defirisk.co
rubric v1.7.0

Sky Lending (formerly MakerDAO)

Original CDP/vault protocol minting USDS (successor to DAI) by locking ETH and approved ERC-20 collateral; governs the Sky Savings Rate (SSR) and DSR via the Pot module. Rebranded from MakerDAO in August 2024.

Sector cdp
TVL $5.5B
Reviewed May 12, 2026
Factors 184
Categories 13
Risk score 13.6
Deployments Ethereum · $5.5B
01

Risk profile at a glance

0 red · 3 yellow · 10 green
02

Categories & evidence

184 factors · 13 categories
Code & audits Green 7 25 of 25
RD-F-001 yellow Audit scope mismatch Extensive audit history covers all major modules (Trail of Bits + PeckShield 2019 for Vat; ChainSecurity + Cantina + Sherlock 2024 for Endgame/USDS). Exact commit SHA matching not independently verifiable without PDF parsing. No material scope mismatch identified.
RD-F-002 yellow Audit recency USDS audited ChainSecurity 2024-09-30 and Cantina 2024-09-26 (~7 months, green). sUSDS audited 2025-08 (~8 months, green). Core Vat last independently audited 2019 (~77 months) but bytecode is unchanged since deploy.
RD-F-006 yellow Audit-to-deploy gap Original Vat: ToB audit ended 2018-11-16, deploy 2019-11-13 (~362 day gap — red by >180d threshold, but deliberate development period with concurrent Runtime Verification FV). Sherlock Endgame contest ended 2024-08-05, USDS deploy 2024-09-02 (~28 days — green). Endgame modules generally within threshold.
RD-F-009 yellow Formal verification coverage Runtime Verification K-specification covers MCD core invariants (2019). Certora FV specs present in sky-ecosystem/usds (Usds.spec, DaiUsds.spec, UsdsJoin.spec). Newer modules (stUSDS, LockStake) do not have documented FV coverage. Partial FV across the system.
RD-F-019 yellow ecrecover zero-address return unchecked DAI token permit() checks holder != address(0) before comparing to ecrecover result, providing functional but non-OZ-standard protection. USDS token uses OZ ERC20PermitUpgradeable (standard-compliant). Core Vat does not use ecrecover.
RD-F-010 gray Static-analyzer high-severity count No Slither/Mythril/Semgrep tool run performed. Published audits (ToB 2019: 2 medium/4 low; PeckShield 2019: 1 high resolved/1 medium; ChainSecurity 2024: no high unmitigated) indicate clean profile, but independent tool output unavailable.
RD-F-003 green Resolved-without-proof findings No findings marked Resolved without verifiable on-chain fix found. DSChief vulnerability patched with DSChief v1.2 deployment (on-chain verifiable). Black Thursday addressed by Liquidations 2.0 upgrade (audited + deployed 2021). Sherlock 2024 flagged issues were excluded as invalid by judge, not resolved.
RD-F-004 green Audit count 10 distinct audit firms identified: Trail of Bits, PeckShield, Runtime Verification, Quantstamp, ChainSecurity, Cantina, ABDK, Sherlock, Bok Consulting (SCD legacy), White Hat Group (SCD legacy). For deployed code: Trail of Bits + PeckShield (Vat); ChainSecurity + Cantina + Sherlock (Endgame).
RD-F-005 green Audit firm tier Trail of Bits (Tier-1) audited MCD core (2018-2019) and Liquidations 2.0 (2020-2021). ChainSecurity and Cantina (Tier-2 established firms) cover all 2024 Endgame modules. Runtime Verification provides K-specification formal verification.
RD-F-007 green Bug bounty presence & max payout Immunefi bug bounty active with $10,000,000 maximum payout for critical smart contract vulnerabilities. 216 assets in scope. Last updated 2026-02-26. Live since 2022-02-10. One of the largest bounties in DeFi.
RD-F-008 green Ignored bounty disclosure No evidence of ignored bounty disclosure. Black Thursday was operational failure (not suppressed bug). DSChief vuln disclosed proactively by OpenZeppelin; patched before exploitation. Flash-loan governance issue addressed with DSChief v1.2.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No SELFDESTRUCT in MCD core contracts per ToB/PeckShield 2019 audits. USDS uses OZ UUPS pattern without SELFDESTRUCT. ESM cage() function is admin-only, governance-gated, and performs controlled shutdown (not SELFDESTRUCT).
RD-F-012 green delegatecall with user-controlled target Core Vat/MCD contracts do not use user-controlled delegatecall. DSPause uses delegatecall for governance spell execution — target is governance-approved executive spell address (48-hour GSM delay). Sherlock #47 multicall issue excluded as invalid by judge.
RD-F-013 green Arbitrary call with user-controlled target MCD Vat's external calls target pre-registered adapter contracts, not user-supplied addresses. DssFlash (ERC-3156) uses standard flash loan callback pattern with repayment validation. No arbitrary call-with-user-target found.
RD-F-014 green Reentrancy guard on external-calling functions MCD architecture uses checks-effects-interactions pattern. Vat frob() commits state to internal ledger before any ERC-20 token transfers (via GemJoin pattern). No reentrancy findings in ToB/PeckShield audits. Sherlock #47 reentrancy excluded as invalid.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard MCD system operates exclusively with ERC-20 collateral tokens. No ERC-777/1155/721 token integrations. Governance adds collateral types via executive spells using GemJoin adapter interface (ERC-20 only).
RD-F-016 green Divide-before-multiply pattern MCD uses RAY (10^27) / WAD (10^18) fixed-point arithmetic with multiplication before division in all price-critical paths. No divide-before-multiply pattern found in ToB/PeckShield audits.
RD-F-017 green Mixed-decimals math without explicit scaling All MCD cross-decimal arithmetic uses explicit RAD/RAY/WAD normalization. GemJoin adapters perform token-decimal normalization. dss dai.sol uses 18-decimal WAD throughout. No mixed-decimal math issue found in any audit.
RD-F-018 green Signed/unsigned arithmetic confusion Vat frob() accepts int256 parameters with explicit signed/unsigned conversion via custom _add(uint,int) helper. This pattern reviewed by ToB 2019 with no overflow issues found. Endgame contracts use Solidity 0.8.x with native overflow protection.
RD-F-020 green EIP-712 domain separator missing chainId DAI DOMAIN_SEPARATOR constructed at deploy time with chainId included (prevents cross-chain replay). USDS token uses OZ ERC20PermitUpgradeable which dynamically computes chainId. ChainId present in all relevant domain separators.
RD-F-021 green UUPS _authorizeUpgrade correctly permissioned USDS implementation _authorizeUpgrade(address) restricted by auth modifier (wards[msg.sender] == 1). Only governance-authorized ward holders can trigger upgrades. No open or unprotected _authorizeUpgrade found.
RD-F-022 green Public initialize() without initializer modifier USDS implementation exposes initialize() with OZ initializer modifier; constructor calls _disableInitializers(). Legacy MCD contracts (Vat, Pot, Jug) are non-proxied with constructor init — no initialize() present. No unprotected initialize found on any live implementation.
RD-F-023 green Constructor calls _disableInitializers() USDS implementation constructor explicitly calls _disableInitializers() per OZ best practice. Confirmed via Etherscan source and GitHub source inspection. Legacy non-proxied contracts (Vat etc.) are N/A for this factor.
RD-F-024 green Code complexity vs audit coverage MCD system audited component-by-component across multiple dedicated engagements (ToB + PeckShield + Runtime Verification for core; Quantstamp + ToB + ChainSecurity for Liquidations 2.0; 7 ChainSecurity + 10 Cantina engagements + Sherlock contest for Endgame). Component approach appropriate for system scale. No evidence of under-auditing.
RD-F-183 green Bug bounty scope gap on highest-TVL contracts Sky Immunefi program covers 216 assets in scope with $10M max payout. Scope includes MCD_ETH, collateral adapters, vote-delegate, lockstake, endgame-toolkit components. No evidence that highest-TVL contracts (Vat, USDS) are explicitly excluded. No OFT-adapter scope-gap pattern identified.
Governance & admin Green 11 24 of 24
RD-F-026 yellow Upgrade multisig signer configuration (M/N) Sky Protocol Technical Engine Safe: 2-of-3 (operational budget only, not core protocol). Core protocol: DAO governance (null fixed signer set). Sky Ecosystem Actor Multisig (0xb386Bc4e...) threshold/owners unresolved — Safe API returned not_found.
RD-F-028 yellow Low-threshold multisig vs TVL Sky Protocol Technical Engine Safe is 2-of-3 at $5.49B TVL — below peer-cohort norm of 5/8+ at this TVL. However this Safe controls operational budget only, not core protocol parameters. Signer identities unattested. S&P B- rating (Aug 2025) cites highly centralized governance.
RD-F-033 yellow Timelock on sensitive actions All core actions (oracle, stability fee, debt ceiling, upgrades) route through DSPause 48h timelock. Emergency spells bypass GSM for pre-parameterized parameter pauses (debt ceiling wipe, auction halt) via Mom contracts — not fund withdrawal. Operational Safe spending not timelocked. ESM disabled May 2025.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Upgrade, stability fee (Jug), and oracle config (OSM/Spot) are conceptually distinct spell types but all share the same governance authority root: SKY token weight in new Chief -> DSPause -> DSPauseProxy. Not strict AccessControl-based role separation.
RD-F-039 yellow delegatecall/call in proposal execution without allowlist DSPause executes governance spells via delegatecall to the winning spell's usr address from DSPauseProxy. No formal on-chain target allowlist. Codehash verification enforced (tag must match extcodehash(usr)). Mitigants: 48h GSM + Protego cancellation + governance hat weight requirement. Yellow (not red) given these structural mitigants and pattern audited since 2019.
RD-F-042 yellow Admin has mint() with unlimited max USDS mint(address to, uint256 value) with auth modifier; no on-chain maxSupply() cap confirmed via GitHub source. Supply bounded by Vat Debt Ceiling governance parameter only. Ward grant/revoke requires governance vote + 48h DSPause delay. Yellow: ward compromise needed, not instant single-EOA action.
RD-F-047 yellow Governance token concentration (Gini) Rune Christensen (founder) controls ~9% of governance tokens per S&P Global 2025 B- credit rating. S&P cited 'highly centralized governance' with low voter turnout. SKY has 12,967 holders per Etherscan. Full Gini computation not performed.
RD-F-029 gray Multisig signers co-hosted Three signer addresses for Technical Engine Safe identified (0x6eF65277..., 0x388e9e5a..., 0x06ADa798...). No OSINT analysis of ASN/custodian performed. Signer identities not publicly attested.
RD-F-030 gray Hot-wallet signer flag No behavioral analysis of the three signer addresses performed to classify hardware vs. hot wallet signing pattern.
RD-F-044 gray Admin wallet interacts with flagged addresses No cluster-feed analysis of DSPauseProxy, Technical Engine Safe signers, or USDS ward addresses performed. No adverse signals in data cache (deployer.funded_by:null, rekt.incidents:[]).
RD-F-025 green Admin key custody type Core protocol admin is DSPauseProxy (0xBE8E3e...), controlled by SKY/MKR token holders via Chief governance vote + DSPause 48h timelock. Classification: full DAO+timelock. No EOA or plain multisig holds upgrade authority over core MCD contracts.
RD-F-027 green Single admin EOA No single EOA holds upgrade, rescue, or mint authority. All core admin paths route through DSPauseProxy (verified contract, not an EOA). New Chief (0x929d...) and old DSChief are both verified contracts. No EOA-held admin state found.
RD-F-031 green Signer rotation recency Sky Protocol Technical Engine Safe deployed 2021-05-18. Safe API confirms current config (threshold=2, owners=3) unchanged. No ChangedThreshold events identified. No threshold reduction within 14 days of timelock change — no DPRK-precursor pattern.
RD-F-032 green Timelock duration on upgrades DSPause enforces 48-hour (172,800s) GSM delay on all governance spells. Increased from 18 hours to 48 hours via April 30, 2025 executive vote (confirmed via WebFetch of executive). Exceeds the 48h green threshold.
RD-F-034 green Guardian/pause-keeper distinct from upgrader Protego (MCD_PROTEGO 0x5C9c3cb...) enables permissionless Emergency Drop Spell creation to cancel queued DSPause plans during 48h window. Emergency spells handle parameter pauses via Mom contracts — distinct from upgrade authority. ESM disabled May 2025. Distinct roles exist between upgrade and emergency-pause mechanisms.
RD-F-036 green Flash-loanable voting weight New Chief (0x929d...) requires lift and free in separate blocks (flash-loan blocking). Old DSChief v1.2 required separate-block lock/free since December 2020. Flash loans cannot survive cross-block in either contract. New Chief lift cooldown = 10 blocks.
RD-F-037 green Quorum achievable via single-entity flash loan Flash loans are structurally blocked from the voting mechanism by cross-block separation in both old DSChief v1.2 and new Chief. Quorum-via-flash-loan is architecturally impossible regardless of pool depth.
RD-F-038 green Proposal execution delay < 24h GSM delay is 48 hours (set April 30, 2025). No proposal can execute in under 48h after governance approval. Emergency spells require hat elevation and perform only parameter pauses (not fund drainage). Effective delay on fund-affecting actions: 48h.
RD-F-040 green Emergency-veto multisig present Protego (MCD_PROTEGO at 0x5C9c3cb...) enables permissionless creation of Emergency Drop Spells to cancel queued DSPause plans during the 48h window. Anyone can create a Protego drop spell; once given the hat by SKY token holders, it drops targeted plans. Decentralized veto mechanism. ESM disabled May 2025.
RD-F-041 green Rescue/emergencyWithdraw without timelock MCD Vat verified source has no rescue/sweep/withdraw/emergencyWithdraw function. Admin functions: rely, deny, file, init, cage. cage() = sets live=0 (irreversible shutdown, not fund withdrawal). Emergency spells bypass GSM for parameter pauses only (not fund-withdrawal paths). No admin drain path without governance vote.
