Upgradeable smart contracts are like guns: they have their uses, but you need to make sure you trust the one holding them, and pray that they’re never used against you.
Not to mention, there are too many of them safeguarding crypto customer funds. For all the cleverness displayed on the Wormhole hack, it looks like the hackers didn’t keep in mind that a proxy contract could suddenly and unilaterally change the rules from under them.
Put a different way: not your contract upgrade keys, not your stolen crypto.
“Someone” - Jump, more likely than not - obtained over 120K worth of ETH that got stolen from Wormhole over a year ago by temporarily taking over an Oasis upgradeable contract.
Looks like the Wormhole hackers didn’t keep in mind that upgradeable contracts could suddenly and unilaterally change the rules from under them.
Published: 2023-02-27