makerdao.com
Summary
Sky Protocol (formerly MakerDAO) is a battle-tested CDP stablecoin system with roughly $5.8B in Ethereum collateral and ~$12.3B in combined DAI/USDS supply across seven chains. It has operated for nine years without a confirmed direct smart-contract hack, backed by a $10M Immunefi bounty and extensive audits, but the 2024 Endgame rebrand added cross-chain bridges, Allocator credit lines, and modular agent upgrades that expand the attack surface. Primary concerns are stablecoin backing opacity (~57% of supply minted via governance credit lines rather than hard-locked vaults), nine unverified core contracts, single-path Chronicle oracles, and SKY-weighted governance without an institutional multisig. Overall risk is moderate at 4.8/10.
Trust Assumptions
Users trust that Chronicle oracle feeds and 1-hour OSM delays will remain accurate under market stress, that Allocator credit lines to Spark, Bloom, and OBEX will not produce unrecoverable bad debt, and that SKY holders voting through the Chief contract will act in the protocol's interest during the 48-hour timelock window before executive spells execute. Bridged USDS holders additionally trust SkyLink OP Stack escrows and LayerZero peer configuration on Solana, all administered by the same governance-controlled Pause Proxy rather than any single-key admin.
What Could Go Wrong
A Chronicle oracle failure or manipulation during extreme volatility could trigger mass liquidations or leave positions undercollateralized, echoing the $8.3M Black Thursday losses in 2020. A compromised or rushed governance spell could upgrade the UUPS USDS proxy, reconfigure LayerZero bridge peers, or expand Allocator debt ceilings—minting unbacked stablecoins before the community can react within the 48-hour delay. Allocator-heavy backing (~$7.4B via credit lines) has not been stress-tested at current scale; a Spark or sub-protocol default could force MKR/SKY debt auctions and destabilize the peg.
Recommendation
Sky Protocol is suitable for considered capital allocation given its operational history, timelocked governance, and deep audit program, but investors should treat headline stablecoin supply as distinct from immediately liquidatable CDP collateral. Monitor Allocator debt utilization, Chronicle oracle migrations, and any executive spells touching USDS upgrades or bridge configuration. Reduce exposure if unverified contracts remain unaudited, SKY voting concentration increases beyond the current ~30% in Chief, or bridged USDS supply grows faster than verified escrow backing on L2s and Solana.
Key Findings (30)
Analysis Sections
Sky Protocol uses SKY-weighted executive spell voting via Chief (0x929d9a) with a 48-hour DSPause timelock before MCD_PAUSE_PROXY (0xbe8e3e) executes upgrades. On-chain: pause owner is zero, authority is Chief; current hat is spell 0x0ae3371e…; gov token is SKY. No multisig—token holders control all upgrades. Endgame StarGuard/SubProxy adds 7-day-delayed subDAO paths also warded by the pause proxy. L2 SkyLink governance relays (Base/Arb/Opt) are pause-proxy-controlled on L1; LayerZero OFT owner is pause proxy. Several bridge/agent contracts remain unverified, expanding governance surface.
Findings (8)
OpenZeppelin disclosed a critical DSChief flaw in May 2019 that could have permanently locked ~$100M MKR in the voting contract. Patched before exploitation. Demonstrates governance contracts are high-value targets; current Chief is a rewritten Solidity 0.8.21 implementation but remains the sole authority gate for DSPause.
All core protocol changes flow through DSPause (MCD_PAUSE 0xbe2864) with a verified 172800-second (48h) delay between plot and exec. Admin parameter changes (setDelay, setOwner, setAuthority) require the wait modifier—only callable from DSPauseProxy after a delayed plan, preventing instant config changes. DSPause owner is 0x0; authority is Chief, so only the active hat spell can plot plans.
The protocol has no Gnosis Safe or institutional multisig governing core contracts. MCD_PAUSE_PROXY holds a ward on Vat, SKY, L2 governance relays, StarGuards, SubProxies, escrows, and LayerZero OFT. Executive control depends on SKY voting concentration; a coalition holding a plurality can pass spells and lift new hats within a 10-block cooldown after the approvals threshold is met.
Spark and Grove agents use StarGuard (maxDelay=604800s / 7 days) + SubProxy delegatecall execution, separate from the main DSPause spell path. StarGuards and SubProxies are warded by MCD_PAUSE_PROXY; StarGuardJob (keeper-automated exec) is also pause-proxy-warded. This modularizes subDAO upgrades but increases governance/upgrade surface and operational complexity.
SkyLink L2 configuration is governed from Ethereum: L1GovernanceRelay contracts on Base, Arbitrum, and Optimism all have wards[MCD_PAUSE_PROXY]=1, relaying messages to L2 governance relays via OP Stack cross-domain messenger. L1 escrows (Base/Arb/Opt/Unichain) are also pause-proxy-warded. This centralizes cross-chain admin under the same 48h timelock path but creates dependency on L1 governance latency and relay correctness.
Several governance-adjacent contracts lack verified source: MCD_SPBEAM (0x36b072), Grove StarGuard (0xfc51ca), Optimism L1 Gov Relay (0x09b354), Arbitrum Escrow (0xa10c7c), and multiple proxy implementations. Unverified contracts cannot be fully audited and may conceal divergent admin logic from the verified pause-proxy model.
The protocol has years of on-chain executive votes, public spell review on GitHub (sky-ecosystem/executive-votes), a $10M Immunefi bounty, and multiple third-party audits, including the Endgame toolkit. The Maker Foundation dissolved in 2021; no residual foundation admin keys were identified on the core pause system.
Governance follows MakerDAO's Chief model: SKY holders lock tokens, vote on executive spell slates, and lift() promotes a spell to hat when it exceeds current approvals. Only the hat address can authorize DSPause plot/exec. Chief is live (live=1), uses SKY (0x56072c95…) as gov token (MKR successor), maxYays=5, launchThreshold=2.4B SKY, liftCooldown=10 blocks.