I'm about to relaunch my project and I'm thinking of deploying an upgradeable contract. But someone told me that it's not safe for holders. Is that true? If it's really unsafe, is there a safe way to use an upgradeable contract? I saw that SafeMoon uses an upgradeable contract and nobody said that it's not good.
If you are using an upgradable proxy and have the admin key, you can replace the contract with one that steals all the tokens/ETH.
Some projects use an admin contract instead, to do governance, and only upgrade after a vote.
Any contract using an upgradable proxy with an admin address != address(0) is 100% centralized around that key holder and of course 100% ruggable.
So an upgradable proxy with the admin key is not safe!
About this system that uses voting, is it safer? How can I look it up? "upgradable proxy after vote"?
OpenZeppelin has governance contracts available. An admin contract can be implemented using it.
Who would vote? The DEVS? Or the holders?
Let's say we have 10.000 holders but just 1000 are active... the others left some small quantity.
How will the votes be considered?
It depends on which guarantees you want to express in your contract. Voting on a new contract means that the people voting are aware of changes to the logic. This is probably the token holders in your case.
Maybe it's easy to create a governance-only token and issue it to token holders depending on activity and possibly finding a way to reward the participation in the voting process.
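
How votes are counted when only some holders take part, as an added example that is not from this thread or from OpenZeppelin's contracts. It assumes weight by token balance at a snapshot and a quorum given as a percentage of total supply; every balance and ballot below is constructed around the 10,000 holders / 1,000 active split from the question.

```python
# Added example: token-weighted upgrade vote with a quorum (assumed rules, constructed data).
from collections import Counter

def tally(balances, ballots, quorum_pct):
    """Count a vote by snapshot balance, not by head count.

    balances:   holder -> tokens held at the snapshot
    ballots:    holder -> "for" | "against" | "abstain" (non-voters are absent)
    quorum_pct: share of total supply that must vote for the result to count
    """
    weight = Counter()
    for holder, choice in ballots.items():
        if choice not in ("for", "against", "abstain"):
            raise ValueError(f"unknown choice {choice!r}")
        weight[choice] += balances.get(holder, 0)  # no tokens at snapshot, no weight
    supply = sum(balances.values())
    turnout = sum(weight.values())
    quorum_ok = turnout * 100 >= quorum_pct * supply
    return {
        "turnout_pct": turnout * 100 / supply,
        "quorum_ok": quorum_ok,
        "approved": quorum_ok and weight["for"] > weight["against"],
    }

def thread_scenario():
    # Constructed: 10,000 holders, 9,000 inactive with 10 tokens each,
    # 1,000 active with 910 tokens each (supply = 1,000,000).
    balances = {f"h{i}": (910 if i < 1000 else 10) for i in range(10_000)}
    ballots = {f"h{i}": ("for" if i < 600 else "against" if i < 900 else "abstain")
               for i in range(1000)}
    return tally(balances, ballots, quorum_pct=20)

def whale_scenario():
    # Constructed: one address holds 60% of supply and is the only voter.
    balances = {"whale": 600_000, **{f"h{i}": 40 for i in range(10_000)}}
    return tally(balances, {"whale": "for"}, quorum_pct=20)

if __name__ == "__main__":
    print(thread_scenario())
    print(whale_scenario())
```

In the second scenario a single address approves the upgrade alone, so a vote only removes the admin-key risk when the voting tokens are themselves widely distributed.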