It is tempting to build administrative controls such as upgrade or update mechanisms into smart contracts to allow for greater flexibility. If there are valid reasons to have them is a heated topic and actively discussed in the community. Our own perspective is that administrative accounts in smart contracts are a security anti-pattern and one of the design goals of the root chain contracts is to reduce administrative abilities as much as possible. So where do we draw the line and what are the guiding principles around administrative controls? User funds on the plasma chain need to be as secure as if they were on the root chain and even if the operator is compromised users can still exit their funds within the defined exit period. This property must always hold under all circumstances and any administrative controls in the root chain contracts must not violate this characteristic of Plasma.