.svg)
Summary
The latest reviewed iteration, v1.12.0, performs the final adjustments preparing the codebase for the final release. The prior release candidate finalized the trust model under which upgradeable integrations are treated as potentially malicious.
The most critical subjects covered in our audit are functional correctness, asset solvency, access control, and external integrations. The general subjects covered are code consistency and documentation.
The most notable findings within this report include violations of functional correctness (e.g. Conflicting slippage constraints block UniswapV3Facet.removeLiquidity) and asset solvency (e.g. Dynamic Call Targets Can Bypass Integration Boundaries). These findings have been resolved. The remaining open findings, the medium-severity Permissionless asset inflows inflate rate limits and some lower-severity ones, have been acknowledged.
In summary, we find that the codebase provides a good level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.
About Diamond PAU
Sky implements Diamond PAU (Parallelized Allocation Units), a modular, facet based architecture that replaces the legacy ALM Controller. Integrations are deployed as standalone facet contracts and registered in a shared Beacon; each deployment’s Controller syncs the relevant integration configs, routes allocator calls through its selector dispatch table, and relies on dedicated AccessControls and RateLimits contracts for authorization. Funds remain in the deployment’s ALMProxy, and existing legacy ALMProxy instances can be reused by authorizing the new Controller as the proxy’s controller.