Sky — USDS & sUSDS

Contract Addresses

All addresses retrieved from the live Sky Chainlog and verified onchain. Snapshot block: 25137266 (May 20, 2026).

Tokens & Conversion Layer

Contract	Address	Type / Role
USDS (proxy)	0xdC035D45d973E3EC169d2276DDab16f1e407384F	UUPS/EIP-1967 proxy. Deployed 2024-09-02
USDS implementation	0x1923DfeE706A8E78157416C29cBCCFDe7cdF4102	Current implementation (USDS_IMP)
sUSDS (proxy)	0xa3931d71877C0E7a3148CB7Eb4463524FEc27fbD	UUPS/EIP-1967 proxy, ERC-4626. Deployed 2024-09-04
sUSDS implementation	0x4e7991e5C547ce825BdEb665EE14a3274f9F61e0	Current implementation (SUSDS_IMP)
DAI	0x6B175474E89094C44Da98b954EedeAC495271d0F	Sister stablecoin, 1:1 with USDS via converter
USDC	0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48	Circle USDC, gem for the LitePSM Wrapper
DAI-USDS Converter	0x3225737a9Bbb6473CB4a45b7244ACa2BeFdB276A	DAI_USDS. Atomic, fee-free 1:1 conversion
USDS Join	0x3C0f895007CA717Aa01c8693e59DF1e8C3777FEB	Mints/burns USDS against VAT internal balances. wards[MCD_PAUSE_PROXY] == 1; wards[USDS] == 1
USDS LayerZero OFT	0x1e1D42781FC170EF9da004Fb735f56F0276d01B8	Cross-chain transport; owner = PauseProxy
sUSDS LayerZero OFT	0x85A3FE4DA2a6cB98A5bdF62458B0dB8471B9f0f1	Cross-chain transport for sUSDS

USDS-USDC PSM Stack

Contract	Address	Role
USDS LitePSM Wrapper	0xA188EEC8F81263234dA3622A406892F3D630f98c	WRAPPER_USDS_LITE_PSM_USDC_A. User-facing USDC↔USDS swap (buyGem / sellGem). Atomic. Deployed 2024-09-03
Underlying LitePSM (DAI-USDC)	0xf6e72Db5454dd049d0788e411b06CfAF16853042	MCD_LITE_PSM_USDC_A. Holds the swap logic. tin = 0, tout = 0, buf = 400,000,000 DAI
USDC Pocket	0x37305B1cD40574E4C5Ce33f8e8306Be057fD7341	MCD_LITE_PSM_USDC_A_POCKET. Custodies the USDC reserves (~3.80B USDC at snapshot)
LitePSM Jar	0x69cA348Bd928A158ADe7aa193C133f315803b06e	MCD_LITE_PSM_USDC_A_JAR. Receives swap fees (currently zero)
LitePSM Mom (emergency halt)	0x467b32b0407Ad764f56304420Cddaa563bDab425	LITE_PSM_MOM. Authority = Chief, owner = PauseProxy. Lets the elected Chief hat instantly halt PSM swaps without the 48 h GSM delay
Emergency Halt Spell Factory	0xB261b73698F6dBC03cB1E998A3176bdD81C3514A	EMSP_LITE_PSM_HALT_FAB
CRON LitePSM Job	0x0C86162ba3E507592fC8282b07cF18c7F902C401	Keeper job that periodically tops up / fills the PSM buffer

Sky / MakerDAO Core (governs USDS, sUSDS, PSM)

Contract	Address	Role
MCD VAT (core ledger)	0x35D1b3F3D7966A1DFe207aa4514C12a259A0492B	The accounting nucleus of the Sky/Maker system. debt() ≈ 13.16B (rad-normalized)
MCD Vow (surplus / sin buffer)	0xA950524441892A31ebddF91d3cEEFa04Bf454466	Stability fee accumulator; receives the SSR drip differential
MCD Pot (DSR)	0x197E90f9FAD81970bA7976f33CbD77088E5D7cf7	DAI Savings Rate pot — predates sUSDS, parallel rate accumulator
MCD Pause	0xbE286431454714F511008713973d3B053A2d38f3	DSPause with delay() = 172800 seconds (48 hours GSM delay). owner = address(0); only spells elected by Chief can schedule
MCD PauseProxy	0xBE8E3e3618f7474F8cB1d074A26afFef007E98FB	The address governance executes as. Holds wards[USDS]==1, wards[sUSDS]==1, and is the upgrade authority for both proxies
MCD Chief (governance vote)	0x929d9A1435662357F54AdcF64DcEE4d6b867a6f9	DSChief. Continuous-approval voting over SKY token. Current hat() = 0xA0059DaDd7Fbdbc81a9bb9d1d17cCB029b6AF596 (active spell)
MCD Spot (price feed router)	0x65C79fcB50Ca1594B025960e539eD7A9a6D434A3	Price oracles for VAT collateral types
SKY governance token	0x56072C95FAA701256059aa122697B133aDEd9279	MCD_GOV. Total supply ~23.46B SKY
SPK token	0xc20059e0317DE91738d13af027DfC4a50781b066	Spark/Sky governance subsystem token (USDS Staking Rewards)
USDS Staking Rewards	0x173e314C7635B45322cd8Cb14f44b312e079F3af	REWARDS_USDS_SPK. Out-of-scope for this report but referenced by yvUSDS-1

Ward / Auth Verification (onchain, snapshot block 25137266)

