{"id":19283,"date":"2024-12-06T18:12:18","date_gmt":"2024-12-06T16:12:18","guid":{"rendered":"https:\/\/forklog.com\/en\/expert-highlights-potential-756-million-vulnerability-in-sky\/"},"modified":"2024-12-06T18:12:18","modified_gmt":"2024-12-06T16:12:18","slug":"expert-highlights-potential-756-million-vulnerability-in-sky","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/expert-highlights-potential-756-million-vulnerability-in-sky\/","title":{"rendered":"Expert Highlights Potential $756 Million Vulnerability in Sky"},"content":{"rendered":"<p>William Morriss, founder of VM Capital, criticized Sky (<a href=\"https:\/\/forklog.com\/en\/news\/makerdao-rebrands-as-sky-introduces-new-tokens\">formerly MakerDAO<\/a>) for utilizing an <span data-descr=\"externally owned account\" class=\"old_tooltip\">EOA<\/span> to store $756 million in USDC reserves within the LitePSM mechanism.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/SkyEcosystem?ref_src=twsrc%5Etfw\">@SkyEcosystem<\/a> (formerly MakerDAO) is letting an EOA custody 756M USDC for their &#8220;Lite PSM&#8221;. As far as I can tell, that account can rug the full balance any time.<\/p>\n<p>\u2014 wjmelements (@willmorriss4) <a href=\"https:\/\/twitter.com\/willmorriss4\/status\/1864877973553230040?ref_src=twsrc%5Etfw\">December 6, 2024<\/a><\/p><\/blockquote>\n<p>This iteration of the DAI stablecoin&#8217;s stability module was implemented by developers in July.<\/p>\n<p>Morriss, who previously worked as an engineer at TrustToken and MetaMask, considers the decision to rely on an external account unsafe. 
Standard Ethereum wallets in the EOA format are controlled by a private key, which can be compromised or misused.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;As far as I can tell, that account can have its entire balance stolen at any moment,&#8221; the programmer believes.<\/p>\n<\/blockquote>\n<p>The project team is gradually migrating assets to LitePSM, initially transferring 20 million USDC.<\/p>\n<p>Sky co-founder Rune Christensen told <a href=\"https:\/\/cointelegraph.com\/news\/sky-lite-psm-eoa-security-usdc-reserves\">Cointelegraph<\/a> that &#8220;the private keys necessary to restore the <span data-descr=\"multi-party computation\" class=\"old_tooltip\">MPC<\/span> account were destroyed during the setup process with Coinbase Custody.&#8221;<\/p>\n<p>The publication noted that this partially mitigates the risk of account compromise but does not address who controls the wallet and authorizes transactions.<\/p>\n<p>Back in August, a Sky user lost <a href=\"https:\/\/forklog.com\/en\/news\/makerdao-user-loses-55-million-in-phishing-attack\">$55.47 million in DAI<\/a> on a DeFi platform due to a phishing attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>William Morriss, founder of VM Capital, criticized Sky (formerly MakerDAO) for utilizing an EOA to store $756 million in USDC reserves within the LitePSM mechanism. @SkyEcosystem (formerly MakerDAO) is letting an EOA custody 756M USDC for their &#8220;Lite PSM&#8221;. As far as I can tell, that account can rug the full balance any time. 
\u2014 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":19282,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1100],"class_list":["post-19283","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-makerdao"],"aioseo_notices":[],"amp_enabled":true,"views":"41","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/19283","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=19283"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/19283\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/19282"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=19283"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=19283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=19283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}