Sky Faces Security Concerns Over $756M USDC Custody in Lite PSM

On Dec 6, 2024 at 6:11 pm UTC

Security concerns have surfaced regarding Sky’s Lite PSM system, where $756 million in USDC is controlled by an externally owned account, raising questions about potential vulnerabilities and withdrawal risks.

Sky, formerly known as MakerDAO, has found itself in the spotlight following concerns raised about the security of $756 million in USDC held within its “Lite PSM” (Peg Stability Module).

X user Will Morris first highlighted the concerns, noting that the Lite PSM design relies on an externally owned account (EOA) to manage the substantial USDC balance. According to Morris, this setup could expose the funds to a potential exploit, also known as a “rug pull.” The key issue is that whoever controls the EOA has unrestricted access to withdraw the funds at any time, which could pose a significant risk to the safety of the assets.

Security Flaw in Custody Design

Morris argued that relying on an EOA for custody introduces unnecessary security risks. He pointed out that a more transparent and secure option would be to use smart contracts, which could offer better safeguards.

“I believe the previous design allowed the PSM to custody its own USDC without the involvement of privileged accounts,” Morris explained. He expressed his preference for a model where the PSM would independently control the USDC, removing the need for external access that could compromise funds.

Morris also revealed that he had submitted a bug report to Immunefi, a bug bounty platform for blockchain and smart contract projects. However, the report was dismissed on the grounds that issues relating to privileged addresses fall outside the platform’s scope.

“I have submitted a bug report via Immunefi. This report was closed because ‘impacts caused by attacks requiring access to privileged addresses are out of scope,’” Morris wrote on X.

Coinbase’s Sid Ramesh Responds

Adding further depth to the conversation, Sid Ramesh, Coinbase’s Product & Consumer Onchain Lead, weighed in on the discussion. While acknowledging Morris’ concerns, Ramesh clarified that he was not the right person to comment on Coinbase’s involvement in the situation.

He emphasized that Coinbase follows strict audits and processes for its multi-party computation (MPC) technology. However, his statement opened the possibility for further clarification on Coinbase’s role, suggesting that more information could be shared later.

In a related development, Rune Christensen, co-founder of Sky, told Cointelegraph that the private keys needed to reconstitute the MPC account were destroyed during the initial setup with Coinbase Custody.

While addressing these security concerns, Sky is also implementing significant changes to its economic structure. Co-founder Christensen has proposed shifting to a deflationary model that would permanently halt new token emissions. Instead, the focus would shift to burning existing tokens, which he believes would increase the protocol’s resilience and better align with the original tokenomics design.