USDS.wards(MCD_PAUSE_PROXY) = 1        # governance can upgrade & administer
USDS.wards(USDS_JOIN)       = 1        # join can mint/burn USDS
USDS.wards(DAI_USDS)        = 0        # converter goes via USDS_JOIN, not direct ward
sUSDS.wards(MCD_PAUSE_PROXY) = 1       # governance can upgrade & administer
DAI_USDS.dai()  = 0x6B17…71d0F (DAI)
DAI_USDS.usds() = 0xdC03…84F  (USDS)
LITE_PSM_USDC_A.tin()  = 0              # zero swap-in  fee  (USDC -> DAI/USDS)
LITE_PSM_USDC_A.tout() = 0              # zero swap-out fee  (DAI/USDS -> USDC)
LITE_PSM_USDC_A.buf()  = 4.0e26 wei DAI # 400M DAI swap buffer
LITE_PSM_MOM.authority() = MCD_ADM (Chief)
LITE_PSM_MOM.owner()     = MCD_PAUSE_PROXY
MCD_PAUSE.delay()        = 172800       # 48 hours
sUSDS.usdsJoin() = USDS_JOIN
sUSDS.vat()      = MCD_VAT
sUSDS.vow()      = MCD_VOW
sUSDS.usds()     = USDS
sUSDS.asset()    = USDS
sUSDS.ssr()      = 1.000000001136785036595443334  (~3.65% APY)
sUSDS.chi()      = 1.097104280889453199707072239  (price per share)

Audits and Due Diligence Disclosures

Sky/MakerDAO is one of the most extensively audited DeFi protocols. Coverage for the in-scope contracts:

USDS Token

Auditor	Date	Scope	Report
ChainSecurity	Sep 4, 2024	USDS core (Endgame launch)	PDF
Cantina	Jul 3, 2024	USDS review	PDF
Cantina	Nov 24, 2023	NST (USDS predecessor)	PDF

sUSDS

Auditor	Date	Scope	Report
ChainSecurity	Sep 30, 2024	Savings USDS contract	PDF
Cantina	Sep 26, 2024	sUSDS review	PDF

LitePSM & Wrapper

Auditor	Date	Scope	Report
ChainSecurity	(Lite PSM)	Lite PSM audit	PDF
Cantina	(Lite PSM)	Lite PSM review	PDF

Endgame Stack (SKY token, LockStake, VoteDelegate, Flappers, Toolkit)

Auditor	Date	Scope
ChainSecurity	Sep 2024	Multiple Endgame contracts
Cantina	2024	Endgame Toolkit, Vote Delegate, Flappers
Sherlock public contest	Aug 5, 2024	MakerDAO Endgame → report

Legacy MCD (still in use — VAT, Vow, Pot, Pause, Chief)

Auditor	Coverage
Trail of Bits	MCD core
PeckShield	MCD core
Quantstamp	Liquidations 2.0
ChainSecurity	Multiple modules over the years
ABDK	Vote Delegate

Architecture complexity: USDS itself is a thin ERC-20 with permit + ERC-1271 (UUPS upgradeable). sUSDS is a thin ERC-4626 with a chi/ssr accumulator. The USDS-USDC swap path however involves a non-trivial chain: USDS ↔ DAI converter ↔ DAI Lite-PSM ↔ USDC Pocket. While each module is small, the chained dependency means a fault in any one of the four contracts halts USDS-USDC swaps. The wrapper itself is 2,972 bytes of bytecode — essentially a routing shim.

Bug Bounty

• Sky on Immunefi (immunefi.com/bug-bounty/sky) — live since Feb 10, 2022, last updated Feb 26, 2026
• Maximum payout: $10,000,000 for critical smart-contract vulnerabilities. Minimum critical: $150K. Reward = 10% of funds at risk, capped at $10M
• 216 assets in scope, including USDS, sUSDS, LitePSM, DAI-USDS Converter, Chief, Pause, VAT
• Proof-of-concept required for all severities. Payouts in DAI or USDS at $1:1

Safe Harbor (SEAL)

• Sky is not listed on the SEAL Safe Harbor registry at the time of writing.

Historical Track Record

• USDS contract deployed: September 2, 2024 (tx 0xdf7d4ba4…b21c) — ~20.6 months in production
• sUSDS deployed: September 4, 2024 (tx 0xe1be00c4…2c00)
• LitePSM Wrapper deployed: September 3, 2024 (tx 0x43ddae74…8585)
• Underlying MakerDAO system: live since December 2017 (Multi-Collateral DAI) — ~8.5 years. Single-Collateral DAI launched November 2017.
• TVL growth (USDS, DefiLlama stablecoin id 209): $98.5M on launch day → ~$8.84B today (cross-chain); ~$8.07B on Ethereum mainnet alone
• Sky Lending TVL (DefiLlama): ~$5.62B (Ethereum-only)
• sUSDS adoption: ~5.82B USDS locked in sUSDS — about 72% of mainnet USDS supply is staked in the savings vault, indicating very heavy "yield seeker" capture
• Peg history (USDS, past 365 days via CoinGecko):
  • Min: 0.9953 (October 11, 2025) — likely market-wide stablecoin stress, USDS only ~0.5% off peg
  • Max: 1.0008 (April 29, 2026)
  • Latest: 0.9997 (within peg)
• Past security incidents (relevant to USDS path):
  • Black Thursday (March 12, 2020) — DAI/MCD: Cascading ETH price crash combined with mempool congestion caused some liquidation auctions to be won at $0 bids. ~$6M of system shortfall was absorbed by minting MKR to recapitalize. Affected users were later partly compensated via DAO vote. The liquidation system was redesigned (Liquidations 2.0, audited by Quantstamp). USDS did not exist yet
  • USDC depeg (March 11, 2023): Circle's USDC briefly traded as low as ~$0.88 following Silicon Valley Bank exposure. DAI traded down with it (~$0.88 floor) because of the USDC PSM dependency. Sky/Maker responded by widening PSM fees temporarily and accelerating diversification into RWAs. USDS would inherit the same USDC peg exposure today — a USDC depeg is the largest non-bug peg risk to USDS
  • No USDS/sUSDS/LitePSM-specific incidents since their respective launches (~20 months at this snapshot)
• TVL stability: USDS supply has only grown since launch, with no reported large depositor exits or forced unwinds. The 0.47% peg deviation in Oct 2025 was small and short-lived.

