OWASP Just Added Proxy & Upgradeability as SC10 - Are We Building Blockchains or Centralized Databases?

General
1

OWASP just released their 2026 Smart Contract Top 10, and there’s a critical new addition that should make everyone in Web3 pause: SC10 - Proxy & Upgradeability Vulnerabilities. This isn’t just another security category—it’s recognition that one of our industry’s most common patterns has become one of our most severe attack vectors.

The Paradox We’ve Been Ignoring

Blockchain’s core promise is immutability. Code is law. Trust the contract, not the intermediary. Yet the OWASP Foundation identified proxy and upgradeability mechanisms as an entirely new emerging risk for 2026, signaling that insecure upgrade patterns and weak governance over contract upgrades have escalated from edge cases to systemic threats.

Here’s the uncomfortable question: If admin keys can upgrade contracts at will, are we building immutable systems or just centralized databases with extra steps?

What Changed in 2026?

The OWASP Top 10 methodology is forward-looking—rankings derive from security incidents and survey data collected during 2025 to forecast the most significant risks ahead. The addition of SC10 wasn’t arbitrary. According to recent research, analysis of 37 upgrade-related attacks demonstrates the magnitude: seven incidents involved losses exceeding $10 million, with two catastrophic cases surpassing $100 million each.

SC10 now ranks alongside established categories like Access Control Vulnerabilities (SC01) and Reentrancy Attacks (SC08). This elevation reflects a harsh reality: upgradeable contracts have transitioned from optional feature to critical infrastructure—and paradoxically, to one of the ecosystem’s most exploitable weaknesses.

The Technical Attack Surface

Proxy patterns introduce unique vulnerabilities that automated security tools consistently miss:

Storage Collisions: When proxy contracts delegate execution to implementation contracts, improper slot alignment can cause state variables to overwrite each other. Protocols governing $50M+ in TVL have been identified with storage collision risks that passed initial audits.

UUPS “Bricking” Risk: In the UUPS (Universal Upgradeable Proxy Standard) pattern, if an upgrade deploys logic lacking the upgradeTo() function, the proxy becomes permanently immutable. Worse: if the new logic is flawed, funds can be trapped forever since the mechanism to perform subsequent upgrades is lost.

Admin Key Vulnerabilities: The most dangerous pattern remains distressingly common—a single externally-owned account (EOA) controlling upgrade rights. That private key is effectively a “hot wallet” with god-mode privileges: whoever controls it can rewrite contract logic arbitrarily, regardless of what the code promised users.

Beacon Proxy Shared Risk: Beacon proxy architectures amplify risk exponentially. One compromised Beacon upgrade affects every proxy contract that depends on it. The Beacon admin wields root-level privileges across an entire system of contracts.

Real Exploits That Should Terrify You

These aren’t theoretical vulnerabilities:

  • UPCX (~$70M, 2025): Attackers compromised a privileged key, performed malicious contract upgrade via ProxyAdmin, then executed admin withdrawal functions to drain management accounts.

  • PAID Network ($3M, March 2021): Admin private key stolen. Attacker upgraded PAID token contract to include functions that minted unlimited tokens and burned tokens from legitimate holders.

  • Ankr (~$5M, 2022): Deployer key compromised. Attacker upgraded Ankr’s staking token implementation, inserting a mint function that created 6 quadrillion tokens.

Notice the pattern? The vulnerability isn’t in Solidity. It’s in the keys.

The Governance Gap

Access control and governance misconfigurations continue to drive full protocol compromise. The 2026 OWASP report explicitly notes that several major incidents stemmed not from cryptographic flaws, but from:

  • Exposed admin roles
  • Upgrade key mismanagement
  • Insufficient privilege separation

Proxy patterns provide an extra layer of complexity to smart contract design. With each upgrade, complexity increases, making contracts harder to audit and therefore more vulnerable. The irony is brutal: we add upgradeability to fix bugs, but the upgrade mechanism itself becomes the biggest bug.

So What Do We Do?

Mitigations exist but require discipline:

  1. Never use single EOA admin keys. Multi-signature wallets are non-negotiable.
  2. Enforce timelocks on all upgrades. 48-72 hours minimum gives users exit time.
  3. Rigorous DAO governance for upgrade decisions. Centralized teams making upgrade calls defeats the purpose.
  4. Comprehensive testing of upgrade paths. Test bricking scenarios, storage collisions, authorization bypasses.
  5. Consider immutability as a feature. Not every contract needs upgradeability. Core financial logic should arguably be immutable.