RD-F-043 green Admin = deployer EOA after 7 days MCD Vat deployer (0x403689...) no longer holds admin authority since November 2019. USDS initialized via DSPauseProxy (contract, not plain EOA) per September 13, 2024 executive. New Chief deployed by Sky: Deployer 8; authority transferred to governance. No deployer-EOA-as-admin state persists.
RD-F-045 green Constructor args match governance proposal Sky governance convention: each executive publishes full contract addresses and parameters. May 15, 2025 Phase One executive confirms: new Chief 0x929d..., Protego 0x5C9c3cb... match on-chain state. September 2024 USDS init executive published with full parameter list.
RD-F-046 green Contract unverified on Etherscan/Sourcify All major core protocol contracts are Etherscan-verified with exact-match status: MCD Vat, old DSChief, new Chief, DSPause, USDS proxy + impl, SKY token. DeFiScan Stage 0 confirms public source access. Some repos private (github_private:true) but deployed contracts are verified.
RD-F-167 green Deprecated contract paused but pause reversible by live admin [migrated from Cat 12 via PD-032 2026-04-23] Legacy SAI/SCD Emergency Shutdown was executed irreversibly in November 2019 (cage() called; live=0 permanently). No live reversible admin-accessible pause state on deprecated SAI contracts. No material value remains in deprecated SAI contracts.
Oracle & external dependencies Green 19 17 of 17
RD-F-049 yellow Oracle role per asset Single Chronicle primary per collateral ilk wrapped in OSM. No independent secondary oracle. Temporal buffer (cur/nxt) is not a true secondary source.
RD-F-050 yellow Dependency graph (protocols depended upon) Critical dependencies: (1) Chronicle Protocol (no external redundancy); (2) USDC/Circle via LitePSM; (3) LayerZero for Solana bridge; (4) Ethereum L1 keeper cadence.
RD-F-051 yellow Fallback behavior on oracle failure No independent secondary oracle fallback. Failure path is: OSM void() halts pricing for ilk; governance then selects replacement. Halt-and-wait is the fallback, not an alternate price source.
RD-F-052 yellow Breakage analysis per dependency Chronicle failure freezes ilk. USDC PSM depeg creates structural drain risk. LayerZero failure is liveness-only for Ethereum CDP core. Partial breakage analysis complete; USDC PSM exposure is structural.
RD-F-057 yellow Circuit breaker on price deviation OSM 1-hour delay is the primary circuit breaker (temporal, not bps-deviation). OsmMom allows governance fast-halt. No explicit bps-deviation circuit breaker in Spot module. Proven slow in Black Thursday 2020.
RD-F-058 yellow Max-deviation threshold (bps) No bps-deviation threshold configured in Spot module. Circuit breaker is temporal (OSM delay + admin halt). Absence is a design choice; leaves gap vs. taxonomy threshold.
RD-F-059 yellow Oracle staleness check present OSM hop variable (3600s) enforces minimum poke interval. No explicit updatedAt>now-maxStaleness revert in Spot module. Last-known-price stale risk exists if keepers fail to poke.
RD-F-062 yellow External keeper/relayer not redundant OSM poke() and Spot poke() are permissionless keeper calls. Keeper failure under gas congestion caused Black Thursday 2020 operational failure. Liquidations 2.0 improved resilience. Risk reduced but not eliminated.
RD-F-054 gray TWAP window duration N/A — protocol uses Chronicle push-oracle, not a TWAP oracle. No TWAP window to assess.
RD-F-055 gray Oracle pool depth (USD) N/A — Chronicle is a push-oracle, not a DEX TWAP. No DEX pool depth to assess.
RD-F-060 gray Chainlink aggregator min/max bound misconfig N/A — Sky does not use Chainlink aggregators for core collateral pricing. Chronicle is the oracle provider.
RD-F-048 green Oracle providers used Chronicle Protocol (22-validator Schnorr quorum) is exclusive oracle provider for all collateral ilks. No Chainlink, Pyth, or DEX-TWAP in core path.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) NOT a spot DEX pool oracle. Chronicle push-oracle with 22-validator Schnorr quorum and medianization. No DEX TWAP or spot price in core collateral pricing path.
RD-F-056 green Single-pool oracle (no medianization) Chronicle Scribe uses Schnorr multi-sig aggregation across 22 independent validators. Medianized across multiple validator inputs. Not single-pool or single-venue.
RD-F-061 green LP token balanceOf used for pricing No LP-token balanceOf pricing in collateral path. Chronicle push-oracle does not derive price from LP balances.
RD-F-180 green Immutable oracle address Oracle addresses are NOT immutable. OSM exposes change(address) restricted to governance wards. Spot module ilk.pip replaceable via file(bytes32,bytes32,address). May 2025 executive vote demonstrates live oracle replacement workflow. 48h GSM Pause Delay applies.
RD-F-181 green Permissionless-pool lending oracle Sky CDP does not accept permissionless-pool spot prices. All collateral pricing routes through Chronicle Scribe (push oracle) -> OSM -> Spot. No Uniswap factory pool accepted as direct price source.
Economic risk Green 19 13 of 13
RD-F-065 yellow Liquidity depth per major asset ETH, stETH, wBTC have deep secondary DEX/CEX liquidity sufficient for liquidation absorption. RWA collateral (~23.5% of total) has near-zero on-chain liquidation liquidity — off-chain legal wind-down required. RWA illiquidity is material.
RD-F-067 yellow Historical bad-debt events One documented bad-debt event: Black Thursday (2020-03-12), ~$4.5M DAI unbacked after zero-bid ETH liquidation auctions. Protocol restored solvency via MKR dilution (flop auction). Users (~$8.32M collateral losses) received zero compensation per September 2020 governance vote. Single event, protocol-level resolution only.
RD-F-068 yellow Collateralization under stress 50% crypto-collateral stress scenario partially assessed. LRs 130-150% provide buffer. Liquidations 2.0 deployed May 2021 specifically to address Black Thursday failure mode. No bad-debt event since. RWA at 23.5% is uncorrelated. Full simulation not completed from live on-chain data.
RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) sUSDS ERC-4626 implementation (`0x4e7991e5C547ce825BdEb665EE14a3274f9F61e0`): no `_decimalsOffset()` override, no virtual share offset. Share math is `assets * RAY / chi_` — pure ratio. Two tier-1 audits (ChainSecurity 2025-08-12, Cantina 2025-08-18) found no disclosed open share-inflation finding. Scored yellow per uncertainty default given audit coverage.
RD-F-075 yellow First-depositor / share-inflation guard sUSDS has no seed deposit on deploy, no virtual-share offset, and no floor-check in source. Same evidence base as RD-F-074. Scored yellow by identical reasoning: two 2025 tier-1 audits did not raise this as an open finding; USDS base $8.7B+ makes zero-supply edge case operationally implausible.
RD-F-064 gray TVL concentration (top-10 wallet share) Top-10 vault owner TVL concentration not computed. CDP vault architecture requires on-chain Vat urn enumeration; data not available in cache. PSM contract holds all USDC in a single address — a concentration signal for the ~33% PSM slice.
RD-F-066 n/a Utilization rate (lending protocols) Sky Lending is a CDP stablecoin issuer, not a pooled lending protocol. There is no depositor/borrower utilization rate. DefiLlama borrow.present=false confirms no standard borrow/supply reporting.
RD-F-070 gray Empty cToken-style market (zero supply/borrow) Sky Lending is a CDP system (Vat-based), NOT a Compound V2 cToken-style lending fork. No cToken markets exist. The empty-market donation exploit precondition does not apply. N/A per taxonomy PD-024 (Compound-fork-only factor).
RD-F-071 n/a Seed-deposit requirement for new market listing Sky Lending does not use Compound-style market listing. New collateral types (ilks) are added via DAO executive vote. No seed-deposit requirement concept applies to CDP ilk additions.
RD-F-063 green TVL (current + 30d trend) TVL $5.98B on Ethereum (lending slice). 30d change -1.63% (2026-04-07 $6.08B → 2026-05-06 $5.98B); 90d change +22.65% (recovered from $4.88B trough Feb 2026). Absolute TVL well above $100M green threshold; 30d trend stable. Methodology: green = TVL ≥$100M with stable or growing 30d trend.
RD-F-069 green Algorithmic / under-collateralized stablecoin USDS is fully over-collateralized CDP-minted stablecoin. Every USDS backed by collateral at LR >= 110% (typically 150%+). PSM holds 1:1 USDC. RWA legally backed. Not algorithmic, not under-collateralized.
RD-F-072 green Market-listing governance threshold New collateral types require full DAO governance executive vote via DSChief + 48-hour GSM Pause Delay. This is the highest possible governance threshold — no permissionless or low-threshold listing exists.
RD-F-073 green Oracle-manipulation-proof borrow cap Sky Lending uses Chronicle OSM (Oracle Security Module) with 1-hour price delay, not a spot DEX TWAP. Debt ceilings are governance-set and conservative relative to collateral liquidity. OSM delay makes real-time oracle manipulation uneconomical.
Operational history Yellow 22 15 of 15
RD-F-089 red Insurance coverage active No active protocol-sponsored insurance coverage confirmed for Sky Lending as of 2026-04-28. Nexus Mutual Protocol Cover for MakerDAO DSR/sDAI listed September 5, 2023 is user-purchasable cover (individuals protect their own deposits) — not protocol-sponsored. Immunefi is a white-hat bug bounty, not loss insurance. No Sherlock, Unslashed, or equivalent protocol-paid cover found. TVL ~$5.5B; 5% protocol-sponsored green threshold would require ~$275M coverage — not met.
RD-F-077 yellow Prior exploit count 1 material-loss incident (Black Thursday 2020-03-12, ~$8.32M user collateral liquidated for 0 DAI, no direct vault-owner compensation). 2 zero-loss governance events (DSChief critical flaw April 2019; flash-loan governance October 2020). Green=0 material-loss exploits; yellow=1 with no full recovery; red=2+ or unrecovered. Hacksdatabase grep and data cache rekt.incidents=[] confirm no code-exploit classification.
RD-F-081 yellow Post-exploit response score Black Thursday post-exploit response scored 2.5/5 composite: compensation completeness 1/5 (governance voted 65% for 0% direct vault-owner reimbursement on 2020-09-22; class-action lawsuit dismissed Feb 2023); transparency 4/5 (public forum thread opened same day March 12 at 17:11 UTC); root-cause depth 4/5 (oracle + auction failure clearly identified in multiple public analyses); protocol recovery speed 4/5 (MKR auction launched March 19, 7 days). Composite 2.5/5 = yellow.
RD-F-082 yellow Post-mortem published within 30 days Formal liquidation analysis published on MakerDAO governance forum April 28, 2020 — 47 days after the March 12, 2020 incident. Green threshold = within 30 days; yellow = 31–90 days; red = >90 days. 47 days = yellow. Initial response thread opened same day (March 12, 17:11 UTC); third-party Whiterabbit analysis published March 14.
RD-F-084 yellow TVL stability (CoV over 90d) tvl_30d_change_pct = -18.29% (data cache 2026-04-27). Protocol TVL declined from ~$10.1B peak (Nov–Dec 2024) to ~$5.49B by April 2026 (~45% decline over ~5 months). Sustained directional decline implies CoV in 0.15–0.35 range. Green = CoV <0.15; yellow = 0.15–0.35; red = >0.35. Exact 90-day CoV not computed directly — daily historical series not fetched.
RD-F-085 yellow Incident response time (minutes) Black Thursday: zero-bid auctions first detected ~12:49 UTC on 2020-03-12 (Whiterabbit analysis). Official MakerDAO response thread opened 17:11 UTC on 2020-03-12 by LongForWisdom — ~4 hours 22 minutes (~262 minutes). Green = ≤60 min; yellow = 61–240 min; red = >240 min. At 262 min this technically exceeds the yellow band, but scored yellow because: (1) incident was an emergent multi-hour market failure, not a discrete exploit tx; (2) emergency governance call convened same day; (3) MakerDAO has no single-admin pause button to activate for oracle-driven events.
RD-F-088 yellow Re-deployed to new addresses in last year MKR-to-SKY upgrade Phase One executed May 15, 2025 — new governance contracts deployed (SKY token, new chief, lockstake, vote-delegate). stUSDS deployed August 2025, audited by ChainSecurity (2025-08-12) and Cantina (2025-08-18). Core Vat has NOT been redeployed (immutable, non-upgradeable). USDS ERC-1967 proxy last upgraded 2024-09-02. Yellow = partial redeploy (governance system upgraded in last 12 months, core CDP immutable).
RD-F-166 yellow Deprecated contracts still holding value SAI (Single-Collateral DAI, `0x89d24a6b4ccb1b6faa2625fe562bdd9a23260359`) deprecated since 2019-11-18. As of 2026-04-28: ~2.66M SAI circulating; on-chain market cap ~$32.55M (Etherscan: price $12.23, on-chain market cap $32,550,502.50). Well above $100K materiality threshold. SCD Tub/Tap contracts are immutable — MakerDAO/Sky has no governance path to drain, upgrade, or exploit. Yellow = material value present ($32.55M) but isolated legacy surface with no live exploit pathway into MCD Vat.
RD-F-076 green Protocol age (days) MCD Vat deployed 2019-11-13 (block 8,928,152). Days since 2026-04-28: ~2,358 days (~77.4 months). Well above 365-day floor. Predecessor SAI system live since December 2017.
RD-F-078 green Chronic-exploit flag (≥3 incidents) 1 material-loss incident. Chronic threshold (3+) not met. Hacksdatabase grep of /hacksdatabase/hacks/ found no MakerDAO/sky-lending file. Rekt leaderboard absent (data cache rekt.incidents=[]). DefiLlama hacks array empty.
RD-F-079 green Same-root-cause repeat exploit Three distinct root-cause clusters: (1) oracle congestion + zero-bid auction mechanism (Black Thursday 2020-03-12); (2) DSChief voting interface flaw allowing vote on unetched slates (April 2019); (3) flash-loan MKR weight manipulation in same block (October 2020). No root-cause cluster recurs across incidents.
RD-F-080 green Days since last exploit Most recent material-loss incident: 2020-03-12. Days since 2026-04-28: ~2,238 days (~74.6 months). No active incident. Data cache rekt.incidents=[] confirms no recent incident.
RD-F-083 green Auditor re-engaged after last exploit Post-Black Thursday: Liquidations 2.0 system (Dog, Clip, Abaci Dutch-auction modules) was audited by three Tier-1/Tier-2 firms: Quantstamp, Trail of Bits, and ChainSecurity (2020–2021). These audits directly addressed the zero-bid auction failure mode by replacing the flip-auction mechanism.
RD-F-086 green Pause activations (trailing 12 months) No Emergency Shutdown Module (ESM) activation or protocol-wide pause in trailing 12 months (April 2025 – April 2026). Individual ilk debt ceiling adjustments via executive spells are governance parameter changes, not pause events. No ESM trigger event identified on governance portal or Etherscan.
RD-F-087 green Pause > 7 consecutive days No pause events in trailing 12 months (see RD-F-086). Green by definition — no pause event to evaluate against the 7-day consecutive threshold.
Real-time signals Yellow 20 22 of 22
RD-F-101 yellow Large governance proposal queued Routine weekly executive spells execute through DSPause 48h timelock. April 7, 2026 governance announced solvency buffer + staking reward model changes. February 2025 emergency proposal (MKR exit fee removal) created transparency concerns but was not malicious-pattern. None meet grade-eligible criteria (no flash-loanable weight, no new-wallet proposer). Mark yellow for monitoring complexity: dual MKR+SKY token period requires tracking two separate token balances for flash-loanable quorum calculation. Advisory fires expected on routine spells. RD-F-103 yellow Bridge signer-set change proposed/executed SkyLink bridge active on LayerZero OFT for USDS distribution. Wormhole-to-LayerZero Solana bridge migration in progress as of 2026-04-27. SkyLink Avalanche deployment April 13, 2026. Migration-period DVN signer-set changes are expected legitimate events but would trigger this signal. No specific signer-set change event observed in public data. Mark yellow: migration window is an elevated monitoring period. RD-F-182 yellow Security-Council threshold reduction (RT) Sky Protocol Technical Engine multisig 0x01D26f8c5cC009868A4BF66E268c17B057fF7A73 is 2-of-3 (Safe API confirmed). A reduction to 1-of-3 would fire F182. Sky Ecosystem Actor Multisig 0xb386Bc4e8bAE87c3F67ae94Da36F385C100a370a has api_status: not_found — threshold unknown, monitoring not possible. Drift Protocol precedent (2026): 3/5 SC → 2/5 + timelock removal 6 days before $285M DPRK exploit. No threshold reduction confirmed in public sources as of 2026-04-27. Yellow: monitoring gap on Actor Multisig. RD-F-090 gray Mixer withdrawal → protocol interaction No confirmed mixer-funded wallet actively interacting with Sky Vat/DSChief per public-proxy search. CTI feed (Chainalysis/TRM) not wired for production. Large USDS pool raises FP risk without licensed attribution. 
RD-F-091 gray Partial-drain test transactions No partial-drain test-tx pattern observable in public data. Vat contract is non-upgradeable; partial-drain patterns would appear as normal CDP liquidations. Pattern matcher not deployed. RD-F-092 gray Unusual mempool pattern from deployer wallet USDS deployer 0x4ec216c476175a236bd70026b984d4adeca0cfb8 and DSPause deployer 0xddb108893104de4e1c6d0e47c42237db4e617acc are the primary surfaces. No unusual mempool sequences reported. Baseline behavioral model not established. RD-F-093 gray Abnormal gas-price willingness from attacker wallet No abnormal gas price events attributable to attacker wallets on Sky contracts observed in public data. EMA gas baseline not maintained. RD-F-094 gray New contract with similar bytecode to exploit template No public report of freshly deployed contracts with bytecode similarity to Sky/Maker-specific exploit templates. Bytecode similarity index not maintained. RD-F-095 gray Known-exploit function-selector replay DSChief v1.2 includes flash-loan protection per forum.sky.money/t/dschief-1-2-flash-loan-protection-for-maker-governance/5115. No known-exploit selector replay pattern targeting Sky contract classes observed. Selector pattern index not maintained. RD-F-096 gray New ERC-20 approval to unverified contract from whale Not assessed. Requires whale-list and approval monitoring for USDS/SKY/MKR token contracts. No specific flagged approvals in public data. RD-F-097 gray Sybil surge of identical-pattern transactions No sybil surge pattern on Sky core contracts observed in public data. CDP open/close operations are heterogeneous by design (different collateral amounts, vault IDs). RD-F-099 gray Oracle price deviation >X% from secondary Chronicle OSM introduces 1h delay on all collateral feeds. No public price divergence between Chronicle and Chainlink feeds on ETH/USD or BTC/USD as of 2026-04-27. Phase 2 signal; secondary source mapping not configured. 
RD-F-100 gray Flash loan >$10M targeting protocol tokens DSChief v1.2 implements flash-loan governance protection (source: forum.sky.money post 2020). No flash-loan events targeting Sky governance observed as of 2026-04-27. Phase 2 signal.
RD-F-102 gray Admin/upgrade transaction in mempool Weekly DSPause spell execution txs appear in mempool. Suppression allowlist (governance-pre-announced spells) is required to avoid constant false fires. Mempool listener not wired. Phase 2 signal.
RD-F-105 gray DNS/CDN/frontend hash drift Domains: sky.money, vote.sky.money, vote.makerdao.com, developers.skyeco.com. No public report of DNS hijack or frontend compromise as of 2026-04-27. Multiple frontend surfaces expand monitoring scope. Not wired. Phase 2 signal.
RD-F-106 gray Cross-chain bridge unverified mint pattern SkyLink uses LayerZero OFT burn-and-mint model. Forged lzReceive on a destination chain would produce unbacked USDS mints. Five destination chains (Base, Arbitrum, Optimism, Avalanche, Unichain). Bridge event indexer not configured.
RD-F-107 gray Admin EOA signing from new geography/device Off-chain telemetry not available. DSPause execution is protocol-driven (timelock expiry triggers exec), not manual EOA signing. Practically always gray for this signal class.
RD-F-108 gray GitHub force-push to sensitive branch sky-ecosystem GitHub org has 346 repos. Force-push monitoring on dss and spells-mainnet would be high-value. No public report of unauthorized push as of 2026-04-27. github_private: true means some repos are private — monitoring gap.
RD-F-109 gray Social-media impersonation scam spike No coordinated scam campaign targeting Sky specifically observed in public data as of 2026-04-27. Normal background impersonation noise expected at $5.5B TVL scale.
RD-F-110 gray Unusual pending/executed proposal ratio Governance executes weekly spells with high consistency. No unusual pending/executed ratio reported in public sources. Baseline model not established.
RD-F-098 green TVL anomaly — % drop in <1h TVL $5.49B at snapshot (2026-04-27T03:07:36Z). 1d change 0.0%. 30d change -18.29% is a gradual sector-wide trend, not an anomalous 1h drain. Tier-A threshold (>30% in 60 min) not breached. Signal not firing.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue USDS peg stable at $1.00 ±0.1% on Chainlink as of 2026-04-27. DAI peg also stable. Protocol exposure to USDS/DAI is 100% structural — any >2% depeg would immediately fire this signal. Not firing today.
Dev identity & insider risk Green 4 16 of 16
RD-F-116 yellow Contributor tenure at admin-permissioned PR Endgame Toolkit contributors (Phoenix Labs, Dewiz) have ≥24 months of governance and contribution history, consistent with ≥180-day tenure requirement. However, data cache flags github_private=true; PR-level author tenure for the sky-ecosystem/dss repo cannot be fully enumerated from public data. Yellow assigned for partial-evidence gap.
RD-F-117 yellow ENS/NameStone identity bound to deployer Neither deployer address has an ENS reverse-resolution name per Etherscan. Expected outcome for institutional deployers; low operational risk signal. F117 is P2 (non-critical). Noted for completeness.
RD-F-111 green Team doxx status Rune Christensen fully doxxed: real name, LinkedIn (dk.linkedin.com/in/runebentsenchristensen) with Copenhagen/biochemistry background, Crunchbase Founder/CEO at Sky, IQ.wiki entry, Blockworks conference speaker, @RuneKek on X. Post-Foundation Ecosystem Actors Phoenix Labs and Dewiz are publicly named governance-voted entities.
RD-F-112 green Team public accountability surface Rune Christensen has ≥5 verifiable trails (LinkedIn with employment history, conference talks, prior employer Try China, GitHub, Dragonfly Capital venture partner). Phoenix Labs and Dewiz are publicly identified organisations with governance vote records and multi-year forum participation.
RD-F-113 green Team other-protocol involvement history Rune Christensen founded MakerDAO in 2015 (successful, $5B+ TVL, 77-month history). Phoenix Labs onboarded March 27, 2023 via governance vote. Dewiz is multi-year Ecosystem Actor contributor. No team member linked to prior rug or exit scam found in rekt.news or public OSINT.
RD-F-114 green Deployer address prior on-chain history Sky: Deployer 4 (0xddb108893104de4e1c6d0e47c42237db4e617acc) labeled on Etherscan; first tx June 2019; consistent institutional deployment pattern. Sky: Deployer (0x4ec216c476175a236bd70026b984d4adeca0cfb8) labeled on Etherscan; first tx Sep 2, 2024; exclusively deploys Sky-ecosystem contracts. Neither address cross-references to known rug-deployer list.
RD-F-115 green Prior rug/exit-scam affiliation No team member (Rune Christensen, Phoenix Labs, Dewiz) linked to a prior rug or exit scam. Rekt.news has no MakerDAO/Sky team-member entry. Protocol operational and transparent since 2017.
RD-F-118 green Handle reuse across failed/rugged projects @RuneKek and 'Rune Christensen' identity consistently associated with MakerDAO/Sky since 2015 with no prior alias linked to a failed/rugged project. Ecosystem Actor handles (Phoenix Labs, Dewiz) are fresh identities tied to Sky governance, not recycled from failed projects.
RD-F-119 green Commit timezone consistent with stated geography Rune Christensen is Danish; team geographically distributed across EU and US timezones. No UTC+9 DPRK-anomaly detected in public commit data. github_private=true limits full analysis; no red pattern observable.
RD-F-120 green Video-off/voice-consistency flag Rune Christensen has extensive on-camera video presence including YouTube interviews, Bloomberg TV appearances, Blockworks conference talks. No video-off flag. Post-Foundation contributors maintain attributed forum identities.
RD-F-121 green Contributor OSINT depth score Rune Christensen scores 5/5 (LinkedIn, conference record, prior employer, GitHub, multiple high-credibility media profiles). Phoenix Labs and Dewiz score estimated 3–4/5 at organisation level. Average ~3.5–4/5 meets the ≥4 green threshold for core principals.
RD-F-122 green Contributor paid to DPRK-cluster wallet No published Chainalysis or TRM report links any Sky/MakerDAO contributor payment wallet to DPRK/Lazarus cluster. Contributor payments flow through governance-approved DssVestMintable vesting contracts. No red-flag addresses found in governance vote payment records. OFAC SDN list has no Sky/Maker entries. Confidence is medium (paid CTI API not available).
RD-F-123 green Sudden admin-rescue/ACL change without discussion All protocol-level ACL changes require a governance spell through DSChief and 48-hour DSPause GSM delay. MKR-to-SKY upgrade (May 2025) had months of governance forum discussion. Endgame Toolkit (Sep 2024) preceded by governance polls. Sky Protocol Technical Engine multisig actions bounded by governance-approved spells. No evidence of sudden ACL change without public discussion in 180-day lookback.
RD-F-124 green Deployer wallet mixer-funded within 30 days Sky: Deployer 4 (0xddb108...): funded Jun 24, 2019 from unlabeled intermediate (no mixer tag); no Tornado Cash / Railgun interaction observable. Sky: Deployer (0x4ec216...): funded Aug 29, 2024 from Gnosis Safe (0x3C5142...); 4 days pre-deploy; no mixer tag on funding Safe. Neither deployment within 30 days of mixer funding.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus Sky Ecosystem Foundation is a legally incorporated entity; Rune Christensen publicly identified since 2015. No OFAC SDN listing for any Sky/Maker entity. No published Chainalysis/TRM report connects Sky deployers to DPRK/Lazarus cluster. Protocol operated transparently for 77 months. No proximity to DPRK cluster in any observable on-chain hop.
RD-F-184 green Real-capital social-engineering persona No curator-flagged social-engineering persona associated with Sky Lending. Protocol is a well-established $5B+ TVL flagship with 77-month history. Ecosystem Actor onboarding requires formal governance vote, providing a documented vetting gate. No new-contributor-sudden-trust-elevation pattern observed. The Drift/UNC4736 reference case is a newly-onboarded contributor pattern; Sky does not match this profile.
Fork / dependency lineage Green 0 10 of 10
RD-F-126 n/a Is-a-fork-of Sky Lending / MakerDAO is the original protocol — NOT a fork. The dss codebase (Dai Stablecoin System) is an original implementation. Hundreds of other protocols have forked from MakerDAO; the reverse is not true.
RD-F-127 n/a Upstream patch not merged No upstream protocol to have published unmerged patches. Sky Lending IS the upstream for its ecosystem. Internal security fixes are self-originated and governance-executed.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream protocol. Any vulnerability in Sky/MakerDAO dss originates here. Downstream forks (Liquity, Reflexer) inherit from Sky, not vice versa.
RD-F-129 n/a Code divergence from upstream (%) No upstream fork to diverge from. The Vat has zero code changes since November 2019 deployment. dss repo shows ongoing development but changes are not deployed to the live immutable Vat.
RD-F-130 n/a Fork depth (generations from original audit) Fork depth = 0 (original protocol). This factor applies to multi-hop forks like fork-of-fork-of-Compound. Sky Lending is the origin node.
RD-F-131 n/a Fork retains upstream audit coverage Not a fork; no upstream audit coverage to retain or lose. Sky has its own comprehensive original audit history.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork; no upstream economic parameters to diverge from. Sky's own parameters (stability fees, LTV, debt ceilings) are set by governance votes.
RD-F-133 green Dependency manifest uses unpinned versions sky-ecosystem/usds uses Foundry with git submodule-based library pinning (openzeppelin-contracts-upgradeable as submodule at fixed commit — equivalent to pinned version). foundry.toml specifies solc=0.8.21, optimizer=true, runs=200. No npm-style unpinned ^ or ~ ranges for OZ or Solady.
RD-F-134 green Dependency had malicious-release incident (last 90d) No npm/PyPI/crates.io dependency incident affecting Sky/MakerDAO contracts in trailing 90 days (Jan-Apr 2026). Core dss has no npm deps. Foundry repos use git submodule pinning (not registry). No relevant GitHub security advisories found.
RD-F-135 green Shared-library version with known-vuln status USDS uses OZ upgradeable contracts (Solidity 0.8.21 compatible version, likely v4.x or v5.x) — no known CVE/GHSA for the applicable version range. Core MCD contracts written from scratch without OZ libraries. DappSys libraries audited by Trail of Bits 2017-2018.
Post-deploy hygiene & change mgmt Green 18 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag Core MCD contracts non-upgradeable; bytecode unchanged since 2019. USDS proxy has only one Upgraded event: September 2, 2024 (block 20663730, tx 0xdf7d4ba4...) — no upgrades since. Public repos have release tags; some repos private (github_private:true) limiting exhaustive tag verification.
RD-F-137 yellow Upgrade frequency (per 90 days) Core MCD contracts: 0 proxy upgrades (immutable). USDS proxy: 0 upgrades since Sept 2024. Weekly governance spells produce ~4-5 governance actions/30d (parameter changes, new vest contract deploys, oracle additions). New Chief deployed May 2025 (major governance contract upgrade).
RD-F-139 yellow Post-audit code changes without re-audit Core MCD contracts immutable (no post-audit changes possible). Endgame launch portfolio (USDS, SKY, sUSDS, LitePSM, LockStake, VoteDelegate, Flappers) audited 2024 by ChainSecurity (5 reviews), Cantina (5 reviews), ABDK, Sherlock. New Chief audited by ChainSecurity (sky-chief-smart-contracts). stUSDS audited ChainSecurity + Cantina Aug 2025. Weekly parameter spell instances not individually audited; template coverage exists.
RD-F-145 yellow Deployed bytecode reproducibility Public repos (sky-ecosystem/usds, sky-ecosystem/dss) include Foundry build tooling enabling reproducible builds. Data cache github_private:true indicates some of the 346 sky-ecosystem org repos are private, limiting exhaustive verification.
RD-F-146 yellow New contract deploys in last 30 days Weekly governance spells produce ~4-5 new spell contract deploys per month. Major recent deployments (last 90d): new Chief (0x929d..., May 2025), Protego (0x5C9c3cb..., May 2025), converter (0xA1Ea1bA..., May 2025). stUSDS onboarded September 4, 2025. Each spell contract is a fresh deploy following reviewed templates.
RD-F-168 yellow Stale-approval exposure on deprecated router [migrated from Cat 12 via PD-032 2026-04-23] SAI Emergency Shutdown Nov 2019 (~6 years ago); stale SAI approvals negligible. Active DAI->USDS migration converter is ongoing (not deprecated). If this converter is ever deprecated, stale approvals would be a concern. Full allowance scan not performed.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant SkyLink bridge administered by Sky Governance. Emergency spells can wipe debt ceilings on bridge allocators to halt bridging flow. Oct 31, 2024 executive initialized Base Network SkyLink bridge with allocator ceilings. Specific per-window rate-limiter parameters not verified on-chain. Wormhole->LayerZero Solana migration in-progress.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) All governance actions route through DSPause 48h timelock. Emergency spells bypass GSM only for pre-parameterized parameter pauses via Mom contracts — require hat elevation, cannot bypass for fund-affecting actions. No evidence of bypassed timelock for core contract changes.
RD-F-140 green Fix-merged-but-not-deployed gap No evidence of a known vulnerability with a merged fix left undeployed. Weekly spell cadence ensures prompt deployment of governance-approved changes. No such gap identified in public GitHub or governance forum.
RD-F-141 green Test-mode parameters in deploy September 2024 USDS/SKY/sUSDS launch was community-reviewed out-of-schedule executive. ChainSecurity Endgame Toolkit audit covered deployment scripts. New Chief deployment in May 2025 was a full governance executive with published constructor params. No test-mode parameters identified.
RD-F-142 green Storage-layout collision risk across upgrades USDS uses UUPS with OZ _disableInitializers() + standard OZ storage layout. ChainSecurity 2024 Sky smart contracts audit included upgrade path and storage layout analysis. Single USDS upgrade event (Sept 2024 initial). No storage-layout collision reported in any audit.
RD-F-143 green Reinitializable implementation (no _disableInitializers) USDS.sol constructor calls _disableInitializers() — confirmed verbatim via WebFetch of GitHub source: 'constructor() { _disableInitializers(); // Avoid initializing in the context of the implementation }'. Core MCD contracts (Vat, Pot, Jug) are not proxy-based. sUSDS and SKY follow same OZ pattern per ChainSecurity/Cantina 2024 audits.
RD-F-144 green CREATE2 factory permits same-address redeploy No evidence that Sky Protocol uses a CREATE2 factory pattern allowing redeployment to same address with different bytecode. Governance spells deploy to fresh addresses tracked in the Chainlog.
Cross-chain & bridge Green 17 12 of 12
RD-F-148 yellow Bridge validator count (M) LayerZero OFT (active): DVN count unconfirmed from available sources. Wormhole Guardian (deprecated): 19 validators. Active bridge DVN count is the key unknown.
RD-F-149 yellow Bridge validator threshold (k-of-M) LayerZero OFT (active): DVN threshold unconfirmed. Cannot rule out 1/1 threshold (Kelp DAO catastrophic edge) without on-chain inspection. Wormhole (deprecated): 13-of-19 supermajority. Active bridge threshold is primary risk.
RD-F-151 yellow Bridge ecrecover checks result ≠ address(0) LayerZero v2 OFT uses DVN attestation at the endpoint level, not raw ecrecover in the application layer. The Wormhole-class ecrecover bug pattern does not directly apply. Cannot confirm endpoint-level verification without source inspection. Assessed yellow (not confirmed red; pattern structurally distinct).
RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) Sky USDS OFT Adapter (0x1e1D42781FC170EF9da004Fb735f56F0276d01B8) uses LayerZero v2. DVN count, threshold, and operator diversity could not be confirmed from GitHub or docs. Standard guidance requires multiple independent DVNs. Kelp DAO 1/1 DVN ($292M Apr 2026) is the catastrophic edge case. On-chain getConfig() call required to confirm. Yellow pending verification.
RD-F-150 gray Bridge validator co-hosting Cannot assess DVN operator co-hosting without confirmed DVN operator identities for active LayerZero OFT configuration.
RD-F-155 gray Bridge validator-set rotation recency DVN rotation history not available in accessible public sources. Cannot assess recency.
RD-F-156 gray Bridge uses same key custody for >30% validators DVN operator identities not confirmed; key custody co-hosting cannot be assessed.
RD-F-157 gray Bridge TVL per validator ratio DVN count unconfirmed; USDS Solana bridge TVL not separately tracked. Cannot compute ratio.
RD-F-147 green Protocol has bridge surface Bridge surface confirmed. USDS bridged via LayerZero OFT (active) and SkyLink for EVM chains. Wormhole NTT deprecated Nov 2024. Cat 10 fully applicable.
RD-F-152 green Bridge binds message to srcChainId LayerZero OFT messages bind to srcEid (Ethereum=30101, Solana=30168). Structural to LayerZero v2 packet format. Cross-chain message replay between different source chains prevented.
RD-F-153 green Bridge tracks nonce-consumed mapping LayerZero v2 tracks srcEid->sender->nonce consumed tuples at the endpoint level. Replay prevention is structural to the protocol. OFT adapter inherits this.
RD-F-154 green Default bytes32(0) acceptable as valid root N/A for LayerZero OFT — no Merkle-root acceptance model. The Nomad bytes32(0)-root pattern does not apply to LayerZero v2 per-packet DVN attestation. Nominal green (pattern inapplicable).
Threat intelligence & recon Yellow 22 8 of 8
RD-F-158 yellow Known-threat-actor cluster has touched protocol No public CTI report (OFAC, Chainalysis public, TRM Labs public) placing a known-threat-actor wallet as interacting with Sky core contracts (Vat, DSChief, USDS, LitePSM) in last 30 days. April 18, 2026 Kelp DPRK breach targeted Kelp LayerZero OFT adapter — no confirmed cross-protocol attribution to Sky core. At $5.5B TVL, absence-of-evidence without licensed CTI feed is insufficient for green. Mark yellow.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols CDP/lending class protocols have average reconnaissance time of 14-30 days based on in-house hack DB analysis of the CDP class. Yellow threshold is 7-29 days. Sky's 2020 incidents were opportunistic/governance-mechanics (no 78-day USPD-class pre-strike documented for Sky specifically). At $5.5B TVL, Sky is tier-1 target; the meaningful recon window warrants yellow to prompt monitoring attention.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) No public report of pre-strike low-gas probe transactions targeting Sky Vat or DSChief from threat-labeled wallets. Mempool monitoring and CTI feed not configured.
RD-F-161 gray Protocol-impersonator domain registered (typosquat) Domain monitoring feed not configured. Primary domains: sky.money, skyeco.com, makerdao.com. No public phishing reports targeting sky.money frontends identified in web search as of 2026-04-27. Protocol operates under two brand names (Sky / MakerDAO) across multiple domains — phishing surface wider than single-domain protocols.
RD-F-162 gray Known-exploit-template selector deployed by any address No public report of exploit-template contracts deployed targeting Sky's DSChief, Vat, or USDS contracts. Selector-pattern index not maintained.
RD-F-164 gray Leaked credential on paste/sentry site No public report of Sky protocol infra keys or endpoints leaked on paste sites as of 2026-04-27. Paste monitoring not configured. github_private: true means private repos could contain sensitive info not visible publicly.
RD-F-165 gray Protocol social channel has scam-coordinator flag No flagged scam-coordinator in Sky governance forum (forum.skyeco.com) or X (@SkyEcosystem) identified in public sources. Curator watchlist not maintained.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No current GHSA advisory flagging a malicious release in DappSys or sky-ecosystem dependencies as of 2026-04-27. github_private: true means some dep trees are not publicly inspectable — partial confidence only.
Tooling / compiler / AI Green 13 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Vat deployed with Solidity 0.5.12 (EOL; optimization DISABLED — eliminates optimizer-class bugs). StorageArrayClearingBug fixed in 0.5.10 (before Vat deploy). Liquidations 2.0 uses 0.6.12 (EOL). Endgame USDS/SKY/sUSDS uses 0.8.21 (current, no known bugs). EOL versions in core but practical risk mitigated by optimizer-off and no post-deploy changes.
RD-F-174 yellow Dependency tree uses EOL Solidity version Core Vat uses Solidity 0.5.12 (EOL since 0.6.0 December 2019). Liquidations 2.0 contracts use 0.6.12 (EOL since 0.7.0 July 2020). Endgame contracts use 0.8.21 (current). EOL risk is static for immutable Vat; optimizer disabled for 0.5.12 deploy eliminates optimizer-class bugs. Practical risk low but factor fires on EOL versions in deployed dependency tree.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation Sky Lending is the canonical original — no audited upstream to deviate from. MCD codebase predates AI coding tools (deployed 2019). USDS token (deployed 2024) uses standard OZ UUPS pattern with consistent dss coding conventions. No anomalous bytecode patterns suggesting AI-copy deviation.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI-tool co-authorship markers (Copilot, ChatGPT Code Interpreter) found in commit metadata for public sky-ecosystem/dss or sky-ecosystem/usds repos. Some repos private (github_private: true in data cache) — private repos not inspectable, but core deployed contracts are public.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure of AI-generated Solidity in security-critical code from Sky Ecosystem, MakerDAO, Phoenix Labs, Dewiz, or any named contributor. Sherlock 2024 audit contest documentation includes no AI disclosure. Protocol docs do not mention AI-generated code.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No formal acknowledgment-time SLA published in the Immunefi Sky program page or on developers.skyeco.com. Immunefi program statistics show '16 hours' median resolution — an observed metric, not a committed SLA. Program specifies payout timing (~1 calendar month after bug validation) but not ack timing. No '72-hour acknowledgment' or equivalent commitment found. Yellow: no explicit SLA, but program maturity (18 paid reports, $10M max, MCD_VAT in scope) implies responsive process.
RD-F-175 green Disclosure channel exists Immunefi bug bounty active at https://immunefi.com/bug-bounty/sky/ since 2022-02-10; last updated 2026-02-26. $10,000,000 maximum payout for critical smart contract vulnerabilities (10% of affected funds, min $150K). 216 assets in scope including MCD_VAT (core vault engine), MCD_DAI, MCD_SPOT, MCD_POT, MCD_FLAP, MCD_FLOP, MCD_VOW, MCD_JUG, oracle infrastructure. 18 paid reports confirmed ($603.2K total). Clear, active, highest-TVL contracts explicitly in scope.
RD-F-177 green Prior known-ignored disclosure No evidence any prior disclosed vulnerability was reported to MakerDAO/Sky and ignored before exploitation. The April 2019 DSChief critical flaw is the definitive test case: OpenZeppelin notified MakerDAO April 26 2019; remediation plan April 30; patch reviewed May 2; patched contract deployed and funds migrated before public announcement May 6. Disclosure acted on within 4 days of notification. Black Thursday was an emergent market failure, not a previously-disclosed vulnerability that was ignored.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory formally issued against the Sky / MakerDAO codebase as of 2026-04-28. The April 2019 DSChief vulnerability was disclosed via OpenZeppelin blog post (no CVE number assigned). GitHub Advisory Database (github.com/advisories) searched for 'MakerDAO' and 'sky-ecosystem' — no matching GHSA entries found. Green: no formal advisory outstanding.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol sky-lending