Security concerns have surfaced regarding Sky’s Lite PSM system, where $756 million in USDC is controlled by an externally owned account, raising questions about potential vulnerabilities and withdrawal risks.
Sky, formerly known as MakerDAO, has found itself in the spotlight following concerns raised about the security of $756 million in USDC held within its “Lite PSM” (Peg Stability Module).
X user Will Morris first highlighted the concerns, noting that the Lite PSM design relies on an externally owned account (EOA) to manage the substantial USDC balance. According to Morris, this setup could expose the funds to a potential exploit, also known as a “rug pull.” The key issue here is that the EOA account holder has unrestricted access to withdraw the funds at any time, which could pose a significant risk to the safety of the assets.
Security Flaw in Custody Design
Morris argued that relying on an EOA for custody introduces unnecessary security risks. He pointed out that a more transparent and secure option would be to use smart contracts, which could offer better safeguards.
“I believe the previous design allowed the PSM to custody its own USDC without the involvement of privileged accounts,” Morris explained. He expressed his preference for a model where the PSM would independently control the USDC, removing the need for external access that could compromise funds.
There is only one way an EOA could be secure here: if the USDC approve transaction was signed using Nick's method. It appears that it was not. Even then, it would be better transparency to have a smart contract that can only do the approval. https://t.co/BtdJZ4Fr86
— wjmelements (@willmorriss4) December 6, 2024
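The alternative Morris describes, a contract that “can only do the approval”, as an added illustration that is not Sky's Lite PSM code: a hypothetical vault that holds the token and whose only privileged action is setting an ERC-20 allowance for one spender fixed at deployment. The token and spender addresses are constructor parameters assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the vault.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// @notice Illustrative custody vault (hypothetical, not Sky's code): holds a
/// token such as USDC and can only grant allowance to one fixed spender (the
/// PSM). There is no transfer function, no owner and no upgrade path, so no
/// key holder can move the balance anywhere except through the PSM itself.
contract ApproveOnlyCustody {
    IERC20 public immutable token;    // token held (USDC in the article)
    address public immutable spender; // the only address that may be approved (the PSM)

    event AllowanceSet(address indexed spender, uint256 amount);

    constructor(IERC20 token_, address spender_) {
        require(address(token_) != address(0) && spender_ != address(0), "zero address");
        token = token_;
        spender = spender_;
    }

    /// @notice Anyone may refresh the allowance; the spender cannot be changed.
    /// Re-approving is harmless because the spender is fixed, and it lets the
    /// allowance be topped up if the PSM has drawn it down.
    function refreshAllowance() external {
        uint256 amount = type(uint256).max;
        require(token.approve(spender, amount), "approve failed");
        emit AllowanceSet(spender, amount);
    }

    /// @notice Convenience view for monitoring the custodied balance.
    function custodiedBalance() external view returns (uint256) {
        return token.balanceOf(address(this));
    }
}
```

Because the contract has no code path that calls `transfer`, the custodied balance can only leave through `transferFrom` by the fixed spender, which is the property an EOA cannot offer.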
Morris also revealed that he had submitted a bug report to Immunefi, a blockchain platform known for identifying vulnerabilities in smart contracts. However, the report was dismissed on the grounds that issues relating to privileged addresses fall outside the platform’s scope.
“I have submitted a bug report via Immunefi. This report was closed because ‘impacts caused by attacks requiring access to privileged addresses are out of scope,’” Morris wrote on X.
Coinbase’s Sid Ramesh Responds
Adding further depth to the conversation, Sid Ramesh, Coinbase’s Product & Consumer Onchain Lead, weighed in on the discussion. While acknowledging Morris’ concerns, Ramesh clarified that he was not the right person to comment on Coinbase’s involvement in the situation.
He emphasized that Coinbase follows strict audits and processes for its multi-party computation (MPC) technology. However, his statement left room for further clarification of Coinbase’s role, suggesting that more information could be shared later.
In a related development, Rune Christensen, co-founder of Sky, told Cointelegraph that the private keys needed to reconstitute the MPC account were destroyed during the initial setup with Coinbase Custody.
While addressing these security concerns, Sky is also implementing significant changes to its economic structure. Co-founder Christensen has proposed shifting to a deflationary model that would permanently halt new token emissions. Instead, the focus would shift to burning existing tokens, which he believes would increase the protocol’s resilience and better align with the original tokenomics design.