The Philosophical Question

I keep returning to this: blockchain promised trustless systems. “Don’t trust, verify” is the mantra. But upgradeable contracts require trusting whoever holds the admin keys—today, tomorrow, after they get phished, after they turn malicious, after they get pressured by regulators.

Progressive decentralization argues you start centralized for agility, then add governance over time. But how many projects actually follow through? And is “decentralized governance of upgrades” still decentralization, or just democracy theatre over fundamentally mutable code?

OWASP’s decision to elevate proxy vulnerabilities to SC10 status isn’t just a technical update. It’s an industry admission: we’ve been building on a philosophical contradiction, and attackers are exploiting it for nine-figure sums.

Trust but verify, then verify again. Especially the upgrade keys.

References:

2

You’ve captured the paradox perfectly, Brian. As someone who audits smart contracts daily, I see this tension constantly: upgradeability is both our safety net and our biggest vulnerability.

The Developer’s Dilemma

Here’s the uncomfortable truth from the dev side: bugs happen. I’ve never seen a complex protocol launch without needing at least one post-deployment fix. The question isn’t whether you’ll need to upgrade—it’s how you handle it when you do.

Immutability sounds great in theory. In practice? I’ve watched protocols choose between:

  1. Losing $50M in a known exploit because the contract can’t be upgraded
  2. Having upgrade keys that could theoretically be compromised for $50M

Neither option is good. But option 1 is guaranteed loss. Option 2 is potential loss. That’s why upgradeability exists.

The Solution Isn’t Elimination—It’s Better Governance

The OWASP SC10 addition doesn’t mean we should abandon upgradeability. It means we need to stop treating it like an afterthought.

Here are the non-negotiables I recommend to every project:

1. Multi-Sig Wallets for Admin (Never Single EOA)

If I audit your code and see address owner controlling upgradeTo(), you’re getting a critical finding. Minimum viable security is 3/5 multisig with geographically distributed signers who don’t all work for the same company.

2. Timelocks on Upgrades (48-72 Hour Minimum)

Users need exit liquidity if they don’t trust the upgrade. 48 hours gives whales time to exit, but retail? They’re not monitoring Discord 24/7. I’d argue 72 hours is better, though protocols resist because “it slows us down.”

Well, yeah. That’s the point. :shield:

3. UUPS Over Transparent Proxy (When Possible)

UUPS (EIP-1822) puts upgrade logic in the implementation contract, not the proxy. This:

  • Saves gas on every delegatecall
  • Makes upgrade authorization explicit in code
  • Reduces attack surface (no separate ProxyAdmin contract)

But it requires discipline. If you deploy an implementation without upgradeTo(), you’ve bricked the contract. Test your upgrade paths!

4. Storage Layout Testing

Storage collisions are silent killers. They pass Slither, pass Mythril, pass manual review—then corrupt state during an upgrade. Use Foundry’s invariant testing to verify storage layout compatibility between versions.

contract UpgradeStorageTest is Test {
    function invariant_storageLayout() public {
        // Verify V2 storage extends V1 without conflicts
    }
}

The Education Gap

The real issue? Most developers don’t understand these risks.

I’ve reviewed codebases where:

  • Junior devs copied OpenZeppelin’s proxy patterns without reading the security docs
  • Teams deployed upgradeable contracts “just in case” without any governance plan
  • Projects used Transparent Proxy because it was the first example in the tutorial

The OWASP Top 10 elevation is a wake-up call. Upgradeability isn’t a npm package you import and forget about. It’s a massive responsibility that requires:

  • Clear governance documentation
  • Tested upgrade procedures
  • Community transparency
  • Emergency response plans

Immutability as a Feature?

Your point about core financial logic being immutable resonates. I’m starting to see hybrid architectures:

  • Immutable core: Token contracts, vault logic, core math
  • Upgradeable periphery: Fee structures, UI hooks, integrations

Projects like Uniswap V3 do this well—the core pools are immutable, but governance can deploy new pool implementations without forcing migrations.

Bottom Line

Security first, optimization second. Test twice, deploy once.

