DeFiScan

@defiscan

23 Following

4 Followers

DeFiScan pfp

We trusted governments; they failed us We trusted corporations; they robbed us We trusted billionaires; they played with us How about we stop trusting and harness the core - humanity changing benefit - that blockchains enable? Do not give even the chance to be evil. defiscan.info

0 reply

0 recast

0 reaction

DeFiScan pfp

Overall Score: Stage 0 The Sky protocol exposes critical permissions that are not protected with an Exit Window of at least 7 days or a Security Council and thus earns a High centralization risk score for its Upgradeability and Exit Window dimensions. Furthermore, Sky is exposed to centralization risks from its USDC and Chronicle dependencies, resulting in an overall High centralization risk score for the Autonomy dimension. Sky thus achieves a decentralization of Stage 0. The protocol could reach Stage 1 by: 1. No longer swapping its $USDS with Circle's $USDC in a blind fashion 2. Increase its Exit Window to at least 7 days or establish a Security Council. It could further reach Stage 2 with: 1. An Exit Window of at least 30 days 2. Changing its oracle provider to a Stage 2 or equivalent protocol. This could also be achieved if Chronicle increases its Exit Window to 30 days.

0 reply

0 recast

0 reaction

DeFiScan pfp

🔗Links ✍️Protocol Reviewer: @mmilien_ (https://x.com/@mmilien_) 📜DeFiScan complete review @makerdao (https://x.com/@SkyEcosystem) Website (https://sky.money/) GitHub (https://github.com/makerdao) DeFiLlama (https://defillama.com/protocol/sky-lending)

0 reply

0 recast

0 reaction

DeFiScan pfp

🚪Accessibility 🟢Low Accessibility Centralization Score Sky has a main frontend at sky.money. The frontend is not self-hostable nor open source, but multiple other access points exist with Sky-specific apps such as Spark or third-party apps like DeFiSaver or SummerFi Pro. These apps build an acceptable backup solution in case of failure of the official frontend.

0 reply

0 recast

0 reaction

DeFiScan pfp

In addition to that, an Emergency Shutdown Module exists and can shut down the entire protocol if 500,000 MKR tokens are irreversibly sent to the Emergency Shutdown Contract. Once the process is started, a specific timeline allows token holders and vault users to receive the net value of their assets. If the process is activated, it is irreversible, a fork would need to be created in order to revive the protocol. It is assumed that there are 2 scenarios: 1. A malicious majority is hijacking the Sky Governance. The only option once the system is shut down is to set up an alternative fork in which the malicious users' funds are slashed, and the users who shut down the system see their funds restored. 2. A critical bug was discovered and prevented with a system shutdown. The Sky Governance can refund users who shut down the system by minting new tokens.

0 reply

0 recast

0 reaction

DeFiScan pfp

🔴High Exit Window Centralization Score All permissions within Sky are held by the onchain Sky Governance. There are no external accounts or multisigs in control. The minimum delay between approval and execution of a Sky Governance proposal is 18 hours, recently reduced from 30 hours in an emergency proposal. The Sky Governance has a continuous proposal model, which means voters need to migrate their vote from the current proposal to a new proposal. The proposal with the most votes at any time is accepted and can be executed once its delay has passed. Emergency measures permissions allow the Sky Governance to pause certain contracts through a proposal without being subject to the mandatory delay. This is the case for all contracts that have a Mom who can pause or stop their child.

0 reply

0 recast

0 reaction

DeFiScan pfp

@chroniclelabs The Sky protocol also relies on the provider Chronicle for price feeds of collateral assets. Chronicle is an oracle protocol that computes a median price from multiple sources. The protocol contains validators who push new prices and challengers who can freeze and challenge new prices. The validator set of an oracle can be changed with a delay of 7 days. We analysed Chronicle's decentralization in a dedicated report here. An Oracle Security Module (OSM) enforces a 1-hour window on price updates, and the governance can freeze the current price value to prevent further updates. In addition to freezing prices, the MakerDAO governance can change the oracle provider with a governance proposal.

0 reply

0 recast

0 reaction

DeFiScan pfp

⛅Autonomy 🔴High Autonomy Centralization Score Circle's $USDC Sky has a centralized dependency on Circle and its $USDC stablecoin token. Users can mint $USDS from $USDC at a fixed 1:1 rate. This means that $USDS is directly pegged to $USDC which is a centralized stablecoin. This conversion may be stopped or paused in an emergency Sky Governance proposal. There is a debt ceiling limiting how much $USDS can be backed by $USDC. Nonetheless, at the time of writing, this debt ceiling is high enough that it does not prevent more than 50% of the collateral in Sky from being backed by USDC. The ceiling is explained further in the dependencies section.

0 reply

0 recast

0 reaction

DeFiScan pfp

🚨Upgradability 🔴High Upgradability Centralization Score $USDS and $sUSDS, respectively Sky's stablecoin and its corresponding yield-bearing version, are upgradeable contracts through Sky Governance proposals. Updating those contracts could change the entire logic of those tokens and may incur a loss of funds for users. Critical parameters in the Sky protocol can be changed through Sky Governance proposals. Unwanted updates to these parameters can result in the loss of funds, loss of unclaimed yield, or otherwise materially impact the expected protocol performance. Example actions are: - Forced liquidations, which would result in loss of user funds. - Creating unbacked debt, which could endanger the protocol's stability. - Pausing the contracts, which could trap user funds for an undetermined amount of time.

0 reply

0 recast

0 reaction

DeFiScan pfp

Decentralization Assessments ⛓️Chain 🟢The report is concerned with the Sky instance deployed on Ethereum mainnet. Ethereum achieves a Low chain centralization score.

0 reply

0 recast

0 reaction

DeFiScan pfp

Sky's decentralization review @makerdao' Sky is a stablecoin protocol allowing users to mint its USDS stablecoin through Collateralized Debt Positions with a variety of crypto collateral assets. Sky is built on the Maker protocol, by the MakerDAO, to replace the DAI stablecoin and allow for the 1:1 conversion between DAI and USDS. USDS can further be staked for the yield-bearing sUSDS token. Various levels of control over the Sky protocol are exercised through an onchain governance system.

0 reply

1 recast

1 reaction

DeFiScan pfp

⚠️Reviewer Notes During our analysis, we identified a unverified role (not mentioned in the docs) Role Id is 0xd1d2cf869016112a9af1107bcf43c3759daf22cf734aad47d0c9c726e33bc782. The owners of this role are related to the V2 to V3 migration. 🔗Links ✍️Protocol Reviewer: @boutellier_yves (https://x.com/@boutellier_yves) 📜DeFiScan complete review (https://www.defiscan.info/protocols/aave) @aave (https://x.com/@aave) Website (https://aave.com/) GitHub (https://github.com/aave-dao/aave-v3-origin) DeFiLlama (https://defillama.com/protocol/aave-v3)

0 reply

0 recast

0 reaction

DeFiScan pfp

Overall Score: Stage 0 The Aave v3 Ethereum mainnet protocol achieves High centralization risk scores for its Upgradeability, Autonomy and Exit Window dimensions. It thus ranks Stage 0. The protocol could reach Stage 1 by; 1. Adopting the security council requirements for the Emergency Admin multisig account 2. Implementing fallback mechanism around the Chainlink oracle (or Chainlink adopting a Security Council setup for its own multisig account). The project additionally could advance to Stage 2 if all critical permissions were assigned to Aave Governance and protected with a 30-day Exit Window.

0 reply

0 recast

0 reaction

DeFiScan pfp

🚪Accessibility 🟢Low Accessibility Score The official frontend to the Aave V3 protocol is open source and each commit on Aave's GitHub repository is published to IPFS (https://github.com/aave/interface/releases). In addition to that the Aave v3 protocol is also available through DeFi Saver and other third-party tools(https://aave.com/help/aave-101/accessing-aave).

0 reply

0 recast

0 reaction

DeFiScan pfp

While hese Exit Windows do not qualify for a Low or Medium score, the risk of unwanted updates is further mitigated by the Aave Governance V3 Guardian multisig, which adheres to the Security Council requirements, and can cancel unintended governance proposals. However, these safeguards do only apply to permissions controlled by Aave Governance. The Emergency Admin multisig too holds critical permissions which are not protected with an Exit Window or Security Council setup. Specifically, the Emergency Admin is able to pause individual Aave markets or the entire protocol as well as disabling the liquidation grace period. If compromised e.g. during a high-volatility market, these permissions could be taken advantage of, in order to execute controlled liquidations. Meanwhile the permissions of multisig accounts Risk Council for GHO and for the Pool contract are sufficiently restricted by steward contracts in terms of frequency of updates and magnitude of the updates, such that an exit window is not required.

0 reply

0 recast

0 reaction

DeFiScan pfp

🪟Exit Window 🔴High Exit Window Score Critical permissions, including protocol upgrades, are controlled by Aave Governance and an Emergency Admin multisig account. Two levels of permissions are separated in the (current) implementation of Aave Governance: -Level 2 defines permissions on the governance system itself and on the AAVE token contract -Level 1 covers the remaining permissions. AAVE holders (also stkAAVE, aAAVE) are able to: -Create new proposals (requires 80,000 / 200,000 votes for Level 1 / Level 2) -Vote on proposals. A valid proposal must have at least 320,000 / 1,040,000 votes with a voting differential (YAE minus no votes) of 80,000 / 1,040,000 votes). -Votes start 1 day after proposal creation and the voting period is 3 / 10 days -The execution of successful votes is blocked by an Exit Window with a delay of 1 / 7 days.

0 reply

0 recast

0 reaction

DeFiScan pfp

Cross-chain vote Votes are currently held on Polygon by using a system called a.DI for cross-chain communication developed by the Aave Community (BGD Labs). The a.DI does not rely on a single bridge provider to move messages across different networks, but uses a x/y threshold, sending the messages in parallel via different bridge providers, reducing the dependency on a single provider. If the community cannot or does not want to use the a.DI or the other voting networks, then the community still can carry out the vote on Ethereum Mainnet. This would eliminate the cross-chain dependencies for voting. The cross-chain voting system has low centralization risk because of its fault tolerant design, while the oracle system is currently unmitigated.

0 reply

0 recast

0 reaction

DeFiScan pfp

⛅Autonomy 🔴High Autonomy Score Oracle and Prices The Aave V3 protocol relies on Chainlink oracle feeds to price collateral and borrowed assets in the system. The protocol does currently have limited validation on asset prices provided by Chainlink. These checks include upper caps for stablecoins and LSTs and a sanity check that the price is above 0 for all assets. If the reported price by the price feed was below 0, a fallback oracle would be queried. Aave has currently no fallback oracle price feeds instantiated. As a consequence if the price was equal to or below 0, user actions on the Pool contract that require a price would revert. The replacement of a stale or untrusted oracle price feed requires a governance vote on permission level 1. The Chainlink oracle system itself is upgradeable without decentralized ownership over those permissions. This dependency thus introduces centralization risk in the Aave V3 protocol.

0 reply

0 recast

0 reaction

DeFiScan pfp

During this window, users can exit the Aave v3 protocol. Furthermore, the Aave Governance v3 Guardian (https://defiscan-git-add-aave-v3-defiscan.vercel.app/protocols/aave#security-council) multisig account, adhering to the Security Council requirements, can cancel the execution of unintended proposals. On the other hand, this control can be abused to censor regular proposals with majority support. Also note that the (current) implementation of GovernanceV3 enables a native multi-chain governance process. Specifically, this process enables proposals to designate a different chain for holding governance votes. While Aave v3's proprietary cross-chain messaging protocol, called a.DI, itself does not exhibit centralized control, it makes the governance process susceptible to control over the designated chain (where voting occurs) itself. Aave V3 Governance can always decide to host the vote on Ethereum Mainnet.

0 reply

0 recast

0 reaction

DeFiScan pfp

Aave Governance Aave Governance refers to Aave v3's onchain governance system which controls contract upgrades as well as other critical permissions as outlined above. We discuss the governance process itself in the Exit Window section and here focus on upgradeability and control in this module itself. This governance process is implemented in the GovernanceV3 contract which is fully upgradeable through a permissionless governance proposal. Hence, an unintended proposal could change the Aave Governance system and reassign its control to a less robust or fully centralized setup. In order to mitigate this risk, upgrades to the GovernanceV3 contract, as well as the AAVE token, require passing a 7 day Exit Window (https://defiscan-git-add-aave-v3-defiscan.vercel.app/protocols/aave#exit-window).

0 reply

0 recast

0 reaction