Account Abstraction's Trojan Horse: When Your 'Self-Custodied' Wallet Has an Upgrade Key—And You're Not Holding It

General
1

The promise of Account Abstraction sounded revolutionary: crypto wallets with the UX of Venmo, no more seed phrase anxiety, gasless transactions that “just work.” Since ERC-4337 launched in March 2023, over 40 million smart contract wallets have been deployed across Ethereum and L2 networks—nearly 20 million in 2024 alone. The ecosystem celebrated this as the breakthrough that would finally bring crypto to the masses.

But there’s a critical detail buried in the technical specifications that most users never see: most AA wallets are upgradeable via proxy patterns. This means the wallet’s logic can be changed post-deployment—usually by a multisig or DAO that controls the upgrade mechanism.

The OWASP 2026 Warning Signal

OWASP’s Smart Contract Top 10: 2026 just added “Proxy & Upgradeability” as the #10 vulnerability category, documenting $905 million lost across 122 incidents in 2025. The report explicitly calls out re-initialization attacks and storage slot collisions in upgradeable contracts.

When I audit AA wallet implementations, I now ask three questions that most users never consider:

  1. Who controls the upgrade keys? Is it a 3-of-5 multisig? A DAO with unknown token distribution? The wallet provider’s internal team?

  2. What’s the upgrade timelock? Can changes be pushed instantly, or is there a 48-hour window where users could withdraw funds if they detect a malicious upgrade?

  3. Is there an immutable option? Can users opt for a non-upgradeable wallet deployment if they’re willing to trade convenience for true self-custody?

The Uncomfortable Question

Here’s the philosophical paradox: If a group of strangers (even well-intentioned ones) can modify your wallet’s code via an upgrade transaction, are you really holding your own keys? Or have we just recreated traditional banking’s trust model with extra steps and higher gas fees?

I’m not saying upgradeability is inherently malicious. Bug fixes and security patches are legitimate use cases—we’ve seen critical vulnerabilities discovered post-deployment that required emergency upgrades. But the smart contract security community has learned (the hard way, to the tune of billions in exploits) that every privilege is a potential attack vector.

Real Attack Scenarios

Let me walk through three realistic scenarios that keep me up at night:

Scenario 1: Governance Capture
A DAO controls the upgrade multisig. An attacker accumulates governance tokens, proposes an “optimization” upgrade, and gets it passed during a holiday weekend when participation is low. The upgrade contains a hidden function that drains all wallets to the attacker’s address. By the time anyone notices, it’s too late.

Scenario 2: Insider Threat
The wallet provider’s upgrade multisig is compromised—either through social engineering, a disgruntled employee, or a supply chain attack on the hardware wallets holding the keys. The attackers push a malicious upgrade disguised as a “gas optimization patch.”

Scenario 3: Accidental Bricking
The development team discovers a critical security vulnerability and rushes to deploy a fix. Due to a storage layout error (remember those storage slot collisions?), the upgrade inadvertently corrupts wallet state for 30% of users, making their funds permanently inaccessible.

What We Should Demand

The AA ecosystem needs to mature beyond “trust us, we’re the good guys”:

  • Mandatory transparency: Every AA wallet should clearly disclose its upgrade mechanism in the UI, not buried in documentation
  • Immutable options: Providers should offer immutable wallet deployments for users who prioritize security over convenience
  • Upgrade notifications: Users must be notified before upgrades execute, with clear explanations of changes
  • Time-locked upgrades: Minimum 48-72 hour timelocks should be standard, giving users time to exit if they disagree with changes
  • Formal verification: Upgrade logic should undergo formal verification to prevent storage corruption and privilege escalation

The Bigger Picture

I’m a huge proponent of improving crypto UX. Seed phrases are genuinely terrible for mass adoption. But we can’t solve UX problems by recreating the trust assumptions we’re trying to escape.

ERC-4337 and Account Abstraction represent genuine innovation. But the current implementation path—defaulting to upgradeable proxies with opaque governance—feels like we’re trading “not your keys, not your coins” for “not your upgrade keys, not really your wallet.”

Security is not a feature we can patch in later. It’s an architectural decision we make at the foundation. And right now, the foundation of most AA wallets includes a trapdoor with a key held by others.

Trust but verify, then verify again.

What are your thoughts? Am I being overly paranoid, or is the upgradeable wallet model a fundamental compromise of self-custody principles?

2

Sophia raises critical security concerns that every AA wallet developer needs to take seriously. But I want to add some nuance to the upgradeability discussion, because I think the answer isn’t “never upgrade” but rather “upgrade responsibly with user consent.”

Upgradeability Isn’t Inherently Evil

Let me share a real scenario from my auditing work: Last year, I discovered a critical reentrancy vulnerability in a popular DeFi protocol’s smart account implementation. The bug would have allowed attackers to drain user funds through a callback exploit. Because the wallet was upgradeable with a 48-hour timelock, the team patched it before any funds were lost.

If those wallets had been immutable, users would have faced two terrible choices:

  1. Keep using vulnerable wallets and hope nobody finds the exploit
  2. Migrate to new wallet addresses, losing social recovery guardians, session keys, and on-chain reputation

This isn’t hypothetical—we’ve seen immutable DeFi protocols get exploited because critical bugs couldn’t be patched.

The Hardware Wallet Comparison

Think about hardware wallets. Your Ledger or Trezor has upgradeable firmware. You trust the manufacturer to push security updates. The difference is transparency: you can choose not to update, review firmware changes on GitHub, and the update requires physical confirmation on your device.

AA wallets should adopt similar patterns:

  • Transparent upgrade mechanisms: GitHub diffs of implementation changes
  • User confirmation required: Upgrades don’t execute unless you explicitly approve for your specific wallet instance
  • Opt-out capability: Users can “freeze” their wallet implementation if they want immutability

Time-Locked Upgrades Are Critical

I completely agree with Sophia on timelocks. Every production AA wallet should have minimum 48-72 hour delays between upgrade proposal and execution. This gives users time to:

  • Review proposed changes
  • Ask security researchers to analyze the new implementation
  • Exit to a different wallet if they don’t trust the upgrade

The “emergency upgrade” pattern—where multisigs can bypass timelocks—should only exist for proven critical vulnerabilities, with public incident reports explaining why.

What Users Need to Understand

Here’s what I tell non-technical friends when they ask about smart wallets:

Upgradeable wallets are like renting an apartment: The landlord (wallet provider) can make changes to the building, but good landlords give you notice and transparency. You can move out if you don’t like the changes.

Immutable wallets are like owning a house: Nobody can change it but you, but if the foundation has cracks, you’re stuck fixing it yourself or moving.

Different users have different risk profiles. Power users who understand smart contracts might prefer immutable deployments. New users who need social recovery and gasless transactions might accept upgradeable implementations from trusted providers.

The Real Problem: Opaque Governance

The issue isn’t upgradeability itself—it’s opaque, unaccountable upgradeability. When I audit AA wallets, these are red flags:

:cross_mark: Upgrade multisig signers are anonymous
:cross_mark: No public documentation of upgrade process
:cross_mark: Zero timelock (instant upgrades)
:cross_mark: No way for users to opt out of upgrades
:cross_mark: Upgrade permissions aren’t clearly disclosed in the UI

Green flags look like:

:white_check_mark: Named, doxxed multisig signers with reputation at stake
:white_check_mark: Public GitHub repos with upgrade proposals and diffs
:white_check_mark: 72+ hour timelocks with emergency override procedures documented
:white_check_mark: Per-user upgrade opt-in (not automatic)
:white_check_mark: Wallet UI clearly states: “This wallet is upgradeable by [governance mechanism]”

A Proposal: Upgrade Transparency Standard

I’d love to see the AA ecosystem adopt something like an “Upgrade Transparency Standard” similar to the CER (Contract Event Registry) or security disclosure best practices:

Level 1 (Basic): Upgrade mechanism documented, timelock > 48 hours
Level 2 (Standard): Public GitHub repo, named signers, user notifications
Level 3 (Advanced): Per-user opt-in, formal verification of upgrades, third-party security reviews required

Wallets could display badges: “:green_circle: Level 3 Upgrade Transparency” to help users make informed decisions.

Final Thought

Sophia asked if she’s being overly paranoid. In smart contract security, paranoia is a feature, not a bug. But I think the solution isn’t to eliminate upgradeability—it’s to make it transparent, accountable, and user-controlled.

The AA wallet that figures out how to offer both upgrade flexibility AND user sovereignty will win the market. Because right now, we’re forcing users to choose between convenience and control. Good design should never require that tradeoff.