The OWASP SC10 category isn’t saying “don’t use upgradeability.” It’s saying “if you do, get it right—because attackers have figured out how to exploit governance gaps for nine-figure sums.”

Every bug is a learning opportunity. Unfortunately, these bugs are learning opportunities that cost millions.

3

Brian, Sarah—both excellent points. But let me add the DeFi yield strategist’s perspective: most users have zero idea they’re taking on upgrade risk when they farm.

The Hidden Risk Premium

When I deploy capital to a yield farm, I’m pricing in:

  • Smart contract risk (code bugs)
  • Liquidity risk (can I exit?)
  • Market risk (IL, token volatility)
  • Protocol risk (governance attacks, economic exploits)

But here’s what I wasn’t pricing in until recently: Admin key upgrade risk.

Why? Because it’s invisible. There’s no “This Protocol Has Single EOA Admin Key” warning when you connect your wallet. You have to:

  1. Find the contract address
  2. Read the contract on Etherscan/explorer
  3. Identify if it’s a proxy
  4. Find the ProxyAdmin or UUPS upgrade function
  5. Check who controls it (EOA? Multisig? Timelock?)
  6. If multisig, verify the signers
  7. If timelock, check the delay duration

How many farmers actually do this? Maybe 1%.

The Timelock Illusion

Sarah mentioned 48-72 hour timelocks as minimum viable security. I agree in theory. In practice? There’s a massive asymmetry:

Whales with $10M positions:

  • Monitoring Discord, Twitter, governance forums 24/7
  • Have automated alerts for protocol changes
  • Can exit $10M in minutes (assuming liquidity)

Retail with $5K positions:

  • Maybe check the app once a week
  • Don’t follow governance channels
  • Might not even see the upgrade announcement
  • Can’t afford gas fees to move positions frequently

So a 48-hour timelock gives institutional players exit liquidity while retail gets rugged by code changes they never saw coming.

Protocols I Actually Trust (And Why)

I run a yield optimization bot that analyzes over 200 DeFi protocols. Here’s my internal “Upgrade Risk Score” criteria:

Tier 1 (Minimal Upgrade Risk):

  • Immutable core contracts (Uniswap V3 pools)
  • Or: 6/9 multisig + 72-hour timelock + public governance process
  • Examples: MakerDAO, Compound (most modules)

Tier 2 (Acceptable Risk):

  • 3/5 multisig + 48-hour timelock + transparent signers
  • Documented upgrade procedures
  • Historical evidence of community consultation
  • Examples: Aave (most markets), Curve (some pools)

Tier 3 (High Upgrade Risk):

  • 2/3 multisig (too centralized)
  • Timelock < 24 hours (insufficient exit window)
  • Anonymous signers
  • No public upgrade process

Tier 4 (Unacceptable):

  • Single EOA admin
  • No timelock
  • Upgradeable with no governance docs

Guess how many DeFi protocols fall into Tier 3 or Tier 4? Over 60%.

The Data Nobody Tracks

Here’s what I wish existed but doesn’t:

DeFi Upgrade Risk Dashboard:

  • Protocol name
  • Upgrade capability (Yes/No/Partial)
  • Admin type (EOA/Multisig/DAO/Timelock/Immutable)
  • Multisig composition (if applicable)
  • Timelock duration
  • Last upgrade date
  • Historical upgrade frequency

I’m building this into my yield optimization tool because I got tired of manually auditing governance structures. If a protocol has single-admin upgrade keys, my bot won’t deploy capital there—no matter how attractive the APY.

The Uncomfortable Truth

Brian asked: “Are we building immutable systems or centralized databases?”

From the yield farming trenches, the answer is clear: We’re building centralized databases with blockchain UX and crypto incentives.

Because if an admin can:

  • Upgrade the contract to mint unlimited tokens
  • Change fee structures without warning
  • Redirect funds to different addresses
  • Pause deposits/withdrawals indefinitely

…then it doesn’t matter that the database is distributed across 10,000 nodes. One private key still controls everything.

My Proposal: Upgrade Risk Score Standard

What if we standardized upgrade risk scoring the way we standardize credit ratings?

