What Is a Solana Program Upgrade Authority and Why It Creates Risk
A program upgrade authority can change a smart contract's code after you deposit into it. Learn what this means, how to check for it, and when it's acceptable vs. a critical red flag.
The power to change the rules after you've committed
When you deploy a Solana program (smart contract), you have the option to retain an upgrade authority — the ability to deploy new code to the same program address in the future, replacing the old code with new logic. This is a powerful and useful capability during development: developers can fix bugs, add features, and improve their protocols without requiring users to migrate to a new contract address.
It's also a powerful attack vector. An upgrade authority held by a single wallet — or a malicious team — means any code change is possible: code that captures user funds, removes withdrawal capabilities, or changes fee structures without warning. Understanding when upgrade authority is a reasonable feature and when it's a critical risk is essential for evaluating any Solana protocol.
What a program upgrade authority can do
With an active upgrade authority, the holder can deploy new bytecode to the program address. This new code can do anything — including changing the logic that controls access to user funds deposited in accounts owned by the program. In practice, a malicious upgrade could theoretically redirect user withdrawals to the attacker's wallet, disable withdrawals entirely, or change fee parameters to drain deposited capital.
This is not a theoretical concern. Several DeFi protocols have had upgrade authorities exploited or abused — either through direct malice, through key compromise, or through governance attacks that obtained upgrade authority.
How to check upgrade authority on Solana
For any Solana program you interact with:
- Find the program ID (usually listed in the protocol's documentation)
- Search the program ID on Solscan
- Look for the "Upgrade Authority" field in the program details
- If the field shows a wallet address: active upgrade authority exists
- If the field shows null or a system address: upgrade authority has been burned (renounced), making the code immutable
When upgrade authority is acceptable vs. a red flag
Acceptable: Upgrade authority controlled by a 3-of-5 or 4-of-7 multi-sig with public signers, combined with a time lock (24–72 hours between approval and execution) and a transparent governance process. This provides upgrade capability while requiring coordination and creating an observation window.
Red flag: Upgrade authority held by a single wallet with no time lock — especially if that wallet belongs to the team, is unidentified, or has limited verifiable history. Any upgrade can happen instantly and without warning.
Gold standard: Upgrade authority burned (renounced). The code is immutable. What you deposit into is the code that will handle your funds forever. Provides the strongest protection but eliminates the ability to fix bugs.
Hannisol checks program upgrade authority status as part of its automated token and protocol analysis. Check any token at Hannisol.
Ready to apply this to a real token?
Run any Solana mint address through Hannisol's 8-dimension risk engine — free, no signup required.
Analyze a token on Hannisol →
