like MetaMask or Rainbow.
wallet-wars-smart-accounts-vs-embedded-wallets
Blog
Why Most Smart Account Upgradability Designs Are Inherently Flawed
An analysis of how mutable logic and admin key dependencies in upgradeable smart accounts reintroduce centralization risks, creating a fundamental conflict with the promise of self-custody.
introduction
THE FLAWED FOUNDATION
Introduction
Smart account upgradability is a critical security failure point, not a feature, in most current implementations.
Social recovery is not a solution. Frameworks like ERC-4337 and Safe{Wallet} delegate security to a social graph, which is slow, unreliable, and vulnerable to coercion, unlike cryptographic proofs.
The industry standard is a time-lock. Protocols like Uniswap and Compound use enforced delays for governance upgrades, but this is a governance crutch, not a user-centric security model.
Evidence: Over $1B in assets are secured by Safe{Wallet} modules that a single malicious signer can upgrade, creating systemic risk that defies blockchain's trust-minimization ethos.
key-trends
THE UPGRADABILITY TRAP
Executive Summary
Smart account upgradability is a security-critical feature that most teams get wrong, creating systemic risks for users and protocols.
01
The Centralized Admin Key Problem
Most designs rely on a single admin key or multi-sig, creating a centralized failure point and violating the self-custody promise. This is a regression to web2 infrastructure.
- Single Point of Failure: A compromised admin key can upgrade all user accounts.
- Governance Paralysis: DAO-based upgrades are too slow for critical security patches.
- Vendor Lock-in: Users are trapped by the upgrade authority's policies and availability.
1
Failure Point
>24h
DAO Delay
02
The Immutable Logic Compromise
Fixing flaws in core account logic (like signature validation) requires a full migration, which is a UX nightmare and often results in abandoned, vulnerable wallets.
- Migration Friction: Users must manually move funds, a process with >30% drop-off.
- Fragmented State: Social recovery settings, session keys, and allowances don't transfer.
- Protocol Risk: DApps integrate with specific account addresses; a new address breaks everything.
30%+
User Drop-off
High
Integration Breakage
03
The Diamond Standard Fallacy
Using EIP-2535 (Diamonds) for modular upgrades introduces severe complexity and opaque security audits, making accounts less secure, not more.
- Un-auditable Complexity: A diamond's full logic is a dynamic mapping, not a single contract.
- Storage Collision Risks: Improperly managed facets can corrupt user data.
- Gas Inefficiency: Every external call adds overhead, making simple actions ~40k gas more expensive.
+40k
Gas Overhead
High
Audit Risk
04
Solution: Decentralized & User-Centric Upgrades
The correct model is a decentralized network of upgrade signers where the user is the ultimate authority, not a protocol admin. Think ERC-4337 bundler networks for account management.
- User Consent: Every upgrade requires a signature from the user's current key.
- Fallback Guardians: A decentralized set of entities (like Safe{Wallet}'s ecosystem) can propose critical fixes.
- Graceful Migration: New logic is attached as a module; the old address and state persist.
User
Final Authority
0%
Forced Migrations
05
Solution: Immutable Core, Modular Attachments
The account's core verification logic must be immutable for security. All upgrades happen via EIP-2535 Diamond-like modules that are added, not replaced, with strict, user-controlled permissions.
- Verification Immutability: The
validateUserOpfunction cannot be changed, preventing hijacks. - Module Marketplace: Users opt into new features (e.g., Biconomy's session keys, ZeroDev's passkeys) as attached modules.
- Clear Audit Trails: Each module has a standalone, verifiable security audit.
Immutable
Security Core
Modular
Feature Attachments
06
Solution: Social Recovery as the Upgrade Mechanism
The most secure upgrade path is through the account's own recovery mechanism. Changing logic requires the same consensus as changing ownership.
- Inherits Security: Leverages the battle-tested security of social recovery (e.g., Safe{Wallet}, Argent).
- No New Trust Assumptions: The same guardians that protect your assets approve upgrades.
- Universal Standard: Works for any account type, creating a unified upgrade UX across ERC-4337, Safe, and others.
Same
Trust Model
Universal
Protocol Standard
thesis-statement
THE TRUST TRAP
The Core Contradiction
Smart account upgradability designs create a fundamental conflict between user sovereignty and developer control.
Upgradability requires a trusted party. A smart account's logic must be mutable to fix bugs or add features. This mutability is controlled by an upgrade key, which becomes a centralized point of failure and trust.
The admin key is a honeypot. Whether held by a multi-sig like Safe or a DAO, this key is a perpetual target. Its existence contradicts the self-custody promise of wallets like MetaMask, creating systemic risk.
Time-locks are theater. Projects like Arbitrum use governance delays to simulate safety. This only mitigates blatant theft, not the slow, legal extraction of value or the freezing of assets, which protocols like Tornado Cash highlight as critical threats.
The industry standard is flawed. ERC-4337's Account Abstraction model externalizes this problem. The user's EntryPoint contract is upgradeable, shifting but not eliminating the trust assumption to infrastructure providers like Stackup or Alchemy.
SMART ACCOUNT ARCHITECTURE
Upgrade Mechanism Risk Matrix
Comparing the security and operational trade-offs of different smart account upgradeability designs. Most fail by centralizing trust or creating unacceptable attack surfaces.
| Critical Feature / Risk Vector | Monolithic Singleton (e.g., early Safe) | Modular EntryPoint Proxy (ERC-4337) | Immutable Kernel (Fully Verifiable) |
|---|---|---|---|
Upgrade Authorization | Single admin key | Decentralized governance (time-locked) | Not applicable |
Upgrade Scope | Full logic replacement | EntryPoint & validation logic only | None |
Time-to-Exploit Window | < 1 block | 7+ days (with timelock) | N/A |
User Opt-Out Capability | None (forced upgrade) | Yes (can reject new EntryPoint) | N/A |
Verification Complexity | O(1) - check single signature | O(n) - verify governance vote & timelock | O(1) - verify bytehash |
Historical Invariant Risk | High - past transactions can be invalidated | Medium - only future behavior changes | None |
Typical Gas Overhead per UserOp | < 5k gas | ~21k gas (validation + paymaster) | 0 gas |
Dominant Failure Mode | Admin key compromise | Governance attack or malicious proposal | Logic bug at deployment |
protocol-spotlight
THE UPGRADE TRAP
Case Studies in Compromise
Smart account upgradability is a security paradox: the mechanism that enables progress also creates the single greatest attack vector.
01
The Diamond Proxy Pattern (EIP-2535)
Modular but creates a monolithic, centralized upgrade key. The admin key is a single point of failure that compromises the entire account's security model.
- Facet Logic: Enables hot-swapping of account modules.
- Centralized Risk: Admin key controls all upgrades, creating a $10B+ TVL honeypot for social engineering.
- Audit Nightmare: Every upgrade requires re-auditing the entire diamond, not just the new facet.
1 Key
Single Point of Failure
100%
Total Control
02
The Social Recovery Fallacy
Delegates security to a social graph, trading cryptographic certainty for human reliability. This introduces coordination latency and social attack surfaces.
- Recovery Delay: Guardian consensus can take days, freezing funds during an emergency.
- Sybil Vulnerability: Guardians are often friends or centralized services, not cryptographically secure entities.
- Meta-Dependency: Shifts trust from code to off-chain social processes, the very problem crypto aims to solve.
~3-7 Days
Recovery Latency
High
Social Attack Surface
03
The Timelock Illusion
Adds a delay to malicious upgrades but fails against sophisticated attackers. It's a theatrical security measure that users ignore and attackers bypass.
- False Sense of Security: Users rarely monitor pending upgrades, making the timelock ineffective.
- Bypass via Social Engineering: Attackers combine timelock proposals with phishing to gain legitimacy.
- UX Friction: Legitimate upgrades are slowed, punishing honest developers and users.
48-168 Hrs
Typical Delay
Low
User Vigilance
04
Modular Monoliths (ERC-6900)
Standardizes module interfaces but inherits the proxy's centralization risk. The root validator or default handler becomes the new privileged singleton.
- Standardized Compromise: While interoperable, the architecture still requires a privileged entry point to authorize module execution.
- Complexity Explosion: Each new module expands the audit surface area multiplicatively.
- Bottlenecked Innovation: The root contract becomes a governance bottleneck, slowing protocol evolution.
1 Root
Privileged Validator
N²
Audit Complexity
05
The Multi-Sig Governance Trap
Replaces a single admin key with a committee, trading one central point for N central points. This increases coordination overhead without eliminating trust.
- Collusion Risk: M-of-N signers can still collude, a proven failure mode in DAOs like The DAO hack.
- Governance Paralysis: Legitimate upgrades get stuck in political deadlock.
- Key Management Hell: Now you have N sensitive private keys to manage and secure, not one.
M-of-N
Collusion Threshold
High
Coordination Cost
06
The Immutable Core with Plugins
The only viable path forward. An immutable account core with cryptographically permissioned plugin slots. Upgrades are module installations, not logic replacement.
- No Upgrade Key: The core logic is immutable; security is invariant.
- Plugin Sandboxing: Modules run in isolated environments with strict capability boundaries.
- User-Centric Auth: Users cryptographically sign to install new plugins, making each upgrade a user-initiated transaction, not an admin privilege.
0
Admin Keys
User-Signed
Per-Plugin Auth
deep-dive
THE ARCHITECTURAL FLAW
The Slippery Slope of Mutable Logic
Smart account upgradability, while convenient, reintroduces the centralized trust models that blockchains were built to eliminate.
Upgradability is a backdoor. The core promise of a smart contract wallet is user sovereignty, but a mutable logic contract controlled by a single admin key or multi-sig is functionally identical to a custodial wallet. This creates a single point of failure that defeats the purpose of self-custody.
