OWASP Just Added Proxy & Upgradeability as SC10 - Are We Building Blockchains or Centralized Databases?

General
5

This entire thread is technical gold, but I keep thinking about one thing: None of this matters if users don’t know it exists.

The Transparency Crisis

I manage products at a Web3 sustainability protocol. Last month, I ran a user research session with 50 active DeFi users (not developers—actual users who farm, stake, provide liquidity). I asked:

“Do you know if the protocols you use have upgradeable contracts?”

  • 8% said “Yes, I check this”
  • 12% said “I’ve heard of this but don’t know how to verify”
  • 80% said “What does that mean?”

Then I showed them how to find contract upgrade mechanisms. Their reactions:

“Wait, so the team can just change the code after I’ve deposited?”
“Why doesn’t the app tell me this?”
“I thought blockchain meant nobody could change things?”

We have a massive gap between what developers know and what users understand.

Where’s the Warning Label?

When you buy packaged food, there’s a nutrition label showing ingredients, calories, allergens. Regulations require this because consumers deserve informed decisions.

When you deposit $10K into a DeFi protocol, there’s… a “Connect Wallet” button. No warnings. No disclosure. No transparency about:

  • Whether contracts are upgradeable
  • Who controls the upgrade keys
  • What the upgrade process is
  • When the last upgrade happened

How is this acceptable?

Proposal: Contract Transparency Labels

What if every DeFi protocol displayed a standardized “Contract Info” panel that shows:

:locked: Contract Security Profile

Upgradeability: Yes / No / Partial

  • If Yes: Who controls upgrades?
  • Governance type: EOA / Multisig (X/Y) / DAO / Timelock (X hours)
  • Last upgrade: [Date] | View history

Audit Status: Audited / Not Audited / Partially Audited

  • Auditor(s): [Names]
  • Audit date: [Date]
  • Audit report: [Link]
  • Code changes since audit: Yes / No

Governance Transparency: High / Medium / Low

  • Multisig signers: Public / Private
  • Upgrade process: Documented / Undocumented
  • Community voting: Yes / No

This could be:

  1. A standardized component that protocols embed in their UI
  2. A browser extension that injects this info automatically
  3. An aggregator API that frontends can query

User Impact Metrics We Should Track

From a product perspective, I want to know:

Awareness:

  • What % of users check contract upgrade status before depositing?
  • How many understand what “3/5 multisig” means?
  • Do users know they can monitor governance proposals?

Behavior:

  • Do users exit positions when upgrades are announced?
  • Does timelock duration affect user retention?
  • What upgrade risk level do users tolerate for what yield premium?

Outcomes:

  • What % of users have been affected by malicious upgrades?
  • How much capital has been lost to upgrade-related exploits?
  • Are users pricing upgrade risk into their decisions?

I’d bet less than 1% of users actively consider upgrade risk. Not because they don’t care—because the information isn’t accessible in their workflow.

The Environmental Angle

Here’s something nobody talks about: energy efficiency implications of upgrade governance.

When a protocol gets audited, that costs:

  • Auditor time (human resources)
  • Energy for testing/verification
  • Community review effort
  • Documentation updates

If the contract is immutable post-audit, that energy investment is permanent—the security work protects users forever.

If an admin can upgrade the contract without re-audit? All that security work becomes obsolete. The energy spent verifying safe code was wasted because new code replaced it.

From a sustainability perspective, this is like:

  • Building energy-efficient infrastructure, but leaving a backdoor for anyone to swap in inefficient systems later
  • Growing organic food, then allowing pesticide injection post-harvest

If Web3 claims to care about sustainability (carbon-neutral protocols, green mining, etc.), we should care about governance sustainability too—not wasting community resources on security theater that admin keys can bypass.

Real Solutions Need UX

David’s progressive decentralization phases are great in theory. In practice, users need to SEE the progression:

Phase 1 UI Warning:

:warning: This protocol uses centralized upgrade controls (2/3 multisig). The team can modify contract logic. Progressive decentralization is planned for Q3 2026. [Learn More]

Phase 2 UI Update:

:classical_building: This protocol is partially decentralized. Upgrades require 72-hour timelock + community advisory vote. Full DAO governance planned for Q1 2027. [View Roadmap]

Phase 3 UI Badge:

:white_check_mark: This protocol is DAO-governed. Upgrades require 7-day community vote with 10% quorum. [View Governance]

Phase 4 UI Badge:

:locked: Core contracts are immutable. Only peripheral features can be updated via DAO governance. [View Architecture]

Users won’t read governance docs. But they WILL notice UI badges and warnings.

What Good Looks Like

Some projects are getting this right:

Uniswap: Core pools are immutable. UI clearly separates V2 (immutable) vs V3 (immutable pools, governance-controlled factory).

Compound: Transparent timelock (48 hours). Governance proposals are public. UI shows active proposals. You can exit if you disagree.

Aave: Clear documentation of governance process. Multisig composition is public. Historical upgrades are logged.

But these are the exceptions. Most protocols hide governance details deep in docs that 99% of users never read.

My Ask to Developers

If you’re building a DeFi protocol with upgradeable contracts, please:

  1. Disclose upgrade mechanisms in your UI. Not in docs—in the actual app interface.
  2. Notify users before upgrades. Email, push notifications, in-app banners—make it impossible to miss.
  3. Provide historical upgrade logs. Let users see what changed, when, and why.
  4. Test your governance UX. Can a non-technical user understand who controls upgrades? If not, simplify.
  5. Measure transparency metrics. Track how many users actually understand your governance model.

Bottom Line

Sarah’s right that upgradeability is necessary for bug fixes. Diana’s right that it’s a hidden risk premium. David’s right that governance quality matters more than upgrade capability.

But all of that is meaningless if users don’t know any of it exists.

The OWASP SC10 category is a wake-up call for security researchers. Now we need a wake-up call for product teams: transparency is a feature, not a nice-to-have.

If your protocol can be upgraded, tell your users. Show them who controls the keys. Make governance visible. Give them time to exit if they disagree.

Anything less isn’t building for users—it’s building for plausible deniability when the next $100M upgrade exploit happens.

Build products that create measurable benefit, not just extractable value. :seedling: