Security Risks Emerge Over $756M USDC in Lite PSM Custody

Sky, formerly MakerDAO, is facing concerns over the safety of $756 million in USDC held in the Lite PSM. Will Morris, a key figure in the community, raised alarms about potential security flaws, warning that the funds could be vulnerable to theft.

Security Flaw in Lite PSM Custody

The Lite PSM uses an externally owned account (EOA) to manage the large USDC balance. This setup gives the account holder unrestricted access to withdraw funds at any time. 

Morris warned that this could lead to a “rug pull,” where the funds are taken without notice. He suggested that a more secure option would be to use smart contracts for custody, offering better protection and eliminating privileged access. 

Morris submitted a bug report to Immunefi, a platform known for identifying vulnerabilities. However, the report was dismissed because Immunefi doesn’t cover issues involving privileged addresses. This left the concern unresolved.

Sky’s Response to the Issue

Sid Ramesh from Coinbase acknowledged the concerns but clarified that he couldn’t speak on Coinbase’s direct involvement. He emphasized Coinbase’s rigorous audits and security practices. His response left many wondering if Coinbase had any role in the matter.

Rune Christensen, co-founder of Sky, revealed that the private keys needed to reconstitute the MPC account were destroyed during initial setup with Coinbase Custody. This added more uncertainty to the situation.

To address the security risks, Christensen has proposed a deflationary model for Sky’s tokenomics. This would stop new token emissions and focus on burning existing tokens. Christensen believes this will strengthen the protocol’s resilience.