Funds Management

How USDS Is Issued

USDS has no dedicated CDP system. Every USDS in existence has come from one of the following channels:

1. DAI → USDS via the DAI-USDS Converter (0x3225737a…F276A)

   • User sends n DAI → receives n USDS, no fee, single transaction
   • Implementation: pulls DAI to itself, then calls usdsJoin.exit() to mint USDS to the caller
   • Reverse direction is symmetric and identical
   • Implication: USDS is fungible with DAI at protocol level. Any DAI holder is a latent USDS arbitrageur

2. USDC → USDS via the LitePSM Wrapper (0xA188EEC8…0f98c)

   • User calls sellGem(usr, gemAmt): wrapper pulls USDC → calls underlying LitePSM sellGem() → DAI minted to wrapper → wrapper calls daiUsds.daiToUsds() → USDS delivered to user
   • Reverse (buyGem(usr, gemAmt)): user sends USDS → converter swaps to DAI → LitePSM buyGem() exchanges DAI for USDC out of the Pocket → USDC delivered to user
   • Fees: tin = tout = 0 (zero). The LitePSM buf (400M DAI) acts as a hot supply buffer so user swaps do not have to wait for VAT bookkeeping
   • Capacity:
     • USDC → USDS direction: bounded by buf (400M DAI per refill cycle, keeper-replenished) and ultimately by the Sky governance-set line for the PSM ilk in the VAT
     • USDS → USDC direction: bounded by the Pocket USDC balance (currently ~3.80B USDC)
   • Atomic: yes — entire path completes in one transaction

3. D3M (Direct Deposit Module) — Sky governance can mint USDS directly to lending markets (Spark, Aave-Lido) up to per-market debt ceilings, where the USDS is borrowed by users. At the snapshot, the Spark Aave-Lido USDS pool (DIRECT_SPK_AAVE_LIDO_USDS_POOL) holds 0 USDS, so this channel is currently dormant for that specific pool

4. MakerDAO/Sky CDPs (ETH-A, ETH-B, wstETH-A, WBTC-A, USDC-A vault, RWA- vaults, LockStake)* — borrowers post collateral, draw DAI (which they can then swap to USDS via the converter). These vaults are over-collateralized at the ilk level (typical liquidation ratios 145–170% for crypto, 100%+ for RWAs)

All four channels ultimately settle through MCD_VAT (0x35D1b3F3…34267082920034666596031), which at the snapshot reports debt() ≈ 13,159,236,494,695,853,301,099,546,069,248,924,267,082,920,034,666,596,031 in rad units → ~13.16B normalized debt. The corresponding DAI + USDS issued supply (Ethereum mainnet) is ~4.37B + ~8.07B ≈ ~12.44B, and the difference represents stability-fee accrual and surplus in MCD_VOW.

Accessibility

Operation	Permission	Atomic?	Fees	Limits
USDC → USDS (LitePSM Wrapper)	Permissionless	Yes (1 tx)	0	buf = 400M DAI per fill; capped by PSM line in VAT
USDS → USDC (LitePSM Wrapper)	Permissionless	Yes (1 tx)	0	Pocket USDC balance (~3.80B)
DAI ↔ USDS (Converter)	Permissionless	Yes (1 tx)	0	None — direct mint/burn through USDS_JOIN
Deposit USDS → sUSDS	Permissionless	Yes (1 tx)	0	None (sUSDS is unbounded ERC-4626)
Withdraw USDS ← sUSDS	Permissionless	Yes (1 tx)	0	None
Mint USDS directly	Wards-gated — only contracts in USDS.wards == 1 (currently USDS_JOIN and PauseProxy)	—	—	Only PauseProxy can grant new wards; new ward requires a passed Chief spell + 48 h GSM delay

There is no whitelist on swaps, no KYC requirement, no cooldown, and no withdrawal queue for sUSDS. All flows are single-transaction.

Collateralization

USDS does not have a clean "this collateral backs this token" picture — it inherits the full Sky/MakerDAO collateral book. Backing comes from these MCD_VAT ilks (publicly reported in the chainlog):

Class	Description	Approximate role in backing
Crypto-backed CDPs (ETH-A, ETH-B, wstETH-A, RETH-A, WBTC-A, etc.)	Over-collateralized loans, ~145–170% liquidation ratio	Volatile, on-chain liquidatable. Historically the dominant backing in early MCD
USDC PSM (LitePSM)	Pocket holds USDC 1:1	~$3.80B USDC at snapshot (largest single backing line for USDS-USDC swap capacity)
RWA vaults (RWA001–RWA015 ilks, Janitor/Conduit/Output flows)	Tokenized US Treasury bills (Monetalis, BlockTower, Centrifuge, Andromeda)	Significant chunk (historically 30–50% of total backing) but offchain custody at TradFi institutions — only transparent via attestation
LockStake (SKY token staked)	Borrow against locked SKY	Smaller, governance-token-backed
D3M (Spark/Aave Direct Deposit Modules)	USDS minted into lending pools where it's borrowed against external collateral	Capacity-extension mechanism rather than primary backing
GUSD-A PSM	Gemini USD-backed PSM	Smaller secondary PSM
PAX-A PSM (MCD_PSM_PAX_A)	Paxos USD-backed PSM	Smaller secondary PSM

System-level overcollateralization is not directly readable from a single onchain call — it requires aggregating per-ilk Art × rate (debt) and ink × oracle price × liquidation-ratio (locked collateral value). LlamaRisk and Sky governance dashboards typically report ~110–115% system-wide CR (with RWA marked at par). At the snapshot the VAT debt of ~13.16B against ~12.44B issued stables suggests a thin direct surplus, with the buffer in MCD_VOW absorbing differences.

Key takeaway for the USDS holder: the collateral mix is far better than a fiat-only stablecoin (no single banking dependency), but worse than a pure crypto-collateralized model (RWA is not fully transparent). For a USDC→USDS→sUSDS user specifically, the relevant backing slice is overwhelmingly the USDC PSM pocket (3.80B USDC), with the rest of the Sky book acting as a secondary solvency buffer. As long as the PSM peg arbitrage works, USDS effectively trades at the lower of peg(DAI) and peg(USDC).

Provability

• USDS exchange rate: Fixed 1 USDS = 1 USDS internally; the peg is enforced externally via the converter/PSM arbitrage chain (programmatic, fee-free)
• sUSDS exchange rate: convertToAssets(shares) is fully onchain via chi accumulator and ssr rate. Continuous accrual is a pure function of ssr and elapsed time since rho (last drip timestamp). At snapshot: chi = 1.0971, ssr = 1.0000000011367…, rho = 1779289691 (2026-05-15)
• System debt (VAT): Readable onchain via MCD_VAT.debt() and per-ilk urns(ilk, urn), ilks(ilk).Art, ilks(ilk).rate. Full reserve audit requires aggregating dozens of ilks but is mechanically possible from public RPC
• USDC PSM Pocket: USDC.balanceOf(pocket) is publicly callable — at snapshot returns 3,803,795,832,516,012 (3.80B USDC)
• RWA backing: Less transparent. Sky publishes monthly RWA attestations (custodian + auditor reports) on the Sky governance forum and tracker dashboards, but the underlying assets sit at TradFi custodians. This is a known limitation of the model and applies to a meaningful fraction of total backing
• Can admins mint USDS out of thin air? Yes, by definition — Sky governance (PauseProxy) can usds.rely(addr) to grant wards = 1 to any address, which then has unrestricted minting via the underlying contract. This change must go through Chief vote + 48 h GSM delay. At the snapshot, the only non-governance ward is USDS_JOIN, which itself only mints in response to a corresponding vat.suck / vat.move settled through valid collateral

Liquidity Risk

Primary Exit Path: LitePSM Wrapper (USDS → USDC)

• Direct 1:1 redemption with zero fee. Atomic in a single transaction
• Capacity (USDS → USDC): bounded by USDC balance in the Pocket = 3,803,795,833 USDC at snapshot. That is ~3.80B exit capacity in a single tx with 0% slippage
• No cooldown, no queue, no per-user cap. Anyone holding USDS can swap to USDC by calling WRAPPER_USDS_LITE_PSM_USDC_A.buyGem(usr, gemAmt)
• Reverse direction (USDC → USDS) is also atomic and zero-fee, bounded by the buf (400M DAI) per refill cycle. A CRON keeper job (CRON_LITE_PSM_JOB) regularly refills the buffer; under heavy demand the buffer can be refilled multiple times per day

Secondary Path: DAI-USDS Converter

• Atomic 1:1 conversion of USDS → DAI (or DAI → USDS), zero fee
• Unbounded — settles directly through USDS_JOIN and DAI_JOIN against MCD_VAT
• Useful when a user wants to access DAI-paired DEX liquidity (which is much deeper than direct USDS pairs)

Tertiary: sUSDS ERC-4626 Withdrawal

• redeem(shares, receiver, owner) returns USDS at the current chi rate, atomic, zero fee. Underlying USDS is minted on-demand via USDS_JOIN — there is no per-block withdrawal cap

DEX Liquidity

USDS DEX liquidity on Ethereum mainnet is meaningful but not the primary exit path — most large flows route through the PSM, not AMM pools. Top DEX pools touching USDS or sUSDS on Ethereum, from DefiLlama yields at snapshot:

Project	Pool	TVL ($)
Curve	PYUSD-USDS	~$100.0M
Curve	sUSDS-USDT	~$50.0M
Morpho Blue	sUSDS (multiple markets)	~$110M aggregate
Curve	DOLA-sUSDS	~$5.6M
Curve	USDS-stUSDS	~$7.1M
Uniswap V3	OHM-sUSDS	~$10.9M

Direct USDS-USDC DEX liquidity is small (no significant Curve/Uniswap USDS-USDC pool sits above $10M at the snapshot). This is because the PSM Wrapper provides zero-fee 1:1 USDC↔USDS swaps, so DEX routes cannot meaningfully out-price the PSM — there is no incentive for LPs to build deep USDS-USDC pools. For any reasonable Yearn integration size, the PSM (with ~$3.80B Pocket depth) is the dominant exit path; DEX liquidity is a secondary concern only at the multi-hundred-million-dollar scale.

Cross-Chain Liquidity

USDS bridges to L2s and other chains via the LayerZero OFT (USDS_OFT, owner = PauseProxy) and sister deployments on Base, Arbitrum, Optimism, Unichain. Cross-chain USDS supply is ~770M (the gap between Ethereum mainnet 8.07B and DefiLlama total 8.84B). For an Ethereum-mainnet-only Yearn strategy, OFT exposure is operationally none.

Historical Liquidity Under Stress

• During the October 2025 stablecoin stress event (USDS min price 0.9953), USDS-USDC swaps via the PSM remained available throughout — the peg deviation was driven by secondary AMM markets, not by Pocket depletion
• LITE_PSM_MOM.halt(...) has never been invoked. Full event-log scan of 0x467b32b0407Ad764f56304420Cddaa563bDab425 returns exactly 4 events since deployment, none of which are Halt(address indexed psm, Flow indexed what) (topic 0x495feb065552316a79c594a4305afbd632955a68b2c6f65ad8b2f62d150fea92). The 4 events are 2× SetOwner and 2× SetAuthority from initial deployment (final owner = PauseProxy, final authority = Chief). The emergency-halt channel exists but has never been used

Centralization & Control Risks

Governance

Sky uses token-weighted continuous-approval voting rather than a multisig:

Stage	Mechanism	Address
Vote	SKY holders lock SKY in Chief and approve a candidate "spell" address. Highest-voted spell becomes the hat	MCD_ADM = 0x929d…6f9
Execute	The hat schedules transactions on MCD_PAUSE (DSPause) which enforces a 48-hour delay	MCD_PAUSE = 0xbE28…38f3, delay = 172800
Apply	After the delay, MCD_PAUSE calls into MCD_PAUSE_PROXY which executes the spell's actions (e.g., changing ssr, granting wards, upgrading USDS implementation)	MCD_PAUSE_PROXY = 0xBE8E…aFF52
Emergency halt	LITE_PSM_MOM can halt PSM swaps without the 48 h delay if the current Chief hat authorizes it (authority = Chief, owner = PauseProxy)	LITE_PSM_MOM = 0x467b…b425

Strengths:

• Token-weighted vote in Chief is fully on-chain and continuously contestable — voters can re-deposit and shift weight at any time, providing fast response to malicious spells during the 48 h delay
• The 48 h MCD_PAUSE.delay() is shorter than the typical 7-day timelock assumed in the rubric (a score-1 criterion), but it has historically been sufficient for Sky's stakeholders to react and rotate the hat if needed. It can only be reduced through a passed spell that itself takes 48 h
• MCD_PAUSE has owner = address(0) — no admin shortcut
• Upgrades to USDS/sUSDS proxies require the PauseProxy to call upgradeToAndCall on the implementation. Same 48 h delay applies
• No EOA holds direct admin powers on USDS, sUSDS, LitePSM, or the Pocket. All sensitive wards mappings point to PauseProxy or other audited Sky contracts

Weaknesses:

• SKY token concentration risk: voting weight is proportional to SKY locked. Onchain at the snapshot:
  • Total SKY locked in Chief: 7,020,951,306 SKY (~29.9% of the 23.46B SKY supply)
  • Approvals for the current hat (0xA005…F596): 6,523,143,752 SKY (~27.8% of total supply; ~92.9% of locked SKY votes for the hat)
  • Top-10 individual voter concentration is non-trivial to derive purely from contract storage and is not resolved in this assessment — typical sources are Sky's voter dashboard or Chief Vote/Lock event aggregations. TODO: publish a top-10 voter snapshot via the Sky governance UI or a graph-aggregation, to track whether a small set of delegates can unilaterally hold the hat
• 48 h delay is at the low end for upgradeable stablecoin systems (compared to 7-day on many newer protocols). A determined attacker with sufficient SKY could theoretically push through harmful changes if they can hold the hat for 48 h without being out-voted
• Privileged role: PauseProxy can mint USDS to anyone by granting wards = 1 to a new address. This is the same "governance can do anything" property all DAO-controlled stablecoins share. The 48 h delay + onchain visibility is the only constraint

Programmability

Function	Onchain?	Notes
Mint / burn USDS via USDS_JOIN	Yes, programmatic	Settled through VAT; cannot exceed VAT debt-ceiling parameters
DAI ↔ USDS conversion	Yes, programmatic	Pure routing in DAI_USDS contract
USDC ↔ USDS via LitePSM Wrapper	Yes, programmatic	Wrapper routes through DAI LitePSM. PSM pocket is read directly
sUSDS chi accumulator	Yes, programmatic	Continuous accrual via ssr; drip() is permissionless
ssr rate parameter	Governance-set	Changed by Chief spell + 48 h delay
PSM tin/tout/buf parameters	Governance-set	Same flow
Halting the PSM	Authority-gated (LitePSM Mom; immediate if hat authorizes)	Used in emergency only
Upgrading USDS / sUSDS implementations	Governance-set	48 h delay

System operations are dominated by programmatic onchain logic. The governance touchpoints (rate setting, parameter tuning) are deterministic and visible; there is no off-chain keeper that drives the price or accrual.

External Dependencies

Dependency	Used By	Criticality	Notes
Circle / USDC	LitePSM Wrapper, Pocket holds 3.80B USDC	Critical for USDS-USDC swap path. A USDC freeze/blacklist on the Pocket or a USDC depeg would directly impair USDS-USDC convertibility	Circle has blacklisted addresses before (TornadoCash, OFAC sanctions). The Pocket has not been blacklisted but is on-chain visible and bounded by Circle's policy
DAI / MakerDAO core (VAT, Join, Pot, Pause, Chief)	All conversion paths	Critical — USDS shares the VAT with DAI. A bug in any MCD core contract impairs USDS	8+ years of production with documented incidents (Black Thursday) but no exploit since
Real-World Assets (RWA custodians)	Backing of ~30–50% of system debt	High but indirect for the USDC→USDS user	Custodians are TradFi (Monetalis, BlockTower, Centrifuge). Failures propagate to system solvency but don't directly impair swap atomicity
LayerZero (USDS_OFT, sUSDS_OFT)	Cross-chain bridging only	Low for Ethereum-mainnet user	Owner = PauseProxy. Affects cross-chain users, not mainnet
Chainlink / Oracle price feeds (MCD_SPOT)	Sets per-ilk liquidation prices for collateral CDPs	Indirect — bad oracle → bad liquidations → solvency hit	Mature oracle setup with multi-source feeds
LITE_PSM_MOM emergency halter	Can pause USDC-USDS PSM swaps instantly	Trust dependency: the elected hat can halt PSM at will	Visible onchain; governance can override

Quality: dependencies are predominantly blue-chip (Circle, MakerDAO core, Chainlink). The most material concentration is the USDC dependency: the on-chain USDC reserve currently makes up ~30%+ of the direct backing of USDS issued via the swap path, and any USDS holder who plans to exit to USDC implicitly trusts Circle.

Operational Risk

• Team: Sky Foundation (formerly MakerDAO) — established 2017, publicly known team including Rune Christensen (co-founder), Sébastien Derivaux, and others. Long track record of operating a multi-billion-dollar protocol
• Legal entity: "Skybase International" operates the sky.money front-end per the user-risks legal page. The Sky Protocol itself is described as "non-custodial blockchain-based software". Per Section 5 / 6 of the Skybase International Terms of Use, the Terms (and any non-contractual obligations) are governed by the laws of the Cayman Islands, with arbitration under the Cayman Islands Association of Mediators and Arbitrators (CI-ArbCA) and the seat of arbitration in George Town, Grand Cayman. Courts of the Cayman Islands hold exclusive jurisdiction for non-arbitrable disputes. US residents are explicitly excluded from certain features (Sky Savings Rate and Sky Token Rewards)
• Documentation: Comprehensive — Sky maintains developers.skyeco.com, docs.sky.money, the public chainlog (chainlog.sky.money), GitHub org sky-ecosystem with all production contract source code, and detailed governance forum at forum.sky.money
• Incident response track record:
  • Black Thursday (March 2020) — Sky/MakerDAO governance held an emergency vote, minted MKR to recapitalize the system, paused vulnerable auctions, and shipped Liquidations 2.0
  • USDC depeg (March 2023) — governance widened PSM fees temporarily and accelerated RWA diversification
  • No USDS-specific incidents to date
• Monitoring infrastructure: Sky publishes a live chainlog with all production addresses; LlamaRisk and Block Analitica produce regular risk dashboards. The Yearn monitoring repository already includes USDS-adjacent strategies (yvUSDS-1) in its hourly Telegram-alert pipeline (source)
• Bug bounty: $10M Immunefi, live 4+ years
• Disclosed legal risks: user-risks explicitly warns about front-end attacks, "altering the interface to display incorrect information," "injecting malicious transaction data," and "phishing attacks." US residents are excluded from certain features

Monitoring

Key Contracts to Monitor

Contract	Address	Critical Values / Events
USDS	0xdC035D45d973E3EC169d2276DDab16f1e407384F	totalSupply(), Upgraded(impl) event (implementation change), Rely(usr) / Deny(usr) events on wards
sUSDS	0xa3931d71877C0E7a3148CB7Eb4463524FEc27fbD	chi(), ssr(), totalAssets(), Upgraded(impl), Drip() event frequency
LitePSM Wrapper	0xA188EEC8F81263234dA3622A406892F3D630f98c	BuyGem / SellGem events, halted state of underlying PSM
Underlying LitePSM	0xf6e72Db5454dd049d0788e411b06CfAF16853042	tin, tout, buf, Halt events
USDC Pocket	0x37305B1cD40574E4C5Ce33f8e8306Be057fD7341	USDC.balanceOf(pocket) — exit-capacity gauge
LitePSM Mom	0x467b32b0407Ad764f56304420Cddaa563bDab425	Any call (would be an emergency halt)
MCD_PAUSE	0xbE286431454714F511008713973d3B053A2d38f3	Plot events (scheduled spells), delay() value, Exec
MCD_PAUSE_PROXY	0xBE8E3e3618f7474F8cB1d074A26afFef007E98FB	Outgoing calls = enacted governance
Chief	0x929d9A1435662357F54AdcF64DcEE4d6b867a6f9	hat() rotation, top approvals
DAI-USDS Converter	0x3225737a9Bbb6473CB4a45b7244ACa2BeFdB276A	Volume
USDC token at Pocket	USDC.balanceOf(pocket)	Pocket reserve level

Critical Values, Thresholds, and Frequency

Metric	Source	Threshold to alert	Frequency
USDS spot price	DEX TWAP / CoinGecko	< $0.995 or > $1.005 (>0.5% deviation)	15 min
USDC Pocket balance	onchain	< $500M (would signal heavy redemption load)	Hourly
LitePSM tin, tout, buf	onchain	Any change	On Rely/File event
LitePSM Halt	event log	Any Halt event	Real time
MCD_PAUSE scheduled spells	Plot event	Any spell touching USDS / sUSDS / PSM / Pocket	Real time on event
sUSDS ssr rate	onchain	Any change >50 bps APY	On change
USDS / sUSDS implementation slot	EIP-1967 slot	Any change → Upgraded event	Real time on event
Chief.hat() rotation	onchain	New hat address	Real time on event
USDS total supply (cross-chain via OFT)	DefiLlama API	Sudden >5% drop in 24 h	Daily

Recommended Functions for Programmatic Monitoring

USDS.totalSupply()                                  // mainnet supply
USDS.wards(addr)                                    // detect new minters
sUSDS.ssr()                                         // current per-second SSR
sUSDS.chi()                                         // accumulator (must only increase)
sUSDS.totalAssets()                                 // USDS held by savings vault
USDC.balanceOf(MCD_LITE_PSM_USDC_A_POCKET)          // PSM exit-capacity
MCD_LITE_PSM_USDC_A.tin() / .tout() / .buf()         // PSM economics
MCD_PAUSE.delay()                                   // GSM delay
Chief.hat()                                         // current elected spell

For offchain context, monitor the Sky governance forum for posted spells. The current LlamaRisk research index does not list a standalone post-rebrand Sky/USDS assessment (9 articles visible, none on USDS); LlamaRisk has historically published Maker / DAI / RWA-exposure articles and acts as risk advisor for Aave's USDS onboarding, but the most recent dedicated risk report on the Sky stack predates the USDS rebrand.

Appendix: Contract Architecture

Snapshot block 25137266 (May 20, 2026).

┌──────────────────────────────────────────────────────────────────────────┐
│                              USER LAYER                                   │
│                                                                           │
│   user holds USDC ───────┐               ┌────── user holds USDS          │
│                          ▼               ▼                                │
│   ┌──────────────────────────────────────────────────────┐                │
│   │  WRAPPER_USDS_LITE_PSM_USDC_A  (0xA188…f98c)         │                │
│   │  sellGem / buyGem  — atomic, 0% fee, 1:1            │                │
│   └────────────────┬──────────────────────┬─────────────┘                │
│                    │                      │                              │
│                    │  daiUsds.daiToUsds   │  daiUsds.usdsToDai            │
│                    ▼                      ▼                              │
│   ┌──────────────────┐         ┌──────────────────────┐                  │
│   │ DAI_USDS         │         │  MCD_LITE_PSM_USDC_A │                  │
│   │ 0x3225…F276A     │◄────────│  0xf6e7…3042         │  buf=400M DAI    │
│   │ 1:1 DAI↔USDS     │         │  tin=tout=0          │                  │
│   └─────────┬────────┘         └──────────┬───────────┘                  │
│             │                             │                              │
│             │  usdsJoin / daiJoin         │  pocket holds USDC           │
│             ▼                             ▼                              │
│   ┌──────────────────┐         ┌──────────────────────┐                  │
│   │ USDS_JOIN        │         │  POCKET              │ 3.80B USDC       │
│   │ 0x3C0f…7FEB      │         │  0x3730…7341         │                  │
│   │ wards[USDS] = 1  │         └──────────────────────┘                  │
│   └─────────┬────────┘                                                   │
│             │                                                             │
│             ▼                                                             │
│   ┌──────────────────────────────────────────────────┐                   │
│   │              MCD_VAT (core ledger)                │  ~13.16B debt    │
│   │              0x35D1…492B                          │  (DAI+USDS)      │
│   │  Holds all ilk debt: ETH-A, wstETH-A, RWA-*,     │                  │
│   │  PSM-USDC-A, LockStake, D3M Spark, etc.          │                  │
│   └──────────────────────────────────────────────────┘                   │
└──────────────────────────────────────────────────────────────────────────┘
                                  │
                                  │
                          USDS-denominated
                                  │
                                  ▼
┌──────────────────────────────────────────────────────────────────────────┐
│                           SAVINGS LAYER                                   │
│                                                                           │
│   user deposits USDS                                                      │
│                  │                                                        │
│                  ▼                                                        │
│   ┌──────────────────────────────────────────────────┐                   │
│   │  sUSDS  (0xa393…7fbD)  — ERC-4626                │                   │
│   │  implementation 0x4e79…61e0                       │                   │
│   │  chi = 1.0971   ssr = ~3.65% APY                 │                   │
│   │  totalAssets() = 5.82B USDS                      │                   │
│   │  totalSupply()  = 5.31B sUSDS                    │                   │
│   └──────────────┬───────────────────────────────────┘                   │
│                  │  drip() accrues from USDS_JOIN via VAT/VOW            │
│                  ▼                                                        │
│             SSR yield (parameter set by governance)                       │
└──────────────────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────┐
│                         GOVERNANCE LAYER                                  │
│                                                                           │
│   SKY holders (23.46B total supply)                                       │
│         │                                                                 │
│         │  lock + approve                                                 │
│         ▼                                                                 │
│   ┌──────────────────────┐                                                │
│   │   MCD_ADM  (Chief)   │  hat() = 0xA005…f596                          │
│   │   0x929d…6f9         │  continuous-approval                          │
│   └──────────┬───────────┘                                                │
│              │                                                            │
│              │  plot spell                                                │
│              ▼                                                            │
│   ┌──────────────────────┐                                                │
│   │   MCD_PAUSE          │  delay = 172800 (48 h GSM)                    │
│   │   0xbE28…38f3        │                                                │
│   └──────────┬───────────┘                                                │
│              │                                                            │
│              │  exec after delay                                          │
│              ▼                                                            │
│   ┌──────────────────────┐                                                │
│   │   MCD_PAUSE_PROXY    │  executes spells; wards[USDS]=1,              │
│   │   0xBE8E…aFF52       │  wards[sUSDS]=1, owns USDS/sUSDS upgrades     │
│   └──────────┬───────────┘                                                │
│              │                                                            │
│              ▼                                                            │
│      modifies parameters on USDS, sUSDS, LitePSM, VAT, etc.              │
│                                                                           │
│   Emergency channel (no 48 h delay):                                      │
│   ┌──────────────────────┐                                                │
│   │  LITE_PSM_MOM        │  authority=Chief, owner=PauseProxy            │
│   │  0x467b…b425         │  HALT() pauses USDC↔USDS swaps instantly      │
│   └──────────────────────┘                                                │
└──────────────────────────────────────────────────────────────────────────┘

---

Reassessment Triggers

• Time-based: Reassess in 6 months (November 2026) or annually. After September 2026, the >2-year-no-incident modifier becomes available and may reduce the score further.
• TVL-based:
  • USDS supply drops >25% from snapshot (~$8.07B → <$6B) — would indicate material loss of confidence or large policy event
  • sUSDS share of USDS supply drops below 50% (currently ~72%) — would indicate SSR has been cut materially or savers are exiting
  • USDC Pocket balance drops below $500M — would indicate sustained exit pressure and compromise of the deep-redemption story
• Parameter-based:
  • LITE_PSM_USDC_A.tin or tout changes from zero (fees introduced) → harden Liquidity score
  • LITE_PSM_USDC_A.buf changes materially → re-evaluate exit capacity for USDC→USDS direction
  • sUSDS.ssr changes by >50 bps APY → not a risk event but warrants user-facing notice
  • MCD_PAUSE.delay() is reduced below 48 h → governance score worsens
  • USDS.wards() grants a ward outside the current set (USDS_JOIN, PauseProxy) → re-review mint authority
• Incident-based:
  • Any LITE_PSM_MOM.HALT() invocation (emergency PSM halt)
  • Any USDS depeg deeper than ±1% sustained for >24 h
  • Any USDC depeg event (would propagate to USDS via PSM)
  • Any exploit or governance attack on the Sky/MCD core (Chief, Pause, VAT, USDS, sUSDS, LitePSM, USDS_JOIN, DAI_USDS, Pocket, OFT)
  • Any blacklisting of the USDC Pocket by Circle
• Governance-based:
  • SKY voter concentration changes materially (e.g. single voter exceeds majority of Chief.approvals(hat)) — TODO: set up quarterly snapshot once data source identified
  • New USDS / sUSDS implementation deployed (would reset the audit baseline)
  • RWA program changes materially (new custodians, large reallocations, custodian incidents)

---

Open Items

Resolved in this assessment pass:

• ✅ Skybase International jurisdiction: Cayman Islands — confirmed in the Terms of Use (governing law = Cayman Islands; arbitration seat = George Town, Grand Cayman; exclusive court jurisdiction = Cayman Islands). Reflected in the Operational Risk section
• ✅ DEX liquidity sanity check: verified via DefiLlama yields — top direct USDS-paired pool is Curve PYUSD-USDS at ~$100M; direct USDS-USDC DEX liquidity is intentionally thin because the PSM provides zero-fee 1:1 swaps with $3.80B depth (no LP incentive to build deeper USDS-USDC pools). Reflected in the Liquidity Risk section
• ✅ LITE_PSM_MOM.halt(...) history: confirmed via full Etherscan log scan of 0x467b…b425 — only 4 events ever (2× SetOwner, 2× SetAuthority from deployment setup). Halt has never been invoked. Reflected in the Liquidity Risk section
• ✅ Latest LlamaRisk / Steakhouse coverage: the current LlamaRisk research index lists 9 articles, none on Sky/USDS post-rebrand. LlamaRisk has historically published Maker/DAI work (e.g. "MakerDAO Endgame and its Repercussions on Curve Finance", "DAI Exposure to Real World Assets") and has acted as risk advisor for Aave's USDS/sUSDS onboarding — but no standalone post-rebrand assessment exists at the time of this report

Remaining TODOs (true open items, manual follow-up):

• TODO: Top-10 SKY voter / approver snapshot. At the snapshot the hat has 6.52B SKY approvals (~92.9% of locked SKY in Chief), but breakdown by individual address requires offchain enrichment (Sky governance UI / a subgraph of Vote/Lock events). Useful for sizing the realistic minimum SKY budget required to hold the hat in an attack
• TODO: Confirm RWA backing share of total VAT debt at snapshot — Sky publishes attestations on the governance forum but a programmatic per-ilk aggregation is recommended as part of routine monitoring