# Contract upgrades, admin keys, hacks & exploits

* TaaE tokens have fixed scope and duration. 
* Every phase change, from bootstrap, distribution and redemption is one-way with predictable timing. 
* The final state of the system is that hodlers receive rewards and slowly drop out to the underlying asset as a one-way move, or hold a frozen asset indefinitely if they choose to. 
* Every new token event requires a new Trust with its own lifecycle. 
* If a vulnerability is found in a version of the Trust the theoretical maximum damage of an exploit is capped at the current locked reserve across the pool and token across vulnerableTrust contracts. 
* By versioning and newly deploying Trust contracts, any fix to a discovered exploit will be available for all new Trust contracts after that point. There are no admin keys as the Trust performs all administrative tasks on the child contracts.