Compound's protocol is upgradeable via a single admin key with a 2-day timelock. Compound claims to use an "offline multi-party process" for key security.
Update: Feb 26, 2020 Compound has announced the development of a token-based governance system which would aim to eliminate the need for the admin key described here. Transition date is still TBD.
Yes ⚠️
Timelock: 2 days Multisig: None
"Offline multi-party process"
Unverifiable ⚠️
https://etherscan.io/address/0x6d903f6003cca6255d85cca4d3b5e5146dc33925
Open Zeppelin Audit Summary Compound Blog Post on Governance Compound Timelock Interface ✅