Introduction

Smart contracts are often described as immutable: code that, once deployed on a blockchain, cannot be changed. This property is central to the trust model of decentralized systems. Yet in practice, a large portion of modern blockchain applications rely on upgradeable proxy contracts, a design pattern that allows developers to modify logic after deployment.

This introduces a tension. Systems that appear immutable to users may, in fact, be controlled and modified by a small group of actors. The phrase “behind the sign protocol” captures this hidden layer, where signatures, governance keys, or administrative privileges determine the true locus of control.

Understanding how upgradeable proxies work, and how they can shift control away from users, is essential for evaluating the security, governance, and trust assumptions of decentralized applications, or dApps.

Historical Background

Early Immutability and Its Limits

Ethereum launched in 2015 with the premise that smart contracts are immutable. However, early incidents quickly revealed the limitations of this model. The DAO hack in 2016 demonstrated that bugs in immutable contracts could lead to irreversible losses, prompting a controversial hard fork.

Developers began searching for ways to preserve flexibility while maintaining blockchain guarantees.

Emergence of Proxy Patterns

Upgradeable smart contracts emerged as a workaround. Instead of storing logic directly in a contract, developers separated two components:

Proxy contract, which holds state and the user-facing address

Implementation contract, which contains executable logic

The proxy uses the DELEGATECALL opcode to execute logic from the implementation contract while maintaining its own storage.

This pattern allows developers to swap the implementation contract, effectively upgrading the system without changing the contract address.

Standardization and Frameworks

Several standards formalized proxy usage:

EIP 897, delegate proxy interface

EIP 1822, Universal Upgradeable Proxy Standard

EIP 1967, standardized storage slots for proxy metadata

EIP 1967 became widely adopted because it defines where implementation addresses and admin roles are stored, reducing the risk of storage collisions.

Frameworks such as OpenZeppelin Upgrades made proxies accessible, accelerating adoption across decentralized finance, NFTs, and governance systems.

Scaling Adoption

Empirical studies show rapid growth:

Millions of contracts now use proxy patterns

One study identified over 2 million proxy contracts in Ethereum ecosystems, Zhang et al., 2025

Another found more than 1.3 million upgradeable contracts using standardized patterns, Qasse et al., 2025

What began as a niche workaround has become a dominant architectural pattern.

Current State, Updated Information

Widespread Use in Production Systems

Upgradeable proxies are now standard in:

DeFi protocols, including lending, exchanges, and derivatives

Stablecoins, often upgraded for compliance or risk management

NFT platforms and marketplaces

DAO governance systems

Research confirms that proxy-based upgradeability is the predominant method for contract evolution, Wang et al., 2025, Liu et al., 2024.

Governance and Admin Control

Most proxy systems include an admin role with authority to:

Upgrade implementation contracts

Pause or modify functionality

Change governance parameters

In practice, this role is often controlled by a multisignature wallet, a DAO governance contract, or in some cases a single externally owned account.

Research shows that hundreds of proxy systems are still controlled by single accounts, raising centralization concerns, Salehi, 2022.

Security Landscape

Recent research highlights key risks:

Storage collisions during upgrades can corrupt state, Pan et al., 2025

Logic state inconsistencies can introduce vulnerabilities, Li et al., 2026

Delegatecall misuse can expose contracts to unexpected execution paths, Hong et al., 2026

One large scale study identified tens of thousands of upgradeable contracts with potential security risks, Wang et al., 2025.

Tooling and Detection

New tools such as ProxyLens and PROXiFY analyze proxy contracts at scale, detecting vulnerabilities and identifying upgrade patterns, Hong et al., 2026, Qasse et al., 2025.

Critical Analysis

Strengths of Upgradeable Proxies

Flexibility and Maintenance

Upgradeable proxies allow developers to fix bugs, add features, and respond to changing requirements without redeploying contracts.

Operational Continuity

Users interact with a stable address while logic evolves behind the scenes.

Practical Necessity

Given the complexity of modern decentralized applications, fully immutable systems are often impractical.

Limitations and Risks

Hidden Centralization

The most significant issue is governance control. While users interact with a decentralized interface, upgrade authority is often concentrated.

Admin keys can unilaterally change contract behavior. Malicious or compromised admins can redirect funds or alter rules.

This creates a gap between perceived decentralization and actual control.

Trust Assumptions Shift

In immutable contracts, trust is placed in code. In upgradeable systems, trust shifts to developers, governance participants, and key management practices.

This reintroduces human trust dependencies, similar to traditional systems.

Upgrade Risks

Upgrades themselves are a source of vulnerability:

Incorrect storage layouts can break contracts

New logic may introduce bugs

Inconsistent state transitions can lead to exploits

Research highlights logic state inconsistency as a recurring issue, Li et al., 2026.
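The storage-layout and storage-collision risks listed here and under Security Landscape follow directly from how DELEGATECALL works: the proxy's storage never moves, only the code interpreting it changes. The following is an added example, not code from the article or from OpenZeppelin Upgrades or any other framework it mentions. It models a proxy's storage as a slot table, checks a candidate layout against the deployed one the way an upgrade-safety check does, and shows what a reordered layout does to live state. It assumes one whole 32-byte slot per variable (Solidity packs small types; that is ignored), and every address and balance in it is a constructed value.

```python
"""Storage-layout compatibility for proxy upgrades (added example; not code
from the article or from any upgrade framework it mentions).

A proxy keeps state in its own storage and DELEGATECALLs into the
implementation, so each implementation version interprets the same slots
through its own variable declaration order. A new version that reorders,
removes or retypes a variable reads the old bytes as something else.
Simplifying assumption: every variable occupies a whole 32-byte slot
(Solidity packs small types; packing is ignored here). All values are
constructed.
"""
from typing import Dict, List, Tuple

Layout = List[Tuple[str, str]]  # ordered (name, type); list index == storage slot

# Version 1 as deployed behind the proxy.
V1_LAYOUT: Layout = [("owner", "address"), ("paused", "bool"), ("totalSupply", "uint256")]

# A safe upgrade only appends new variables after the existing ones.
V2_SAFE: Layout = V1_LAYOUT + [("feeBps", "uint16")]

# An unsafe upgrade: a developer "tidied up" by moving `paused` to the top.
V2_UNSAFE: Layout = [("paused", "bool"), ("owner", "address"),
                     ("totalSupply", "uint256"), ("feeBps", "uint16")]


def layout_diff(old: Layout, new: Layout) -> List[str]:
    """Return the incompatibilities between two layouts; an empty list means
    the upgrade is append-only and every existing slot keeps its meaning."""
    problems = []
    if len(new) < len(old):
        problems.append(f"{len(old) - len(new)} trailing variable(s) removed")
    for slot, (old_name, old_type) in enumerate(old):
        if slot >= len(new):
            break
        new_name, new_type = new[slot]
        if old_name != new_name:
            problems.append(f"slot {slot}: '{old_name}' replaced by '{new_name}'")
        elif old_type != new_type:
            problems.append(f"slot {slot}: '{old_name}' changed type {old_type} -> {new_type}")
    return problems


def slot_of(layout: Layout, name: str) -> int:
    """Slot number a given implementation version uses for a variable."""
    for slot, (var_name, _) in enumerate(layout):
        if var_name == name:
            return slot
    raise KeyError(name)


def write_var(storage: Dict[int, int], layout: Layout, name: str, value: int) -> None:
    storage[slot_of(layout, name)] = value


def read_var(storage: Dict[int, int], layout: Layout, name: str) -> int:
    return storage.get(slot_of(layout, name), 0)  # untouched EVM storage reads as zero


def simulate_upgrade(new_layout: Layout) -> Dict[str, int]:
    """Populate storage through V1, then read it back through the new layout,
    as the proxy would after its implementation pointer is swapped."""
    storage: Dict[int, int] = {}
    write_var(storage, V1_LAYOUT, "owner", 0xA11CE)         # constructed owner address
    write_var(storage, V1_LAYOUT, "paused", 0)              # false
    write_var(storage, V1_LAYOUT, "totalSupply", 1_000_000)
    # The upgrade changes no storage, only the code that interprets it.
    return {name: read_var(storage, new_layout, name) for name, _ in new_layout}


if __name__ == "__main__":
    print("safe layout:", layout_diff(V1_LAYOUT, V2_SAFE) or "compatible")
    print("unsafe layout:", layout_diff(V1_LAYOUT, V2_UNSAFE))
    print("state as seen by unsafe V2:", simulate_upgrade(V2_UNSAFE))
```

Run against V2_UNSAFE, the diff flags slots 0 and 1, and the simulation shows why that matters: the contract now reads `paused` as the old owner address (nonzero, so paused) and `owner` as zero, so no one can unpause it. No attacker is needed for this failure, which is why layout validation belongs in the upgrade procedure rather than in post-incident review.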

Transparency Challenges

While upgrades are recorded on-chain, they are often difficult for users to detect, poorly communicated, and technically complex to interpret.

This creates an information asymmetry between developers and users.

Attack Surface Expansion

Proxy patterns introduce additional complexity:

Delegatecall execution paths

Upgrade functions

Admin key management

Each adds potential attack vectors, Liu et al., 2024.

Future Outlook

Likely Developments

Stronger Governance Models

Expect broader adoption of time-locked upgrades, DAO-based voting systems, and multi-layer approval mechanisms. These aim to reduce unilateral control.

Formal Verification and Tooling

Advanced tools will increasingly detect upgrade risks before deployment, verify storage compatibility, and simulate upgrade scenarios.

Standardization and Best Practices

Standards such as EIP 1967 will likely evolve with clearer guidelines for secure upgrade procedures, transparent governance, and user notification mechanisms.

More Speculative Possibilities

Hybrid Immutability Models

Systems may adopt partial immutability, where core logic is fixed while peripheral components remain upgradeable.

User Controlled Opt Out Mechanisms

Future designs could allow users to lock themselves into specific contract versions or reject upgrades they do not trust.

Regulatory Influence

As regulators examine decentralized finance, upgradeable contracts may face scrutiny. Admin control could be interpreted as custodial authority, and governance structures may require clearer accountability.

Conclusion

Upgradeable proxy contracts solve a real problem: the need to evolve complex systems in an immutable environment. However, they fundamentally alter the trust model of blockchain applications.

What appears to be decentralized and immutable may depend on a small set of actors with upgrade authority. This shift is not inherently malicious, but it must be understood.

The key takeaway is simple: immutability in modern smart contracts is often conditional, not absolute.

Users, developers, and regulators must evaluate not just what a contract does today, but who has the power to change it tomorrow.

@SignOfficial

#SignDigitalSovereignInfra

$SIGN