Smart contract code can't be modified after being deployed to the blockchain. In order to facilitate potential upgrades, bug fixes or security updates, Term Finance smart contracts adopt OpenZeppelin's implementation of the UUPS Proxy Pattern to facilitate necessary updates, with the intent to gradually remove upgradeability altogether over time.

Consistent with OpenZeppelin's recommendation for smart contracts that adopt the UUPS proxy pattern, the _authorizeUpgrade function is overridden to restrict access to an address set to the DEVOPS_ROLE. The Protocol assigns the DEVOPS_ROLE to an "ownerless" Gnosis Safe with a 24-hour timelock restriction and invalidator controls to override unintentional or malicious upgrades. More details on the architecture is detailed below.

DEVOPS_ROLE Contract Architecture

The DEVOPS_ROLE is reserved for the most sensitive Protocol admin actions (including upgrades) and is assigned to the DevOps "Ownerless" Safe. Transactions through the DevOps "Ownerless" Safe can only be executed via the Zodiac Delay Modifier. Specifically, the DevOps-Proposer Gnosis Safe (5/9) may initiate actions via the Zodiac Delay Modifier that imposes a 24-hour time-lock with a 24-hour expiration period. The DevOps-Proposer Gnosis Safe (5/9) is also able to invalidate any malicious or unintended transactions pending in queue during the 24-hour time-lock period.