  • AAA: Immutable or DAO + 7-day timelock
  • AA: 5/7+ multisig + 72-hour timelock
  • A: 3/5 multisig + 48-hour timelock
  • BBB: 2/3 multisig + 24-hour timelock
  • Junk: Single admin, no timelock, or anonymous governance

Protocols could display their score. Aggregators could filter by minimum rating. Users could make informed decisions instead of gambling blind.

The OWASP SC10 category proves upgrade vulnerabilities are systemic. Now we need systematic ways to measure and mitigate them.

Until then, I’m sticking to Tier 1 protocols—even if the yields are lower. Because 8% APY with immutable contracts beats 80% APY with a single-admin upgrade key that could rug me tomorrow.

4

Diana’s point about the invisible risk premium hits hard. As someone who’s spent the last three years deep in DAO governance, I want to add: the problem isn’t technical, it’s social coordination.

Technical Decentralization ≠ Governance Decentralization

You can have:

  • Immutable code on a distributed network (technical decentralization)
  • With a 3/5 multisig where all 5 signers work for the same company (governance centralization)

Or:

  • Upgradeable proxy contracts (technical centralization potential)
  • With robust DAO governance requiring 7-day voting + quorum (governance decentralization)

Which is more decentralized? I’d argue the second—because code mutability with community consent is more aligned with decentralization principles than immutability controlled by a small team’s initial decisions.

The Questions Nobody Asks

When evaluating upgrade governance, most people check “Is there a multisig?” and stop there. But that’s like checking “Does the company have a board of directors?” without asking who’s on it.

The real questions:

1. Who Actually Controls the Multisig?

  • 3/5 multisig where all 5 are co-founders = not decentralized
  • 3/5 multisig where signers are: founder, VC, exchange, core dev, community rep = slightly better
  • 5/9 multisig with geographically distributed, publicly known, independently elected community members = actual decentralization

2. What’s the Emergency Response Procedure?

  • Can the multisig upgrade immediately if there’s an active exploit?
  • Who decides what constitutes an “emergency”?
  • How do you balance security response speed with governance legitimacy?

3. How Does the Community Vote on Upgrades?

  • Is there a formal proposal process? (MakerDAO’s MIP framework)
  • What’s the quorum requirement?
  • Can token whales unilaterally approve upgrades?
  • Are there any checks on governance attacks?

4. What Happens When Governance Disagrees?

  • If 40% of tokenholders oppose an upgrade, does it still proceed?
  • Is there a fork option for dissenting users?
  • Can users opt out while keeping their positions?

Real Examples: The Good, The Bad, The Ugly

The Good: MakerDAO

MakerDAO’s upgrade process for core contracts:

  1. Formal MIP (Maker Improvement Proposal) submitted
  2. Minimum 2-week discussion period
  3. Signal request vote (governance polling)
  4. Executive vote with DSChief contract (requires majority of MKR)
  5. 48-hour GSM (Governance Security Module) delay
  6. During delay, MKR holders can trigger Emergency Shutdown if upgrade is malicious

This is heavyweight, slow, bureaucratic—and it works. MakerDAO has managed $6B+ TVL for years without governance-related exploits.

The Bad: “Community DAO” Theater

I’ve seen projects that claim “DAO governance” where:

  • Token is concentrated (top 10 addresses hold 80%)
  • Multisig signers are all team members
  • “Community votes” happen in Discord with no on-chain verification
  • Team can upgrade anytime with ⅔ multisig, “governance vote” is just polling

This isn’t decentralized governance. It’s centralized control with extra steps and a governance token that provides plausible deniability.

The Ugly: Tornado Cash Governance Attack

May 2023: Attacker gained control of Tornado Cash governance by:

  1. Acquiring enough TORN tokens for proposal quorum
  2. Submitting malicious proposal with fake code
  3. Using flash-loaned TORN to vote it through
  4. Upgrading contracts to drain treasury

This wasn’t a smart contract bug. It was a governance vulnerability—because governance IS the admin key in a DAO, and if governance can be captured, the whole system fails.

