# Upgradability & Opt-in Proxy
Lagoon vaults use a [Transparent Upgradable Proxy](https://rareskills.io/post/transparent-upgradeable-proxy). This allows the vault admin to upgrade the vault logic when needed.
Lagoon uses extended versions of the [OpenZeppelin Transparent Upgradeable Proxy](https://docs.openzeppelin.com/contracts/5.x/api/proxy#TransparentUpgradeableProxy) and [ProxyAdmin](https://docs.openzeppelin.com/contracts/5.x/api/proxy#ProxyAdmin), adding two features: an Opt-in system and a Delay mechanism.
## Opt-in system
The owner of [ProxyAdmin](https://docs.openzeppelin.com/contracts/5.x/api/proxy#ProxyAdmin) can upgrade its vault to any implementation that has been reviewed and whitelisted by Lagoon. He can also roll back to a previous version at any time.
## Delay mechanism
Every upgrade is subject to a mandatory waiting period before it takes effect. This gives investors time to evaluate the incoming change and exit the vault if needed.
The delay window is **configurable by the vault admin**, within the protocol bounds of 24 hours (minimum) to 30 days (maximum). Changing the delay itself is also subject to the same delay mechanism.
## Design
### Opt-in Proxy
The Opt-in Proxy is what you will usually consider as the vault. This contract is a TransparentUpgradbleProxy by OpenZeppelin with two differences. First it doesn't deploy a ProxyAdmin but DelayProxyAdmin. Second, before each implementation update, it will asked the authorization to the ProtocolRegistry, by calling `canUseLogic(address oldLogic, address newLogic).`
### ProtocolRegistry
A protocol level smart-contract that contains a whitelist of authorized implementations.
| Function | Description |
| ------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| `canUseLogic(address oldLogic, address newLogic) returns (boolean)` | This function checks if newLogic is an authorized Lagoon vault version, in this case, it returns true. |
### DelayProxyAdmin
A Proxy Admin is a smart-contract deployed by an Opt-inProxy at its creation. This contract is the only address that can upgrade the Opt-inProxy.
The DelayProxyAdmin has an editable owner that is the only one capable of doing the following calls:
| Function | Description |
| --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| `submitImplementation(address _implementation) onlyOwner` | Submit an address in the DelayProxyAdmin contract. When the delay is passed, the owner can upgrade the contract to this address. |
|
upgradeAndCall( address proxy, address, bytes memory data ) onlyOwner
| Upgrade the target proxy using the implementation previously stored via submitImplementation. |
|
submitDelay( uint256 \_delay ) onlyOwner
| Submit a new delay. When the current delay is passed, the new delay can be applied. |
| `function updateDelay() onlyOwner` | Update the value of the delay to be the one previously submitted via submitDelay. |
| `renounceOwnership() onlyOwner` | Renounce the ownership of the DelayAdminProxy making it unusable. |
| `function transferOwnership(address newOwner)` | Transfer the ownership and thus the vault upgradability management to another address. |
### Q\&A
Can I make my vault immutable ?
Yes, a vault can become immutable if the owner of DelayProxyAdmin gives up his ownership.
Can I rollback a vault upgrade ?
Any form of downgrades are authorized for now. Note that a downgrade won't reinitialize the state of your vault, which means that if you downgrade to the previous version, you will get back the previous state.
How can I be informed of new vault versions releases ?
Stay updated on Lagoon developments [here](https://t.me/+mvB7YsN80P5jNTVk).
Are the vault owner (admin) and the DelayProxyAdmin owner the same ?
No, those are two different variables present in two different contracts.\
The vault owner, that we usually call the admin if defined [here](https://docs.lagoon.finance/vault/roles-and-capacities/vault-admin). His scope is exclusively over the vault roles and operations. On the other hand, the owner of the DelayProxyAdmin can only do operations related to the upgradability of the proxy.\
They can have the same value but changing one won't change the other.
