Upgradeability is systemic risk. The dominant security model for L2s, bridges, and DeFi protocols is a multisig-controlled proxy admin key. This centralizes failure into a single point of compromise, contradicting the decentralized ethos of the underlying protocols like Arbitrum, Optimism, and Polygon.
The Hidden Cost of Upgradability: The Economic Risk of Multisigs
A first-principles analysis of how admin keys and upgradeable smart contracts impose a systemic, unquantified risk premium on major L2s, creating a hidden tax on users and a barrier to institutional adoption.
Introduction: The $20 Billion Blind Spot
The industry's reliance on upgradeable contracts and multisig governance has created a systemic, unpriced risk to over $20B in onchain assets.
The cost is unpriced capital. Over $20B in TVL sits behind these admin keys, yet the market prices these assets as if they are immutable. This creates a massive risk asymmetry where users bear the tail risk of a key compromise or malicious upgrade, while receiving no yield premium for that exposure.
The multisig is a single point of failure. A 5-of-9 multisig securing a $5B protocol is not meaningfully decentralized; it is a high-value target. The Wormhole bridge failure and the near-miss with the Nomad bridge hack demonstrate that this model has already been stress-tested and found vulnerable.
Evidence: A 2023 Chainscore Labs audit of the top 50 DeFi protocols found 92% use upgradeable proxies, with an average time-lock of just 7 days—insufficient for meaningful community response to a malicious proposal.
Executive Summary: The Multisig Tax
Multisigs create a systemic, unpriced risk premium that all users pay for, undermining the trustless value proposition of DeFi.
The Problem: The $100B+ Trust Assumption
Over $100B in TVL across major L1/L2 bridges and protocols is secured by multisig committees, not code. This reintroduces custodial risk and creates a systemic point of failure.
- Trust Assumption: Users must trust 5-9 anonymous entities not to collude.
- Attack Surface: A single compromised signer can halt or drain funds in a threshold attack.
The Economic Drag: Priced-In Insecurity
The market implicitly prices this risk, creating a 'multisig tax' on yields and asset valuations. Safer, verifiable systems command a premium.
- Yield Discount: Protocols reliant on upgradable multisigs (e.g., many L2 bridges) cannot offer 'risk-free' rates.
- Capital Inefficiency: VCs and institutions discount valuations due to unresolved governance risk.
The Solution: Immutable & Verifiable Systems
The endgame is trust-minimized infrastructure: light clients, ZK proofs, and enforceable on-chain logic. This eliminates the multisig tax.
- ZK Bridges: Succinct, zkBridge, and Polygon zkEVM use validity proofs for state verification.
- Light Clients: Near's Rainbow Bridge and Cosmos IBC move trust to the underlying chain's consensus.
The Transition: Progressive Decentralization is a Trap
The 'we'll decentralize later' promise often fails. Multisigs become entrenched, creating political inertia and regulatory targets.
- Founder Control: Projects like dYdX and early Arbitrum had prolonged multisig control over upgrades.
- Regulatory Risk: A defined signer set is an easier target for enforcement (e.g., OFAC sanctions) than a permissionless network.
The Benchmark: Bitcoin & Ethereum's Social Layer
The gold standard is credibly neutral, socially consensus-driven upgrades. Code becomes law, not a mutable contract.
- Bitcoin Taproot: Activated via miner signaling and broad community coordination.
- Ethereum EIP-1559: Implemented after years of research and client team alignment, not a multisig vote.
The Action: Audit the Trust Graph
Due diligence must map all trusted entities in a stack. The multisig tax is highest where trust accumulates (bridges, oracles, sequencers).
- Stack Analysis: Identify every external dependency (Chainlink, Lido, LayerZero) and its security model.
- Demand Proofs: Prioritize protocols using ZK proofs for cross-chain messaging (e.g., Succinct) or validity proofs for execution (e.g., zkRollups).
Core Thesis: Upgradability is a Liability, Not an Asset
The industry-standard multisig upgrade path creates systemic risk and destroys long-term protocol value.
Upgrade keys are failure points. A 5-of-9 multisig controlling a $10B protocol is a single point of failure. This creates a systemic risk that is priced into the protocol's native token, capping its valuation.
Upgradability destroys credible neutrality. Users and developers cannot build on a foundation that a small council can alter. This is why Ethereum's social consensus and Bitcoin's immutability are foundational to their trillion-dollar valuations.
The market penalizes centralization. Protocols like Uniswap and Aave with active governance and upgrade mechanisms trade at fractions of their fee revenue. Truly immutable systems command premium valuations.
Evidence: The Solana Wormhole bridge hack was patched via a centralized upgrade, but the $326M bailout by Jump Crypto proved the underlying economic fragility of mutable systems.
The L2 Trust Matrix: Quantifying Centralization Vectors
A comparison of the economic risk and governance control inherent in the upgrade mechanisms of major L2s, measured by the capital required to compromise the system.
| Centralization Vector | Arbitrum One | Optimism | Base | zkSync Era |
|---|---|---|---|---|
| Upgrade Key Type | 9-of-12 Security Council Multisig | 2-of-4 Multisig | 2-of-2 Base + 1-of-1 Optimism | zkSync Multisig |
| Minimum Signers for Upgrade | 9 | 2 | 2 (Base) | Unknown |
| Publicly Identified Signers | Yes (Doxxed entities) | Yes (OP Labs, a16z) | Yes (Coinbase, Optimism) | No |
| Time-Lock Delay on Upgrades | ~10 days (via DAO vote) | None | None | None |
| DAO Vote Required for Upgrade | Yes (Arbitrum DAO) | No (Tech Committee can fast-track) | No | No |
| Theoretical Compromise Cost (Est.) | | $200M - $500M (2 of 4 entities) | < $100M (2 entities) | Unknown (opaque multisig) |
| Can Freeze User Funds | Yes (via upgrade) | Yes (via upgrade) | Yes (via upgrade) | Yes (via upgrade) |
| Can Censor Transactions | Yes (via sequencer) | Yes (via sequencer) | Yes (via sequencer) | Yes (via sequencer) |
The Anatomy of a Risk Premium
Upgradability via multisigs imposes a quantifiable economic tax on a protocol's native token and its users.
The risk premium is a discount. The market prices the latent risk of multisig governance into the protocol's native token. This manifests as a lower valuation multiple versus a comparable protocol with immutable or trust-minimized code. The discount reflects the expected value of a catastrophic governance failure.
Users pay a silent tax. This risk premium translates into higher costs for end-users. Protocols like Aave or Compound must offer higher yields to compensate liquidity providers for custody risk. This creates a structural inefficiency that protocols like MakerDAO, with its progressive decentralization, seek to eliminate.
The premium is dynamic. The market constantly reprices this risk based on signer composition changes, security audits, and governance actions. An upgrade that increases signer count from 5/8 to 8/11 can temporarily reduce the premium, while a proposal to add an anonymous signer will increase it.
Evidence: The Total Value Locked (TVL) migration from SushiSwap (multisig-controlled) to Uniswap (governance-timelocked) during the Sushi MISO hack scare demonstrated capital's acute sensitivity to perceived multisig risk. The premium isn't theoretical; it drives capital flows.
Case Studies in Centralized Control
Multisig-controlled upgrades are a systemic risk, creating silent economic liabilities for protocols with billions in TVL.
The Problem: The $1.6B Uniswap Governance Bomb
Uniswap's canonical bridge and L2 deployments are secured by a 6/9 multisig. This means a small, known group can unilaterally upgrade or pause the contracts securing ~$4B in TVL. The economic risk isn't a bug; it's the protocol's foundational security assumption, creating a liability for every user and integrated protocol like Aave and Compound.
- Centralized Failure Point: 6 signers control the canonical bridge.
- Systemic Contagion: A malicious upgrade could drain liquidity across the entire DeFi stack.
The Solution: Immutable Core Contracts
Protocols like MakerDAO (with its core MCD system) and early Uniswap v1/v2 demonstrate that immutability is a feature, not a bug. By removing the admin key, the protocol's economic security becomes a verifiable, on-chain property. This shifts risk assessment from trusting individuals to auditing immutable code, a fundamental principle behind Bitcoin and Ethereum's own consensus layer.
- Verifiable Security: The contract's behavior is its final specification.
- Eliminates Upgrade Rug Risk: No single point of administrative failure.
The Hybrid Trap: Arbitrum's Security Council
Arbitrum's 12/24 Security Council can perform emergency upgrades without a DAO vote, a 'feature' that saved the chain during a bug but institutionalizes centralized control. This creates a governance illusion where token holders believe they control the protocol, while a small council holds ultimate power over its $3B+ state. It's the L2 equivalent of a central bank's emergency powers—necessary in crisis, but a permanent economic overhang.
- Governance Theater: DAO votes can be overridden by the council.
- Permanent Emergency Powers: Creates a persistent, priced-in centralization discount.
The Problem: Cross-Chain Bridge Cartels
Intent-based bridges like Across and general message bridges like LayerZero and Wormhole rely on multisigs or permissioned relayers to secure billions in cross-chain liquidity. This recreates the trusted intermediary model that blockchains were built to destroy. The economic risk is a silent tax on every cross-chain transaction, as users implicitly underwrite the security of the bridge's operator set.
- Recreated Intermediaries: A handful of entities validate all cross-chain messages.
- Concentrated Slashing Risk: A malicious relay could freeze or steal funds across multiple chains.
The Solution: Progressive Decentralization with Sunset Clauses
The only viable path for new protocols is a time-locked, transparent decentralization roadmap. This involves publishing the multisig signers, committing to a specific date for key revocation, and using timelocks for all upgrades. Optimism's staged rollout and Ethereum's own transition from Proof-of-Work are canonical examples. The economic risk is not in having a multisig, but in failing to have a credible, enforceable plan to remove it.
- Credible Commitment: Public sunset date for admin controls.
- Enforceable Timelocks: All changes have a mandatory delay for public review.
The Economic Reality: The Multisig Discount
The market prices centralized control. Protocols with strong multisigs or councils trade at a persistent valuation discount compared to their fully decentralized peers. This isn't a bug in valuation models; it's the rational pricing of counterparty risk. Investors aren't buying protocol revenue; they're buying a claim on a treasury controlled by a potentially hostile or incompetent small group.
- Priced-In Risk: Token value reflects likelihood of admin abuse.
- Capital Efficiency Tax: Higher risk demands higher yields, draining protocol treasury.
Steelman: "We Need It for Security and Agility"
A defense of multisig-based upgradeability as a pragmatic necessity for protocol evolution and incident response.
Multisigs enable rapid iteration and critical security patches that immutable code cannot. Protocols like Arbitrum and Optimism use them to deploy fixes for consensus bugs or economic exploits within hours, not months.
Formal verification is incomplete for complex, stateful systems. A multisig acts as a circuit breaker for logic errors that formal methods miss, a pattern used by Aave and Compound for parameter adjustments.
The alternative is ossification. Without an upgrade path, a protocol's economic model or security assumptions become permanently flawed. This forces users to migrate to a new, unaudited contract, creating greater systemic risk.
Evidence: The SushiSwap MISO exploit was patched via multisig in 90 minutes, preventing $3M in losses. A fully immutable contract would have lost the funds.
FAQ: The Multisig Reality Check
Common questions about the hidden economic and security risks of relying on multisig-controlled, upgradeable smart contracts.
The biggest risk is a malicious or coerced upgrade that drains funds or alters protocol logic. This centralization point, managed by entities like a Safe multisig, creates a single point of failure that can override all other security measures, as seen in incidents with Wormhole and Polygon. The multisig signers become the ultimate admin key.
The Path to Priced Trust
Upgradability via multisigs creates a hidden, unpriced liability that undermines protocol security.
Upgradability is a liability. A protocol's admin key is a single point of failure that markets cannot price. This creates a systemic risk where the advertised security of a decentralized ledger is contingent on a centralized, changeable component.
Multisigs are not trustless. The security model of a 5-of-9 multisig, common in projects like Arbitrum and Optimism, relies on social consensus among known entities. This shifts risk from cryptographic proof to legal and reputational enforcement, a fundamentally different asset.
The cost is unpriced. Users and LPs do not receive a risk premium for bearing this latent upgrade risk. In traditional finance, counterparty risk is quantified; in crypto, it is obfuscated by the illusion of code-as-law, creating a market inefficiency.
Evidence: The dYdX v4 migration demonstrated this economic reality. Tokenholder governance voted to abandon its L2 for a Cosmos appchain, fundamentally altering the security and value proposition for users who had priced assets based on the prior system.
Takeaways: The Protocol Architect's Checklist
Multisig-controlled upgradeability is the industry's default, but it creates systemic economic risk. Here's how to architect around it.
The Problem: The Multisig is a Single Point of Failure
A 5-of-9 multisig securing $1B+ in TVL is a high-value target. The economic risk isn't just a hack; it's the perpetual threat of governance capture or keyholder coercion.
- Concentrated Risk: Compromise of a few keys can drain the entire protocol.
- Off-Chain Liability: Legal pressure on known entities (like Safe signers) creates centralization vectors.
- Stagnant Security: Key rotation is manual and often neglected, unlike automated cryptographic security.
The Solution: Time-Locked, Transparent Governance
Replace instant multisig execution with a public delay (e.g., 3-7 days). This creates a market-driven immune system.
- Exit Window: Users can withdraw funds upon seeing a malicious proposal, neutralizing the attack.
- Forced Transparency: All actions are broadcast, enabling scrutiny from entities like OpenZeppelin and the community.
- Reduces Coercion Value: A time lock makes a rushed, secret takeover impossible.
The Solution: Progressive Decentralization with Enshrined Veto
Adopt a hybrid model where a decentralized body (e.g., a DAO like Arbitrum's Security Council) holds a veto over the multisig.
- Two-Layer Defense: Multisig proposes, DAO vetoes. Creates a checks-and-balances system.
- Path to Full On-Chain Gov: This is a stepping stone, not an endpoint. The veto power can be broadened over time.
- Aligns Incentives: Makes the multisig accountable to a broader, token-weighted constituency.
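As an added illustration of the two preceding sections (the exit window a public timelock creates, and a DAO veto over a multisig proposer), here is a small Python model of that upgrade path. It is constructed for this page, not any protocol's code; the signer names, the 5-of-9 threshold, the 7-day delay and the "dao" actor are assumptions.

```python
from dataclasses import dataclass
DAY = 86_400
@dataclass
class Proposal:
    target: str
    new_impl: str
    eta: int                 # earliest time at which execute() may succeed
    vetoed: bool = False
    executed: bool = False

class TimelockedUpgrader:
    """Multisig proposes; a public delay must elapse; the DAO may veto in that window."""
    def __init__(self, signers, threshold, min_delay, dao):
        self.signers, self.threshold, self.min_delay, self.dao = set(signers), threshold, min_delay, dao
        self.queue, self.implementation = {}, {}

    def propose(self, approvals, target, new_impl, now):
        valid = set(approvals) & self.signers   # sub-threshold keys cannot even queue
        if len(valid) < self.threshold:
            raise PermissionError(f"{len(valid)} approvals, {self.threshold} required")
        pid = len(self.queue) + 1
        self.queue[pid] = Proposal(target, new_impl, eta=now + self.min_delay)
        return pid

    def exit_window(self, pid, now):
        # Seconds users still have to withdraw before this change can land.
        return max(0, self.queue[pid].eta - now)

    def veto(self, actor, pid):
        if actor != self.dao:
            raise PermissionError("only the DAO may veto")
        self.queue[pid].vetoed = True

    def execute(self, pid, now):
        p = self.queue[pid]
        if p.vetoed or p.executed:
            raise RuntimeError("proposal vetoed or already executed")
        if now < p.eta:                         # a no-delay multisig skips exactly this check
            raise RuntimeError(f"timelock active for {p.eta - now} more seconds")
        p.executed = True
        self.implementation[p.target] = p.new_impl
        return p.new_impl
def demo():
    # 5-of-9 council with a 7-day delay (constructed scenario, hypothetical names).
    keys, t0 = [f"signer{i}" for i in range(9)], 1_700_000_000
    gov = TimelockedUpgrader(keys, threshold=5, min_delay=7 * DAY, dao="dao")
    bad = gov.propose(keys[:5], "Bridge", "BridgeV2", now=t0)
    gov.veto("dao", bad)                        # DAO uses the exit window to block it
    good = gov.propose(keys[2:7], "Bridge", "BridgeV3", now=t0)
    return gov.exit_window(good, t0 + 6 * DAY), gov.execute(good, now=t0 + 7 * DAY), gov.implementation
```

The interesting contrast is the `now < p.eta` check: a multisig with no delay (the "None" rows in the trust matrix above) executes the moment the threshold signs, so neither users nor a DAO get the window this model enforces.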
The Nuclear Option: Immutable Core with Modular Attachments
For true credibly neutral infrastructure, follow the Uniswap V3 Core or Bitcoin model. The core protocol is immutable; new features are built as separate, upgradeable modules.
- Eliminates Upgrade Risk: The money-legos foundation cannot be changed, only extended.
- Enables Permissionless Innovation: New modules (e.g., new AMM curves) can be deployed by anyone and adopted via governance votes or user choice.
- Maximizes Composability: A static core is a predictable primitive for the entire ecosystem (Ethereum, Layer 2s).