Monitoring Queued Upgrades¶
Queued upgrades are the main detection window between governance intent and code execution.
Monitor Inputs¶
| Input | Required check |
|---|---|
UpgradeProposed | Decode full payload and reproduce operation id. |
UpgradeQueued | Record queuedAt, readyAt, and monitoring owner. |
| Implementation address | Verify code hash and metadata still match the release package. |
| Target address | Verify target remains registered under expected kind. |
| Proxy/beacon state | Read live implementation before execute. |
| Role events | Detect unexpected grants, revokes, role-admin transfer, or guardian loss. |
| Registrar events | Detect target or genesis approval changes during the queue. |
Review Cadence¶
- Immediate automated alert at proposal and queue.
- Human review at queue creation.
- Secondary review 24 hours before
readyAt. - Final go/no-go immediately before execution.
Abort Conditions¶
Cancel the operation if:
- implementation bytecode differs from reviewed artifact;
- metadata values differ from release plan;
- calldata selector or arguments differ from runbook;
- target kind or registration is unexpected;
- a relevant role was changed during the window without approval;
- vulnerability intelligence appears during the delay;
- deposit or claim windows cannot be safely paused around execution.
Evidence Archive¶
Archive operation id, event logs, decoded calldata, target and implementation reads, code hashes, policy assertion outputs, signer approvals, monitoring timeline, cancellation decision if any, and post-execution assertions.