Time-locks are theater. Projects like Safe{Wallet} implement upgrade delays to signal safety, but this is a social, not cryptographic, guarantee. A determined admin with key control can still force an upgrade, making the security model identical to a centralized exchange's hot wallet.
The industry standard is flawed. The dominant ERC-4337 standard for account abstraction deliberately excludes native upgrade logic, pushing it to the account level. This forces every implementation, from Biconomy to Stackup, to reinvent—and likely compromise—this critical security primitive, leading to fragmented risk.
Evidence: The $200M Parity wallet freeze was caused by a bug in a mutable, library-style contract. Modern proxy patterns used by most upgradeable contracts, including OpenZeppelin's implementations, retain this same architectural vulnerability where the proxy's admin can unilaterally redirect all logic.
counter-argument
THE ARCHITECTURAL FLAW
The Builder's Defense (And Why It's Wrong)
Smart account upgradability models that rely on centralized keys or committees reintroduce the single points of failure they were designed to eliminate.
Upgrade keys are backdoors. The dominant design for smart account upgradability uses a centralized admin key or multi-sig. This creates a centralized failure vector identical to a private key, negating the security premise of account abstraction.
Social recovery is a governance problem. Frameworks like EIP-4337 Bundlers and Safe{Wallet} modules delegate security to social consensus. This shifts risk from cryptographic failure to social engineering and governance attacks, a trade-off most users do not understand.
Time-locked upgrades are theater. A 7-day delay on upgrades, as seen in some ERC-4337 EntryPoint implementations, provides illusory safety. Sophisticated attackers exploit the delay to launch parallel governance attacks or social engineering campaigns to bypass it.
Evidence: The Poly Network hack exploited a centralized upgrade mechanism. In DeFi, MakerDAO's governance attacks demonstrate that social consensus is a brittle security layer for core financial infrastructure.
FREQUENTLY ASKED QUESTIONS
FAQ: Smart Account Security
Common questions about the inherent flaws in smart account upgradability designs.
The biggest flaw is centralized upgrade keys, which create a single point of failure. A compromised admin key for an ERC-4337 entry point or a Safe{Wallet} module can drain all linked accounts. True security requires decentralized governance or immutable timelocks.
takeaways
SMART ACCOUNT UPGRADABILITY
Architectural Imperatives
Most upgrade mechanisms for smart accounts introduce unacceptable security and operational risks. Here are the flawed patterns and the necessary fixes.
01
The Single-Point-of-Failure Proxy
The dominant EIP-1967/Transparent Proxy pattern centralizes control in a single admin key. This creates a catastrophic attack surface and forces a trust assumption on the user.
- Risk: A compromised admin key can upgrade the logic for all user accounts.
- Solution: Decentralize upgrade governance via multi-sigs, DAOs, or immutable timelocks.
1 Key
Failure Point
100%
Accounts at Risk
02
The Fragmented State Dilemma
Upgrading logic contracts can break existing user storage layouts, leading to permanent state corruption or requiring complex, error-prone migration scripts.
- Problem: Incompatible storage variables between logic versions brick accounts.
- Solution: Architect for eternal storage using unstructured patterns (EIP-2535 Diamonds) or immutable, versioned entry points.
~$2B+
TVL at Risk
Irreversible
Data Loss
03
The Gas Overhead Tax
Every proxy call adds ~2,700 gas for delegatecall overhead. For frequent, low-value operations, this tax can double transaction costs and degrade UX.
- Inefficiency: The upgradeability abstraction penalizes all users, even those not using new features.
- Fix: Use minimal proxies (EIP-1167) for factory-deployed accounts or accept immutable core logic with pluggable modules.
+2.7k Gas
Per Call
-50%
Efficiency Loss
04
The Social Consensus Illusion
Projects like Safe{Wallet} rely on off-chain multi-sig governance for upgrades. This shifts risk from code to human coordination, creating upgrade paralysis or rushed decisions.
- Reality: Achieving consensus for critical security patches is slow (>7 days).
- Imperative: Implement on-chain, permissioned timelocks with emergency override functions.
7+ Days
Upgrade Lag
$40B+
TVL Dependent
05
The Immutable Entry Point Mandate
ERC-4337's design fixes the entry point as immutable. This forces account innovation into modular validation logic, not core protocol changes.
- Why it Works: User security is anchored to a battle-tested, static contract.
- Result: Upgradability is pushed to the account level, isolating risk and enabling permissionless innovation.
0
Entry Point Upgrades
Unlimited
Account Innovation
06
The Module Registry Hazard
Pluggable module systems (like Safe Modules) introduce unchecked external dependencies. A malicious or buggy module can compromise the entire account.
- Vulnerability: Module approval is often a one-time, all-or-nothing permission grant.
- Solution: Implement scoped authorities and runtime validation hooks that limit a module's power to specific functions.
1 Approval
Total Access
High
Supply-Chain Risk
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall