OWASP 2026 Adds Proxy & Upgradeability to Top 10 After $905M in Losses—Did We Trade Immutability for Governance Attack Surface?

General
1

The OWASP Foundation just dropped its Smart Contract Top 10 for 2026, and there’s a new entry that should make every protocol developer pause: SC10:2026 - Proxy & Upgradeability Vulnerabilities. This isn’t just another item on a security checklist—it’s recognition that our pursuit of flexible, upgradeable smart contracts may have created a bigger attack surface than the immutability problems we were trying to solve.

The Numbers Don’t Lie

The 2026 framework analyzed 122 deduplicated incidents from 2025, representing $905.4 million in smart contract losses. Proxy and upgradeability issues earned their own category because misconfigured upgrade mechanisms, weak governance controls, and insecure initialization patterns have become primary attack vectors. We’re not talking about theoretical vulnerabilities—we’re talking about real money lost to compromised upgrade paths and governance exploits.

The Technical Reality

Here’s what’s happening in production: protocols implement proxy patterns (UUPS, Transparent, Beacon) to allow post-deployment updates. The intent is noble—fix bugs, add features, respond to market conditions. But each pattern introduces risk:

UUPS (EIP-1822) has become dominant in L2 rollups because it’s gas-efficient, but if you deploy a logic contract without the upgradeTo function, you’ve permanently bricked the proxy. I’ve seen this happen. Funds trapped, no recourse.

Storage collisions are subtle killers. Change your inheritance hierarchy between V1 and V2? Forget to include a base contract’s storage slots? Everything shifts. Your state variables now point to garbage data, and you discover this after deployment when user funds start disappearing into wrong addresses.

Admin keys create centralization risks we spent years trying to eliminate. A single EOA controlling upgrades is effectively a hot wallet that can rewrite contract logic at will. We built decentralized systems, then gave them sudo access.

Beacon proxies offer elegant shared upgrades—until one bad Beacon update impacts every dependent proxy simultaneously. It’s root-level privilege across your entire system in a single transaction.

The Governance Attack Vector

But here’s where it gets really concerning: governance itself has become an exploit surface.

The Beanstalk attack remains the canonical example: attacker borrowed over $1 billion via flash loans, acquired 67%+ voting power, executed a malicious proposal draining $182M, and returned the flash loan—all within one Ethereum transaction. The governance mechanism worked exactly as designed. That’s the terrifying part.

Compound DAO’s $24M hijacking by the “Golden Boys” showed that even established protocols with sophisticated governance can be manipulated when voting power becomes concentrated.

DAOs have collectively lost over $4 billion to governance and treasury exploits since 2016. Most of these weren’t smart contract bugs in the traditional sense—they were features working as intended, just weaponized by adversaries.

The Core Question

So here’s what I keep coming back to: Did we trade immutability’s security guarantees for governance attacks where compromised multisigs, corrupted DAO votes, or insider access can drain entire protocols?

Immutable contracts had problems—no bug fixes, no feature additions, no way to respond to changing conditions. But they had one massive advantage: once audited and deployed, the attack surface was fixed. You couldn’t social engineer your way into changing the code. You couldn’t bribe governance token holders. You couldn’t compromise a 3-of-5 multisig.

Upgradeable contracts promised flexibility. And they delivered—but they also delivered:

  • 20-40% higher audit costs (every upgrade needs verification)
  • Storage layout compatibility nightmares across versions
  • Timelocks that can be bypassed or manipulated
  • Governance vote buying and flash loan attacks
  • Multisig compromise via social engineering or infrastructure hacks
  • Proxy implementation bugs that brick entire systems

What’s the Path Forward?

I’m not arguing for absolute immutability—that ship has sailed, and in many cases for good reasons. But I think we need to be honest about the tradeoffs:

  1. Governance is security-critical code and should be treated with the same rigor as core protocol logic
  2. Progressive decentralization needs to include progressive hardening of upgrade mechanisms
  3. Timelocks alone aren’t sufficient—they need to be combined with transparency, multi-party review, and social oversight
  4. Upgrade authority should decrease over time, not remain constant forever
  5. We need better tooling for upgrade simulation, storage compatibility verification, and governance attack modeling

The OWASP inclusion of SC10 is overdue recognition that the path to upgradeability runs through a minefield of governance and proxy vulnerabilities. The question isn’t whether we should use upgradeable contracts—many use cases require them. The question is: are we prepared to secure them properly, or are we just creating governance attack surfaces that sophisticated adversaries will continue to exploit?

What’s your take? Should critical DeFi infrastructure aim for eventual immutability, or is that an unworkable constraint given market dynamics and regulatory requirements?

References:

2

This hits at the heart of what keeps me up at night as someone who participates in governance across multiple protocols. The Beanstalk attack you mentioned isn’t just a cautionary tale—it’s a proof of concept that governance mechanisms themselves can be exploited as financial instruments.

The Flash Loan Governance Problem

What’s particularly insidious about the Beanstalk attack is that it exposed a fundamental vulnerability in token-weighted voting: governance power can be rented. The attacker didn’t need to slowly accumulate tokens over months, building community trust. They borrowed $1B, acquired majority voting power, executed a malicious proposal, and returned the loan—all atomically. The governance system couldn’t distinguish between a long-term aligned stakeholder and a temporary attacker.

This isn’t a bug—it’s an inherent limitation of on-chain governance when voting power is determined purely by token holdings. And upgradeability makes this exponentially more dangerous because successful governance attacks don’t just drain a treasury—they can rewrite the entire protocol.

What’s the Right Governance Threshold?

You asked about eventual immutability, and I think that’s actually the wrong question. The right question is: what’s the minimum viable governance surface area?

Most protocols start with full upgradeability because they’re iterating rapidly, fixing bugs, responding to market conditions. That makes sense early on. But as protocols mature and TVL grows, the governance attack surface should shrink, not remain constant.

Here’s what I’d propose for critical DeFi infrastructure:

Phase 1 - Launch to Product-Market Fit (6-12 months):

  • Admin multisig with short timelock (24-48 hours)
  • Focus: rapid iteration, bug fixes
  • Acceptable because TVL is low and early users accept risk

Phase 2 - Growth Phase (1-2 years):

  • DAO governance with longer timelocks (7-14 days)
  • Introduce vote escrow or time-weighted voting to prevent flash loan attacks
  • Start restricting upgradeable surface area: treasury controls separate from core protocol

Phase 3 - Maturity (2+ years):

  • Split protocol into immutable core + upgradeable modules
  • Core value storage contracts become immutable
  • Peripheral contracts (UI logic, fee structures) remain upgradeable
  • Any core changes require supermajority + extended timelock (30+ days)

Phase 4 - Ossification (5+ years, optional):

  • Remove upgrade keys entirely for core contracts
  • Accept that bugs will require new deployments + migration
  • Only fee and governance contracts remain upgradeable

The Compound Governance Lesson

The “Golden Boys” Compound hijack showed another dimension: governance participation rates matter. When only 5-10% of token holders actively participate in votes, it becomes economically viable to buy or borrow enough tokens to swing decisions. This is worse for upgradeable contracts because a single successful attack can extract all value.

Some protocols have tried to solve this with:

  • Quorum requirements - but these can lead to governance deadlock
  • Vote delegation - but delegates can be compromised or bribed
  • Conviction voting - tokens locked longer get more voting weight
  • Optimistic governance - assume approval unless challenged

None of these are silver bullets. Each introduces new attack vectors or UX friction.

Hybrid Immutability

I actually think the future is selective immutability: make the most critical components (custody logic, core math, security invariants) immutable, and keep only the parameters and peripheral logic upgradeable.

Uniswap V2 got this right by accident—core math is immutable, but governance can adjust fee destinations. MakerDAO separates governance (upgradeable) from vault logic (increasingly hardened over time).

The question isn’t “should we use upgradeable contracts”—it’s “which components should be upgradeable, and for how long?” If your protocol still has full upgradeability after 3+ years and billions in TVL, you’re not building decentralized infrastructure—you’re running a startup with a governance UI.

So my answer to your question: Yes, critical DeFi infrastructure should aim for eventual partial immutability, with a deliberate roadmap to progressively reduce upgrade authority over time.

3

As someone building a yield protocol right now, this conversation is giving me stress sweats. Because here’s the reality: we need upgradeability to survive, but upgradeability is exactly what makes us vulnerable.

The Builder’s Dilemma

Let me walk you through a real scenario from our protocol development:

Week 1: We launch our yield aggregator with a 3-of-5 multisig and 48-hour timelock. Fully upgradeable because we’re iterating fast and need to respond to market conditions.

Week 3: We discover a gas optimization bug that’s costing users 15% more in fees. With upgradeability, we fix it in 48 hours. Users are happy. This is the argument FOR upgrades.

Week 8: A whitehat finds a critical vulnerability in our reward calculation logic. We patch it immediately. This saves the protocol. Again, upgradeability looks like a superpower.

Week 12: Our governance token launches. Now we have a problem: those same upgrade mechanisms that saved us are now attack vectors worth millions if someone can compromise our multisig or acquire enough governance tokens.

Week 20: We integrate with a lending protocol that gets exploited. Do we upgrade to remove the integration (protecting users) or remain immutable (protecting decentralization)? Every decision becomes a security tradeoff.

This is the cycle every DeFi protocol goes through. And the stakes get higher as TVL grows.

The Audit Cost Reality

You mentioned the 20-40% higher audit costs for upgradeable contracts. Let me add context to that number from our experience:

Non-upgradeable contract audit: $50K, 2 weeks

  • Review logic once
  • Verify math
  • Check for standard vulnerabilities
  • Done

Upgradeable contract audit: $75K-$100K, 3-4 weeks

  • Review logic AND proxy pattern
  • Verify storage layout compatibility
  • Check initialization guards
  • Verify upgrade authorization
  • Test upgrade simulation
  • Review governance mechanisms
  • Model governance attack vectors

And that’s just the INITIAL audit. Every upgrade needs re-auditing. We’ve spent $300K on audits in our first year—60% of that specifically for upgrade-related security. For a startup trying to compete with established protocols, this is brutal.

But here’s the kicker: we still got exploited. Not because of bad code—because our governance token distribution was too concentrated and someone bought enough tokens to push through a fee change that benefited their position. The code worked perfectly. The governance was the vulnerability.

Immutability vs. Market Reality

David’s phased approach is theoretically sound, but let me tell you why it’s hard in practice:

The competitive landscape doesn’t care about your security roadmap. If Aave launches v4 with new features and we’re stuck with v2 because we’ve locked ourselves into immutability, users will migrate. TVL is ruthless—it goes where the yield is best and the UX is smoothest.

Regulatory requirements change. What if new compliance rules require protocol changes? Immutable contracts can’t adapt. This is actually regulatory_rachel’s domain, but from a builder perspective: regulators don’t care about your commitment to decentralization when they’re threatening enforcement.

Bug fixes need to happen. The “just deploy a new version and migrate” approach sounds clean until you have $500M in TVL and users who don’t want to move funds, pay gas for migration, or deal with tax implications of “selling” their position to migrate to v2.

What Actually Works (In Production)

Here’s what we’ve implemented after learning the hard way:

1. Tiered Upgradeability:

  • Core math contracts: Immutable from day 1 (we borrowed audited code from established protocols)
  • Treasury contracts: 7-day timelock, requires 4-of-5 multisig + guardian veto
  • Fee parameters: DAO governance with 3-day timelock
  • UI/peripherals: Fast upgrades with monitoring

2. Governance Protections:

  • Vote escrow (ve-model) - must lock tokens 6+ months to vote on upgrades
  • Time-weighted voting power - recent buyers have reduced influence
  • Upgrade proposals require 2-week discussion period before voting
  • Emergency pause multisig (separate from upgrade keys)

3. Progressive Hardening:

  • Explicit milestones where we REMOVE upgrade capabilities
  • $10M TVL: Treasury becomes time-locked
  • $50M TVL: Core contracts become immutable
  • $200M TVL: Governance must reach 70% supermajority for any upgrades

4. Transparency Infrastructure:

  • All proposed upgrades published 14 days before execution
  • Diff tools show exactly what changes between versions
  • Third-party monitoring services alert on upgrade proposals
  • Option for users to “rage quit” (withdraw) before upgrade executes

The Cost-Benefit Reality

After a year of building in this space, here’s my honest assessment:

Full immutability = Security maximalism that makes you uncompetitive and unable to fix bugs. Works for Bitcoin. Doesn’t work for DeFi products trying to attract users.

Full upgradeability = Flexibility that creates massive governance attack surface. Works for move-fast startups. Doesn’t work once you have real TVL.

Selective immutability = The only practical path. Make your value storage and core math immutable. Keep your periphery and parameters upgradeable. Accept that this is a compromise and plan accordingly.

The OWASP SC10 recognition is important because it forces us to treat governance and upgrade mechanisms as security-critical components, not afterthoughts. But let’s be realistic: we’re not going back to full immutability, because the market demands features, bug fixes, and adaptability.

The real question is: can we build upgrade mechanisms that are secure enough to withstand sophisticated attacks while still allowing legitimate protocol evolution? I think the answer is “yes, with sufficient safeguards,” but it requires discipline, investment in security infrastructure, and acceptance that audits and governance overhead are ongoing costs, not one-time expenses.

4

This discussion perfectly illustrates why regulatory frameworks struggle with DeFi: you’re debating whether critical financial infrastructure should be upgradeable or immutable, while traditional finance has been wrestling with similar questions about operational flexibility versus systemic stability for decades. Let me add the compliance and liability perspective.

The Regulatory Paradox

From a regulator’s viewpoint, upgradeable contracts and immutable contracts each create different—but equally concerning—problems:

Immutable Contracts:

  • Can’t be updated to comply with new regulations
  • Can’t implement sanctions screening or AML controls retroactively
  • Bug fixes require complete redeployment and user migration
  • Creates regulatory “ossification” where protocols become compliance fossils

Upgradeable Contracts:

  • Admin keys create regulatory “capture points” where authorities can compel changes
  • Governance attacks can change protocol behavior to violate securities laws
  • Upgrades can transform a compliant protocol into a non-compliant one overnight
  • Creates liability questions: who’s responsible when governance votes cause user losses?

Neither option fits cleanly into existing regulatory frameworks designed for entities with boards of directors, compliance officers, and legal accountability.

Securities Law Implications

Here’s where the governance attack surface becomes a legal nightmare:

When Beanstalk was exploited via governance attack, who was liable for the $182M in user losses?

  • The attacker? (They’d argue they used the governance mechanism as designed)
  • The protocol developers? (They’d argue the code worked correctly)
  • The governance token holders? (They didn’t vote—the attack happened too fast)
  • The DAO itself? (No legal entity exists)

This creates what I call “distributed liability vacuum”—everyone can claim they’re not responsible because the code executed as designed and governance worked as intended.

Traditional finance handles this through:

  1. Corporate structure with identifiable decision-makers
  2. Board oversight and fiduciary duties
  3. D&O insurance for governance failures
  4. Regulatory examination and enforcement powers

DeFi has none of these. And upgradeability makes it worse because governance attacks can happen atomically, faster than any legal or regulatory response.

The Compliance Upgrade Dilemma

Diana mentioned that “regulators don’t care about your commitment to decentralization when they’re threatening enforcement.” This is absolutely true, and it creates a fundamental tension:

Scenario 1: OFAC adds a sanctioned address. Can your immutable DeFi protocol comply?

  • No. It can’t screen addresses or block transactions.
  • Result: Entire protocol might be deemed non-compliant. Developers face enforcement.

Scenario 2: OFAC adds a sanctioned address. Your upgradeable protocol can add compliance hooks.

  • Good news: You can comply.
  • Bad news: Now you’re a centralized financial service provider in regulatory eyes.
  • Result: You need to register as MSB, implement KYC, file SARs, maintain records.

The paradox: The more upgradeable your protocol, the more regulators will treat it as a traditional financial service. The less upgradeable, the more likely it violates existing regulations.

Governance as a Legal Entity Problem

The SEC and CFTC increasingly view DAO governance tokens as securities when they provide:

  1. Economic returns (yield, fees)
  2. Governance rights over protocol operations
  3. Control over protocol upgrades

When your governance token holders can vote to upgrade contracts controlling $500M in TVL, you’re effectively creating an unregistered investment vehicle with shareholder voting rights—exactly what securities laws were designed to regulate.

The Compound “Golden Boys” attack illustrates this: someone bought enough governance tokens to effectively “take over the company” and direct treasury funds to themselves. In traditional finance, this would trigger:

  • SEC disclosure requirements (Schedule 13D for 5%+ ownership)
  • Tender offer rules if acquiring control
  • Fiduciary duty lawsuits from minority shareholders
  • Potential SEC enforcement for market manipulation

In DeFi? Nothing. Because there’s no legal entity, no registered securities, no enforceable fiduciary duties.

The Path Forward (Regulatory Perspective)

Here’s what would make regulators more comfortable with upgradeable DeFi protocols:

1. Progressive Decentralization with Regulatory Checkpoints:

  • Phase 1: Centralized team, registered entity, clear liability
  • Phase 2: Governance transition with compliance hooks
  • Phase 3: Hardened protocol with limited upgrade scope
  • Phase 4: Immutable core with regulators accepting it as infrastructure

2. Governance Safeguards with Legal Teeth:

  • DAO wrapped in legal entity (Delaware DAO LLC, Wyoming DAO, etc.)
  • Insurance covering governance attacks
  • Fiduciary duties for large token holders or delegates
  • Timelock requirements matching securities law disclosure periods

3. Selective Upgradeability for Compliance:

  • Core math: Immutable
  • Compliance modules: Upgradeable via admin multisig (not DAO governance)
  • Treasury: Controlled by legal entity with traditional governance
  • Fee parameters: DAO governance with regulatory guardrails

4. Transparency and Liability Frameworks:

  • Upgrade proposals must include legal impact analysis
  • Insurance or treasury reserves to cover governance attack losses
  • Clear liability assignment (even if to a legal entity with limited assets)
  • Regular audits not just for code, but for governance processes

The Uncomfortable Truth

Diana’s right that we’re not going back to full immutability. But David’s phased approach needs to account for regulatory realities:

Protocols with $100M+ TVL operating with full upgradeability governed by anonymous token holders are regulatory time bombs.

It’s not a question of IF enforcement happens, it’s WHEN. And the enforcement won’t care about the elegance of your proxy pattern or the sophistication of your timelock—it will ask:

  1. Who profited?
  2. Who controlled the system?
  3. Who can be held accountable?

If the answers are “distributed token holders,” “autonomous governance,” and “no one,” you’re in legal no-man’s land.

My Recommendation

For protocols aiming for regulatory durability:

Early stage (0-$50M TVL):

  • Form legal entity
  • Maintain upgrade keys with entity control
  • Accept centralization in exchange for clear liability

Growth stage ($50-$500M TVL):

  • Transition governance to DAO with legal wrapper
  • Implement tiered upgradeability (immutable core, upgradeable periphery)
  • Add compliance hooks that can be updated without DAO vote
  • Carry insurance for governance failures

Maturity ($500M+ TVL):

  • Core protocol becomes immutable or requires supermajority + long timelocks
  • Only compliance and fee parameters remain upgradeable
  • Establish legal precedent that core protocol is infrastructure (like Bitcoin)
  • Maintain compliance modules via traditional entity

This isn’t about killing decentralization—it’s about making DeFi durable enough to survive contact with regulators who will eventually show up asking hard questions about the $905M in losses from proxy vulnerabilities.

The OWASP SC10 inclusion isn’t just a technical security issue—it’s documentation that will appear in regulatory enforcement actions arguing DeFi governance is too dangerous to remain unregulated.