In February we completed a second round of security audits with Trail of Bits. You can view the full report here (PDF).
This audit focused on our slashing protocol, contract upgrade scheme, and multisig contract. One of Trail of Bits' primary recommendations was to avoid using the proxy pattern for upgrading our smart contracts. In the report and this blog post, they point out several concerns with the proxy pattern and instead recommend migration-based upgrades.
While we recognize the proxy pattern has major downsides, we believe it is the best approach for our specific situation for the reasons outlined in our blog post on the subject.
As explained in that post, the centerpiece of our risk mitigation is verifying the storage layout of the previously deployed contract against that of the candidate before any upgrade. We deploy the candidate contract to the blockchain and then run checks that compare its storage layout with the layout of the contract currently behind the proxy. This doesn't make upgrades 100% safe (nothing does), but because the main storage slots are checked on-chain, an incompatible contract cannot be upgraded to even if it lands in our repository and even if someone tries to force the upgrade.
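The post describes an on-chain slot check; the compile-time half of the same idea is a diff of the compiler's storage layout for the deployed and candidate contracts. The script below is an added example, not the project's own tooling: it compares two layouts in the shape of `solc --storage-layout` output for a hypothetical `Vault` contract (all entries are constructed) and flags every way a proxy upgrade can corrupt state: a variable that was removed or renamed, a variable whose slot or offset moved, a variable whose type changed in place, and a new variable whose bytes overlap storage the old contract already used. The function names (`layout_diff`, `is_upgrade_safe`) are this example's own.

```python
"""Proxy-upgrade storage-layout compatibility check over solc storage layouts.

Added example with constructed data; the layouts mimic the `storage` and `types`
sections that `solc --storage-layout` emits for a hypothetical Vault contract.
"""
from typing import Dict, List, Tuple

# Type table shared by all layouts below (type ids are stable across compiles).
TYPES: Dict[str, Dict[str, str]] = {
    "t_address": {"encoding": "inplace", "label": "address", "numberOfBytes": "20"},
    "t_bool": {"encoding": "inplace", "label": "bool", "numberOfBytes": "1"},
    "t_uint128": {"encoding": "inplace", "label": "uint128", "numberOfBytes": "16"},
    "t_uint256": {"encoding": "inplace", "label": "uint256", "numberOfBytes": "32"},
    "t_mapping(t_address,t_uint256)": {"encoding": "mapping", "key": "t_address",
        "label": "mapping(address => uint256)", "numberOfBytes": "32", "value": "t_uint256"},
}

# Layout of the contract currently behind the proxy (constructed).
DEPLOYED_LAYOUT = {"types": TYPES, "storage": [
    {"label": "owner", "offset": 0, "slot": "0", "type": "t_address"},
    {"label": "paused", "offset": 20, "slot": "0", "type": "t_bool"},   # packed after owner
    {"label": "totalStake", "offset": 0, "slot": "1", "type": "t_uint256"},
    {"label": "stakes", "offset": 0, "slot": "2", "type": "t_mapping(t_address,t_uint256)"},
]}

# Safe candidate: the new variable is appended after all existing storage.
CANDIDATE_OK = {"types": TYPES, "storage": DEPLOYED_LAYOUT["storage"] + [
    {"label": "slashRate", "offset": 0, "slot": "3", "type": "t_uint256"},
]}

# Unsafe candidate: slashRate declared before totalStake shifts every later slot.
CANDIDATE_SHIFTED = {"types": TYPES, "storage": [
    {"label": "owner", "offset": 0, "slot": "0", "type": "t_address"},
    {"label": "paused", "offset": 20, "slot": "0", "type": "t_bool"},
    {"label": "slashRate", "offset": 0, "slot": "1", "type": "t_uint256"},
    {"label": "totalStake", "offset": 0, "slot": "2", "type": "t_uint256"},
    {"label": "stakes", "offset": 0, "slot": "3", "type": "t_mapping(t_address,t_uint256)"},
]}

# Unsafe candidate: totalStake narrowed to uint128 so slashRate packs into its upper bytes.
CANDIDATE_RETYPED = {"types": TYPES, "storage": [
    {"label": "owner", "offset": 0, "slot": "0", "type": "t_address"},
    {"label": "paused", "offset": 20, "slot": "0", "type": "t_bool"},
    {"label": "totalStake", "offset": 0, "slot": "1", "type": "t_uint128"},
    {"label": "slashRate", "offset": 16, "slot": "1", "type": "t_uint128"},
    {"label": "stakes", "offset": 0, "slot": "2", "type": "t_mapping(t_address,t_uint256)"},
]}


def _byte_span(entry: Dict, types: Dict) -> Tuple[int, int]:
    """Absolute byte range [start, end) a variable occupies, slots being 32 bytes wide."""
    start = int(entry["slot"]) * 32 + int(entry["offset"])
    return start, start + int(types[entry["type"]]["numberOfBytes"])


def layout_diff(old: Dict, new: Dict) -> List[str]:
    """Return a list of incompatibilities; an empty list means the upgrade keeps every old slot intact."""
    problems: List[str] = []
    new_by_label = {entry["label"]: entry for entry in new["storage"]}
    old_spans: List[Tuple[int, int]] = []

    for old_var in old["storage"]:
        old_spans.append(_byte_span(old_var, old["types"]))
        new_var = new_by_label.get(old_var["label"])
        if new_var is None:
            problems.append(f"{old_var['label']}: removed or renamed")
            continue
        if (int(new_var["slot"]), int(new_var["offset"])) != (int(old_var["slot"]), int(old_var["offset"])):
            problems.append(f"{old_var['label']}: moved from slot {old_var['slot']}+{old_var['offset']} "
                            f"to slot {new_var['slot']}+{new_var['offset']}")
        old_type, new_type = old["types"][old_var["type"]], new["types"][new_var["type"]]
        if (old_type["label"], old_type["numberOfBytes"]) != (new_type["label"], new_type["numberOfBytes"]):
            problems.append(f"{old_var['label']}: type changed from {old_type['label']} to {new_type['label']}")

    # New variables may only use bytes the old contract never wrote to.
    old_labels = {entry["label"] for entry in old["storage"]}
    for new_var in new["storage"]:
        if new_var["label"] in old_labels:
            continue
        start, end = _byte_span(new_var, new["types"])
        if any(start < old_end and old_start < end for old_start, old_end in old_spans):
            problems.append(f"{new_var['label']}: new variable overlaps existing storage at slot {new_var['slot']}")
    return problems


def is_upgrade_safe(old: Dict, new: Dict) -> bool:
    """Gate an upgrade on an empty diff, the way a deployment script would."""
    return not layout_diff(old, new)


if __name__ == "__main__":
    for name, candidate in [("ok", CANDIDATE_OK), ("shifted", CANDIDATE_SHIFTED), ("retyped", CANDIDATE_RETYPED)]:
        print(name, "safe" if is_upgrade_safe(DEPLOYED_LAYOUT, candidate) else layout_diff(DEPLOYED_LAYOUT, candidate))
```

The overlap check is what catches the subtle case: in `CANDIDATE_RETYPED` no slot number changes, yet `slashRate` would read the upper sixteen bytes of the old `totalStake` as its initial value. A check that only compares slot numbers, or only runs against the source repository rather than the layout of what is actually deployed, would pass it.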