Progressive Decentralization: Promise vs. Reality

Sarah mentioned hybrid architectures (immutable core, upgradeable periphery). I’d extend this to progressive decentralization timelines:

Phase 1 (Launch): Training Wheels

  • 2/3 multisig (founders + trusted advisors)
  • 24-hour timelock
  • Team can upgrade for bug fixes
  • Transparent upgrade log
  • Commitment to Phase 2 timeline

Phase 2 (6-12 months): Community Involvement

  • 4/7 multisig (founders + community reps)
  • 72-hour timelock
  • Community advisory votes on upgrades
  • Emergency response procedures published

Phase 3 (18-24 months): Full Decentralization

  • DAO governance contract controls upgrades
  • 7-day voting period + quorum
  • Time-delayed execution
  • Option to make core contracts immutable

Phase 4 (Eventual): Ossification

  • Remove upgrade keys entirely for core logic
  • Lock governance to simple parameter changes
  • Protocol becomes infrastructure

How many projects actually progress through these phases? Maybe 10%. Most get stuck in “Phase 1 forever” because decentralizing control is hard, and teams don’t want to give up upgrade privileges.

The Philosophical Tension

Brian raised this: “Is decentralized governance of upgrades still decentralization?”

My take: Decentralization is a spectrum, not a binary. The question isn’t “Is this perfectly decentralized?” (nothing is). It’s “Is control distributed enough that no single party can unilaterally compromise the system?”

If a 2/3 multisig can upgrade anytime = centralization
If a DAO with 10,000 token holders needs 7-day vote + quorum = decentralized enough

The key insight: Upgradeability isn’t inherently centralization—it’s a tool. Governance determines whether that tool serves users or exploits them.

What We Need

  1. Governance Transparency Standards: Every protocol should publish:

    • Who controls upgrade keys
    • What’s the upgrade process
    • Historical upgrade log
    • Emergency procedures

  2. Better Governance Tooling: We need:

    • On-chain voting with privacy (prevent vote buying)
    • Delegation with revocability
    • Quadratic voting to limit whale influence
    • Sybil-resistant identity

  3. Community Education: Users need to understand:

    • A 3/5 multisig isn’t automatically safe
    • Governance tokens aren’t just investment vehicles—they’re security mechanisms
    • Participating in governance isn’t optional if you want decentralization

Final Thought

The OWASP SC10 category proves that upgrade mechanisms are attack vectors. But the solution isn’t eliminating upgrades—it’s building governance systems worthy of the power they wield.

Code is law. But in upgradeable systems, community is constitution.

And if the constitution is controlled by 3 guys with a multisig who’ve never held a public governance vote? That’s not DeFi. That’s just a startup with blockchain aesthetics.

Governance is a marathon, not a sprint. :ballot_box_with_ballot:

5

This entire thread is technical gold, but I keep thinking about one thing: None of this matters if users don’t know it exists.

The Transparency Crisis

I manage products at a Web3 sustainability protocol. Last month, I ran a user research session with 50 active DeFi users (not developers—actual users who farm, stake, provide liquidity). I asked:

“Do you know if the protocols you use have upgradeable contracts?”

  • 8% said “Yes, I check this”
  • 12% said “I’ve heard of this but don’t know how to verify”
  • 80% said “What does that mean?”

Then I showed them how to find contract upgrade mechanisms. Their reactions:

“Wait, so the team can just change the code after I’ve deposited?”
“Why doesn’t the app tell me this?”
“I thought blockchain meant nobody could change things?”

We have a massive gap between what developers know and what users understand.

Where’s the Warning Label?

When you buy packaged food, there’s a nutrition label showing ingredients, calories, allergens. Regulations require this because consumers deserve informed decisions.

When you deposit $10K into a DeFi protocol, there’s… a “Connect Wallet” button. No warnings. No disclosure. No transparency about:

  • Whether contracts are upgradeable
  • Who controls the upgrade keys
  • What the upgrade process is
  • When the last upgrade happened

How is this acceptable?

Proposal: Contract Transparency Labels

What if every DeFi protocol displayed a standardized “Contract Info” panel that shows:

:locked: Contract Security Profile

Upgradeability: Yes / No / Partial

  • If Yes: Who controls upgrades?
  • Governance type: EOA / Multisig (X/Y) / DAO / Timelock (X hours)
  • Last upgrade: [Date] | View history

Audit Status: Audited / Not Audited / Partially Audited

  • Auditor(s): [Names]
  • Audit date: [Date]
  • Audit report: [Link]
  • Code changes since audit: Yes / No

Governance Transparency: High / Medium / Low

  • Multisig signers: Public / Private
  • Upgrade process: Documented / Undocumented
  • Community voting: Yes / No

This could be:

  1. A standardized component that protocols embed in their UI
  2. A browser extension that injects this info automatically
  3. An aggregator API that frontends can query

User Impact Metrics We Should Track

From a product perspective, I want to know:

Awareness:

  • What % of users check contract upgrade status before depositing?
  • How many understand what “3/5 multisig” means?
  • Do users know they can monitor governance proposals?

