Chimamanda is a crypto enthusiast and experienced writer focusing on the dynamic world of cryptocurrencies. She joined the industry in 2019 and has since developed an interest in the emerging economy. She combines her passion for blockchain technology with her love for travel and food, bringing a fresh and engaging perspective to her work.
Key Notes
- Security expert Will Morris identified that Sky's Lite PSM relies on an externally owned account (EOA) with unrestricted access to withdraw $756M in USDC, presenting significant security risks.
- Coinbase's Sid Ramesh acknowledged the concerns while emphasizing the strict audits Coinbase applies to its MPC technology, though he declined to comment specifically on Coinbase's involvement.
- Sky co-founder Rune Christensen confirmed that the private keys for the MPC account were destroyed during the initial setup with Coinbase Custody, and separately proposed a shift to a deflationary token model.
Sky, formerly known as MakerDAO, has found itself in the spotlight following concerns raised about the security of $756 million in USDC held within its “Lite PSM” (Peg Stability Module).
X user Will Morris first highlighted the concerns, noting that the Lite PSM design relies on an externally owned account (EOA) to manage the substantial USDC balance. According to Morris, this setup could expose the funds to an insider withdrawal, commonly known as a “rug pull.” The key issue is that whoever holds the EOA’s private key has unrestricted access to withdraw the funds at any time, which poses a significant risk to the safety of the assets.
Security Flaw in Custody Design
Morris argued that relying on an EOA for custody introduces unnecessary security risks. He pointed out that a more transparent and secure option would be to use smart contracts, which could offer better safeguards.
“I believe the previous design allowed the PSM to custody its own USDC without the involvement of privileged accounts,” Morris explained. He expressed his preference for a model where the PSM would independently control the USDC, removing the need for external access that could compromise funds.
There is only one way an EOA could be secure here: if the USDC approve transaction was signed using Nick's method. It appears that it was not. Even then, it would be better transparency to have a smart contract that can only do the approval. https://t.co/BtdJZ4Fr86
— wjmelements (@willmorriss4) December 6, 2024
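Morris’s suggested alternative is a contract that holds the USDC and is only able to grant the PSM an allowance, with no path for any key holder to move the tokens. The contract below is an added illustration of that design and is not Sky’s code, nor the Lite PSM’s: the name `ApprovalOnlyCustodian`, the constructor parameters and the function names are assumptions for this example. Because the custodian is a contract rather than an EOA, anyone can confirm on chain that the holder has bytecode and read exactly what that bytecode can do, which is the transparency point Morris raises.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (USDC implements both calls).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Illustrative custodian (not Sky's code): holds a stablecoin on behalf of a
/// peg-stability module and can do exactly one thing with it, grant that
/// module an allowance. There is no transfer, withdraw, delegatecall or
/// arbitrary-call function, so no deployer key or EOA can move the tokens.
contract ApprovalOnlyCustodian {
    IERC20 public immutable token; // e.g. USDC (address assumed at deploy time)
    address public immutable psm;  // the only spender that can ever be approved

    constructor(IERC20 _token, address _psm) {
        require(address(_token) != address(0) && _psm != address(0), "zero address");
        token = _token;
        psm = _psm;
    }

    /// Permissionless: anyone may call it, but it can only ever approve the
    /// fixed PSM address. Calling it again after the PSM has drawn on the
    /// allowance simply restores the unlimited allowance.
    function approvePsm() external {
        require(token.approve(psm, type(uint256).max), "approve failed");
    }

    /// Monitoring view: how much the custodian currently holds.
    function held() external view returns (uint256) {
        return token.balanceOf(address(this));
    }
}
```

Two points for anyone reviewing such a design: the trust that previously sat with the EOA key now sits entirely with the PSM contract’s own code, so the PSM’s upgrade and access-control paths deserve the same scrutiny; and `approvePsm` deliberately takes no parameters, because an `approve(spender, amount)` function that accepted a caller-supplied spender would reintroduce the very privileged path the design is meant to remove.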
Morris also revealed that he had submitted a bug report to Immunefi, a bug bounty platform for blockchain and smart contract projects. However, the report was dismissed on the grounds that issues relating to privileged addresses fall outside the platform’s scope.
“I have submitted a bug report via Immunefi. This report was closed because ‘impacts caused by attacks requiring access to privileged addresses are out of scope,’” Morris wrote on X.
Coinbase’s Sid Ramesh Responds
Adding further depth to the conversation, Sid Ramesh, Coinbase’s Product & Consumer Onchain Lead, weighed in on the discussion. While acknowledging Morris’ concerns, Ramesh clarified that he was not the right person to comment on Coinbase’s involvement in the situation.
He emphasized that Coinbase follows strict audits and processes for its multi-party computation (MPC) technology. He left open the possibility of further clarification on Coinbase’s role, suggesting that more information could be shared later.
In a related development, Rune Christensen, co-founder of Sky, told Cointelegraph that the private keys needed to reconstitute the MPC account were destroyed during the initial setup with Coinbase Custody.
While addressing these security concerns, Sky is also implementing significant changes to its economic structure. Co-founder Christensen has proposed shifting to a deflationary model that would permanently halt new token emissions. Instead, the focus would shift to burning existing tokens, which he believes would increase the protocol’s resilience and better align with the original tokenomics design.
Disclaimer: Coinspeaker is committed to providing unbiased and transparent reporting. This article aims to deliver accurate and timely information but should not be taken as financial or investment advice. Since market conditions can change rapidly, we encourage you to verify information on your own and consult with a professional before making any decisions based on this content.