Great question — this is one of those core DeFi design trade-offs that doesn’t have a one-size-fits-all answer.

I’ve worked on a couple projects that used UUPS proxies, mainly because of their gas efficiency and smaller bytecode footprint. But yeah, you’re spot on — the flexibility comes with added risk, especially around the upgrade function and delegatecall handling. A single bad upgrade (or compromised admin) can tank everything.

Here’s what we’ve learned from experience:

🔐 Multi-Sig Admin: Absolute must. We usually go with a 3-of-5 or 4-of-7 Gnosis Safe setup for upgrade functions, depending on team size. Add diverse keyholders (not just devs) and include a recovery mechanism if one signer loses access.

⏱ Timelocks: Super important for transparency and user trust. We use a 48–72 hour timelock on all critical upgrades — enough time for the community and security folks to spot anything suspicious.

🛡 Upgradeable + Immutable Combo: One pattern we’ve seen work well is using immutable contracts for core logic or funds custody, and wrapping upgradeable logic around the periphery — e.g., strategy modules, fee logic, etc. This lets you adapt while keeping the “money layer” locked down.

🧠 Audit-Ready Upgrade Plans: When planning an upgrade, we treat it like a new deployment: full internal review, ideally external audit (even if light), and open-source the proposed code ahead of time. You’d be surprised how often the community spots something even auditors miss.

🧱 Governance Layers: Some protocols push upgrade powers to token governance, but that opens up new risks (governance capture, low voter participation). Works best when paired with clear quorum + delay rules and maybe a security council override.

All that said, if your protocol is simple, sometimes immutability is underrated — less to worry about, and users trust you more when there’s nothing to “rug.”

Would love to hear others’ experiences too. These trade-offs are where protocol design really gets interesting.