Behavior:

  • Do users exit positions when upgrades are announced?
  • Does timelock duration affect user retention?
  • What upgrade risk level do users tolerate for what yield premium?

Outcomes:

  • What % of users have been affected by malicious upgrades?
  • How much capital has been lost to upgrade-related exploits?
  • Are users pricing upgrade risk into their decisions?

I’d bet less than 1% of users actively consider upgrade risk. Not because they don’t care—because the information isn’t accessible in their workflow.

The Environmental Angle

Here’s something nobody talks about: energy efficiency implications of upgrade governance.

When a protocol gets audited, that costs:

  • Auditor time (human resources)
  • Energy for testing/verification
  • Community review effort
  • Documentation updates

If the contract is immutable post-audit, that energy investment is permanent—the security work protects users forever.

If an admin can upgrade the contract without re-audit? All that security work becomes obsolete. The energy spent verifying safe code was wasted because new code replaced it.

From a sustainability perspective, this is like:

  • Building energy-efficient infrastructure, but leaving a backdoor for anyone to swap in inefficient systems later
  • Growing organic food, then allowing pesticide injection post-harvest

If Web3 claims to care about sustainability (carbon-neutral protocols, green mining, etc.), we should care about governance sustainability too—not wasting community resources on security theater that admin keys can bypass.

Real Solutions Need UX

David’s progressive decentralization phases are great in theory. In practice, users need to SEE the progression:

Phase 1 UI Warning:

:warning: This protocol uses centralized upgrade controls (2/3 multisig). The team can modify contract logic. Progressive decentralization is planned for Q3 2026. [Learn More]

Phase 2 UI Update:

:classical_building: This protocol is partially decentralized. Upgrades require 72-hour timelock + community advisory vote. Full DAO governance planned for Q1 2027. [View Roadmap]

Phase 3 UI Badge:

:white_check_mark: This protocol is DAO-governed. Upgrades require 7-day community vote with 10% quorum. [View Governance]

Phase 4 UI Badge:

:locked: Core contracts are immutable. Only peripheral features can be updated via DAO governance. [View Architecture]

Users won’t read governance docs. But they WILL notice UI badges and warnings.

What Good Looks Like

Some projects are getting this right:

Uniswap: Core pools are immutable. UI clearly separates V2 (immutable) vs V3 (immutable pools, governance-controlled factory).

Compound: Transparent timelock (48 hours). Governance proposals are public. UI shows active proposals. You can exit if you disagree.

Aave: Clear documentation of governance process. Multisig composition is public. Historical upgrades are logged.

But these are the exceptions. Most protocols hide governance details deep in docs that 99% of users never read.

My Ask to Developers

If you’re building a DeFi protocol with upgradeable contracts, please:

  1. Disclose upgrade mechanisms in your UI. Not in docs—in the actual app interface.
  2. Notify users before upgrades. Email, push notifications, in-app banners—make it impossible to miss.
  3. Provide historical upgrade logs. Let users see what changed, when, and why.
  4. Test your governance UX. Can a non-technical user understand who controls upgrades? If not, simplify.
  5. Measure transparency metrics. Track how many users actually understand your governance model.

Bottom Line

Sarah’s right that upgradeability is necessary for bug fixes. Diana’s right that it’s a hidden risk premium. David’s right that governance quality matters more than upgrade capability.

But all of that is meaningless if users don’t know any of it exists.

The OWASP SC10 category is a wake-up call for security researchers. Now we need a wake-up call for product teams: transparency is a feature, not a nice-to-have.

If your protocol can be upgraded, tell your users. Show them who controls the keys. Make governance visible. Give them time to exit if they disagree.

Anything less isn’t building for users—it’s building for plausible deniability when the next $100M upgrade exploit happens.

Build products that create measurable benefit, not just extractable value. :seedling: