docs(sky): add USDS & sUSDS risk assessment#204

Draft
spalen0 wants to merge 4 commits into master from usds

spalen0 (Collaborator) commented May 20, 2026

Summary

Closes #203.

Adds a risk assessment for Sky USDS and sUSDS on Ethereum. Final score: 1.4 / 5.0 — Minimal Risk (well inside the 1.0–1.5 band; matches the yvUSDS-1 reference at 1.3).

  • USDS issuance, the USDC↔USDS LitePSM Wrapper (WRAPPER_USDS_LITE_PSM_USDC_A), and the sUSDS savings vault are fully mapped end-to-end with addresses pulled live from the Sky chainlog.
  • All key onchain values verified at block 25137266 (May 20, 2026): USDS supply ~$8.07B mainnet, sUSDS chi 1.0971, SSR ~3.65% APY, USDC Pocket reserves $3.80B, MCD_PAUSE delay 48 h, LitePSM tin = tout = 0.
  • Focus per the issue: depositing/swapping USDC into USDS and sUSDS. The PSM wrapper is atomic, zero-fee, and backed by ~$3.80B USDC — exit capacity dwarfs any realistic Yearn integration size.

Final score breakdown

| Category | Score | Weight | Weighted |
|---|---|---|---|
| Audits & Historical | 1.3 | 20% | 0.260 |
| Centralization & Control | 1.2 | 30% | 0.360 |
| Funds Management | 1.8 | 30% | 0.540 |
| Liquidity Risk | 1.0 | 15% | 0.150 |
| Operational Risk | 1.0 | 5% | 0.050 |
| Final | | | 1.36 → 1.4 / 5.0 |

The residual risk is driven mostly by Cat 3 Funds Management (1.8), reflecting the offchain-custody RWA component of system backing — RWA values onchain are governance-attested via PIP_RWA* oracles rather than market-priced.

Resolved TODOs (commit 3c159cc)

  • Skybase International jurisdiction → Cayman Islands (governing law Cayman; arbitration seat George Town, Grand Cayman, per Sky Terms of Use).
  • LITE_PSM_MOM.halt(...) has never been invoked — full Etherscan log scan of 0x467b…b425 returns 4 events total (2× SetOwner, 2× SetAuthority from deployment).
  • DEX liquidity quantified from DefiLlama — top direct USDS pool is Curve PYUSD-USDS at ~$100M; no significant USDS-USDC DEX pool because the zero-fee PSM dominates exit routing.
  • SKY voter concentration (aggregate) — hat has 6,523,143,752 SKY approvals (~92.9% of locked SKY in Chief; ~27.8% of total SKY supply).
  • LlamaRisk coverage — the current llamarisk.com/research index has no post-rebrand Sky/USDS asset assessment.

Reviewer findings + score recalibration

Round 1 (commit c5b60f3) — reviewer findings:

  • Header score inconsistency (1.3 vs 1.4) corrected.
  • "Issued only through two" overview reworded to "two permissionless user-facing 1:1 swap paths" with explicit pointer to D3M / CDP-via-DAI as separate governance/borrow channels.
  • Conservative round-up rule applied consistently to one-decimal category scores.

Round 2 (commit 559a54e) — score recalibration after pushback that the initial score over-stated risk:

  • Cat 2A Governance: 2.0 → 1.0. Sky's Chief is one of the most decentralized governance systems in DeFi — token-weighted continuous voting with no multisig, no EOAs, all wards held via PauseProxy. Meets the rubric's Score-1 "fully decentralized DAO" criterion and exceeds the "Multisig above 3/5, no EOA, multi-party approval" criterion (the entire SKY-holder set is the approver). 48 h timelock is below the 7-day Score-1 criterion, but Chief's live re-vote in the delay window extends the effective defense. LITE_PSM_MOM emergency channel is a one-sided pause mechanism that has never been invoked.
  • Cat 2C External Dependencies: 2.0 → 1.5. Prior wording double-counted MCD core as both internal architecture and external dependency. True external surface is USDC (blue-chip, critical) + Chainlink oracles (mature, multi-source).
  • Cat 3B Provability: kept at 1.5 — explored a 1.0 but conceded: RWA values onchain are set by governance via PIP_RWA* oracles based on offchain attestations from custodians. The user-facing swap layer (PSM, sUSDS) is fully verifiable, but system-wide solvency verification has an offchain component, so Score 1.0 is not defensible.

Remaining TODOs (manual follow-up, not derivable from contract storage alone)

  • Top-10 individual SKY voter breakdown (offchain enrichment — Sky governance UI or a Vote/Lock event subgraph).
  • Programmatic per-ilk RWA backing share at snapshot (Sky publishes attestations on the governance forum).

Test plan

  • Confirm header (1.4/5.0) and risk-tier text (Minimal Risk) match for site parser consistency.
  • Sanity-check Cat 2 scoring against the rubric (Score 1 "fully decentralized DAO" with the 48 h timelock caveat).
  • Spot-check key onchain addresses against the Sky chainlog.
  • Confirm focus on USDC↔USDS and sUSDS deposit risks matches the issue scope.
  • Confirm remaining TODOs are acceptable to leave for manual follow-up before merging out of draft.

🤖 Generated with Claude Code

vercel Bot commented May 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
|---|---|---|---|
| risk-score | Ready | Preview, Comment | May 20, 2026 7:54pm |

- Skybase International jurisdiction: Cayman Islands (per Terms of Use)
- LITE_PSM_MOM has never invoked Halt (full event-log scan: 4 events
  total, all SetOwner/SetAuthority)
- DEX liquidity quantified from DefiLlama; PSM remains dominant exit
- SKY voter concentration: hat has 6.52B approvals (~92.9% of locked
  SKY in Chief)
- LlamaRisk index has no post-rebrand Sky/USDS asset assessment

Remaining open items (manual follow-up): top-10 SKY voter breakdown
and per-ilk RWA backing share.

- Fix header score inconsistency (1.3 → 1.5) so the site parser and
  body agree.
- Apply conservative round-up rule consistently to one-decimal category
  scores: Cat 1 = 1.3 (was 1.5), Cat 2 = 1.7 (was 1.5), Cat 3 = 1.8
  (was 1.5). Recomputed weighted final 1.510, displayed as 1.5 / 5.0.
- Risk tier moves from Minimal to Low Risk per conservative interpretation
  of the 1.5 boundary (unrounded score 1.510 > 1.5).
- Reword overview: "two atomic, fee-free conversion paths" reframed as
  "two permissionless user-facing 1:1 swap paths"; D3M and CDP/LockStake
  issuance are now explicitly noted as separate governance/borrow channels
  cross-linking to the four-channel breakdown in Funds Management.

- Cat 2A Governance: 2.0 → 1.0. Sky's Chief is one of the most
  decentralized governance systems in DeFi: token-weighted continuous
  voting with no multisig, no EOAs, all wards via PauseProxy. Meets the
  rubric's Score-1 "fully decentralized DAO" criterion and exceeds the
  "Multisig above 3/5, no EOA" criterion (entire SKY-holder set is the
  approver). 48 h timelock is short of the 7-day Score-1 criterion but
  Chief's live re-vote extends the effective defense window. LITE_PSM_MOM
  emergency channel is a one-sided pause-only mechanism that has never
  been invoked.
- Cat 2C External Dependencies: 2.0 → 1.5. Prior wording double-counted
  MCD core as both internal architecture and external dependency. True
  external surface is USDC (blue-chip, critical) + Chainlink oracles
  (mature, multi-source).
- Cat 3B left at 1.5 (RWA opacity affects system-wide solvency
  verification; cannot defensibly be 1.0).

Recomputed: Cat 1=1.3, Cat 2=1.2 (was 1.7), Cat 3=1.8, Cat 4=1.0,
Cat 5=1.0 → weighted 1.360 → 1.4/5.0. Risk tier returns to Minimal Risk
(well inside the 1.0-1.5 band, matching the yvUSDS-1 reference at 1.3).
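
A consistency check for the first test-plan item, written as an added example and not part of the PR or the repository's site parser: it re-derives the final score and tier from the category table and compares them with the header. The function names are hypothetical, the tier is assumed to be decided on the unrounded score as the commit message above describes, and only the Minimal/Low boundary at 1.5 is modelled.

```python
from decimal import Decimal, ROUND_HALF_UP
import re

# Category rows copied from the PR description's score table.
TABLE = """\
Audits & Historical 1.3 20% 0.260
Centralization & Control 1.2 30% 0.360
Funds Management 1.8 30% 0.540
Liquidity Risk 1.0 15% 0.150
Operational Risk 1.0 5% 0.050
"""
ROW = re.compile(r"^(.+?) (\d\.\d) (\d+)% (\d\.\d{3})$")
MINIMAL_MAX = Decimal("1.5")  # upper edge of the 1.0-1.5 Minimal Risk band


def parse_rows(text):
    """Return (name, score, weight, weighted) tuples as exact Decimals."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        name, score, pct, weighted = m.groups()
        rows.append((name, Decimal(score), Decimal(pct) / 100, Decimal(weighted)))
    return rows


def check(text, header_score, header_tier):
    """List every inconsistency between table, header score and tier text."""
    rows, problems = parse_rows(text), []
    if sum(w for _, _, w, _ in rows) != 1:
        problems.append("weights do not sum to 100%")
    for name, score, weight, weighted in rows:
        if score * weight != weighted:
            problems.append(f"{name}: weighted column != score x weight")
    final = sum(s * w for _, s, w, _ in rows)
    shown = final.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
    # Assumption from the commit message: the tier uses the unrounded score,
    # so 1.510 is Low Risk even though it is displayed as 1.5.
    tier = "Minimal Risk" if final <= MINIMAL_MAX else "Low Risk"
    if shown != Decimal(header_score):
        problems.append(f"header says {header_score}, table gives {shown}")
    if tier != header_tier:
        problems.append(f"header says {header_tier}, table gives {tier}")
    return final, problems
```

Run against the Round 1 category scores (Cat 2 = 1.7), the same check reports the tier mismatch that the second commit message resolves by moving to Low Risk.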