The Security Cost of Upgradable Rollups

The dominant model where a 5/9 multisig controls upgrade keys. This is security theater, concentrating risk and creating systemic fragility.

• Vulnerability Window: A single exploit or social attack can compromise the entire chain.
• User Sovereignty: Zero. Users must trust the signers' integrity and operational security.
• Prevalence: Powers >80% of major L2s including early versions of Arbitrum and Optimism.

A delay (e.g., 7-14 days) is added before an upgrade executes. This is a transparency patch, not a security fix.

• The Reality: Users can't feasibly fork or exit in time. It's a theatrical delay that pressures them to accept the new code.
• False Security: Assumes users monitor and understand complex technical changes within the window.
• Adopters: Used by Arbitrum (now with Security Council) and zkSync Era.

Mechanisms like Arbitrum's 7-day challenge period or optimistic-style fraud-proof windows allow users to exit. The cost is immense.

• Capital Inefficiency: Requires weeks of locked capital to guarantee withdrawals, killing composability.
• Coordination Burden: Forces users to actively monitor and act, a burden shifted to them.
• Result: Creates systemic fragility during crises, as mass exits can trigger liquidity death spirals.

Shifts upgrade authority to a broad, token-governed DAO. This exchanges technical centralization for political centralization.

• New Attack Vector: Upgrades become subject to governance attacks (e.g., short-term vote buying).
• Slow Motion: Decision latency increases from minutes to weeks, hampering rapid response.
• Leading Example: Arbitrum Security Council, a hybrid model aiming to balance speed and decentralization.

A truly immutable rollup is the only cryptographically secure model, but it's a business non-starter for early-stage networks.

• Innovation Tax: Fixing bugs or integrating new tech (e.g., a new precompile) requires a full migration.
• Market Reality: No major L2 is immutable. The need for rapid iteration and VC ROI pressure makes it untenable.
• The Benchmark: Ethereum's slow, conservative upgrade process via social consensus is the closest proxy.

Every upgrade mechanism externalizes its security cost. Users pay via trust assumptions, capital lockups, or governance vigilance.

• The Trade-Off Matrix: You can have Speed, Security, or Decentralization—pick two for your upgrade path.
• The Endgame: Hybrid models (DAO + Council + Delay) are converging as the messy, pragmatic standard.
• The Only Fix: Full client diversity and minimal, verifiable diffs can reduce, but never eliminate, the cost.

Most rollups use a centralized multi-sig to control the upgrade contract, creating a catastrophic risk vector. A compromise here can rewrite all logic, drain bridges, or censor transactions.

• Attack Surface: A single governance exploit or key leak can compromise the entire chain.
• Time-Lock Theater: Many projects implement delays, but a malicious actor with the keys can often bypass them.
• Historical Precedent: The Nomad Bridge hack ($190M) was enabled by a flawed, upgradeable contract.

Upgrades can silently change the cryptographic verifier or data availability layer, invalidating all prior security assumptions. Users must perpetually trust the sequencer's honesty.

• Proof System Rot: A malicious upgrade could switch from a zk-SNARK to a broken prover, making fraud proofs useless.
• DA Substitution: Shifting from Ethereum calldata to a less secure data availability layer breaks the liveness guarantee.
• Verifier Exodus: This forces node operators to constantly monitor and potentially fork, fragmenting the network.

Rollup bridges and canonical messaging layers (like LayerZero, Axelar) are dependent on the rollup's state transition logic. A malicious upgrade can forge arbitrary withdrawal proofs.

• Cross-Chain Domino Effect: A compromised rollup can be used to mint infinite assets on connected chains.
• Oracle/AMB Reliance: Most bridges trust the rollup's upgradeable contracts, not its base security.
• Mitigation Gap: Solutions like EigenLayer's restaking or Across's guarded launch attempt to add friction but don't eliminate the root risk.

When a contentious or malicious upgrade occurs, the community must execute a social fork, abandoning the official chain. This is the nuclear option and highlights the failure of automated security.

• Coordination Cost: Requires mass user and validator action, akin to Ethereum's DAO fork but more frequent.
• Liquidity Fragmentation: Splits DeFi pools, oracle feeds, and bridge endpoints, destroying network effects.
• Ultimate Penalty: Proves the rollup was never credibly neutral or decentralized, damaging its core value proposition.

The security gold standard is an immutable or timelock-governed core protocol, as seen with Ethereum and Bitcoin. Upgrades must be opt-in for node operators, not forced.

• User-Enforced Security: Nodes can reject invalid blocks regardless of sequencer claims.
• Eliminates Admin Risk: No single entity can change the rules of the system post-deployment.
• Adoption Hurdle: This model sacrifices agility, creating a tension between security and feature velocity that most teams are unwilling to accept.

The pragmatic path is a clear, verifiable roadmap to remove upgrade keys, enforced by milestones and community tools. Arbitrum's security council election and Optimism's Citizen House are experiments in this direction.

• Transparent Roadmaps: Public timelines and verifiable code deletions for admin functions.
• Multi-Layer Governance: Splitting upgrade control between technical committees, token holders, and security councils.
• Failure State: If the roadmap is abandoned, the project should be reclassified as an L2 Appchain, not a sovereign rollup.