> For the complete documentation index, see [llms.txt](https://docs.bextree.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bextree.com/security/upgrade-authority.md).

# Upgrade Authority

The upgrade authority of a Solana program can replace its code entirely — it is the single most powerful key in any program's security model, and it deserves the most scrutiny.

## Current state (verifiable on-chain)

All three Bextree programs share one upgrade authority:

[`8n5xWEtc6p6xcphGLFFM3RAeXE5WQhXJg3aAPxk3bzDT`](https://solscan.io/account/8n5xWEtc6p6xcphGLFFM3RAeXE5WQhXJg3aAPxk3bzDT)

This is a **Squads multisig vault** — no single person can sign an upgrade. You can verify the authority yourself on Solscan: open any [program ID](/security/program-ids.md) and check its upgrade authority field.

## Policy

* **No single-key upgrades.** Program upgrades require multi-party approval through the Squads vault, with member keys held on separate hardware wallets.
* **Program deploy keypairs are cold** — they sign only at deploy/upgrade time and live in offline storage otherwise.
* **Immutability is the end state.** Upgradeability is retained through beta and early mainnet because young programs need the ability to fix bugs. Once the programs have an audit and operational history behind them, the intended end state is to burn the upgrade authority and make them immutable.

## What this protects against

* A single compromised laptop or key cannot ship malicious program code.
* An insider cannot unilaterally modify escrow logic.
