Spells

Introduction

Spells are specialized smart contracts that encode and execute governance-approved changes to Sky Protocol, serving as the definitive bridge between community voting decisions and on-chain protocol modifications ^[1]. In the Sky ecosystem (formerly MakerDAO), every parameter adjustment, collateral onboarding, system upgrade, oracle update, and emergency response flows through the spell mechanism—making spells the critical technical implementation layer for one of decentralized finance's most complex governance systems.

The term "spell" is unique to Sky Protocol and refers to all technical components of an executive vote, encompassing the codebase, code operations, code reviews, and overall code quality ^[1]. Unlike traditional multi-use smart contracts, spells are designed as atomic, one-time executables that perform their defined actions exactly once and cannot be reused. This architectural choice ensures that each governance decision receives a purpose-built, audited implementation rather than relying on generic templated code that might introduce unintended side effects.

The spell system has evolved through nearly a decade of real-world operation, surviving multiple security incidents including the October 2020 flash loan governance attack, Black Thursday's cascade of zero-bid liquidations, and various smart contract vulnerabilities ^[34]^[35]^[37]^[38]. Each crisis refined the system's security model, resulting in today's sophisticated infrastructure of time-delayed execution, emergency response mechanisms, cross-organization review processes, and automated monitoring systems.

As of December 2025, Sky Protocol employs a comprehensive spell infrastructure featuring:

GSM Pause Delay: 30-48 hours of mandatory delay before spell execution ^[6]
Spell Teams: Two primary organizations (Sidestream and Dewiz) providing crafting and review services ^[3]
Emergency Mechanisms: Standby spells, Protego cancellation, and pre-deployed circuit breakers ^[7]^[8]
Automated Infrastructure: Chief-keeper bots for hat management, extensive test suites, and formal verification ^[12]^[23]

This article provides a comprehensive examination of spell architecture, lifecycle, security mechanisms, historical incidents, and the operational processes that make spells the backbone of Sky Protocol's governance execution. Understanding spells is essential for anyone participating in Sky governance, developing on the protocol, or studying DeFi governance mechanisms.

History and Evolution

The spell mechanism emerged alongside MakerDAO's pioneering development of decentralized governance infrastructure, evolving from simple parameter changes in 2017 to a sophisticated multi-layered system capable of coordinating complex protocol upgrades across multiple contracts and chains.

Origins and the DappHub Foundation (2017-2018)

MakerDAO's governance module, including the spell system, was designed during the protocol's foundational development period in 2017-2018 ^[15]. The architecture drew heavily from DS-Auth patterns developed by DappHub—a collection of modular smart contract building blocks created by MakerDAO's early developers. This foundation established the critical separation between voting (Chief contract) and execution (Spell contracts) that remains central to Sky governance today.

The original DSChief contract (version 1.0) implemented continuous approval voting, a mechanism where token holders could deposit MKR and approve multiple proposals simultaneously ^[16]. The proposal with the most weighted approvals became the "hat"—the designated address with authority to trigger governance actions. This design avoided the discrete voting periods common in traditional governance systems, instead allowing governance to respond fluidly to changing community preferences.

Early spells were relatively simple Solidity contracts that modified individual parameters—stability fees, debt ceilings, or oracle addresses. However, as Multi-Collateral DAI launched in November 2019, spell complexity grew dramatically with the need to coordinate changes across dozens of interacting contracts ^[15].

The Governance Security Module Activation (December 2019)

The Governance Security Module (GSM) was activated on December 9, 2019, introducing the critical time-delay mechanism that protects against malicious governance actions ^[25]^[26]. The initial GSM Pause Delay was set at 24 hours, giving token holders time to review approved changes before execution and providing a window to trigger Emergency Shutdown if necessary.

The GSM activation represented a philosophical shift in MakerDAO's governance model. Prior to the GSM, approved spells could execute immediately, creating a theoretical window where a governance attack could drain the protocol before defenders could respond. The 24-hour delay introduced a security buffer but also created new challenges around emergency response capabilities ^[25].

Key technical elements of the original GSM implementation included:

Pause Contract: Queues scheduled transactions and enforces the delay period ^[17]
Authority Checks: Only the "hat" address (the winning spell) could schedule new actions
Emergency Shutdown Override: The ESM module could bypass all governance to trigger shutdown if 50,000 MKR was deposited

Black Thursday and Emergency Governance (March 2020)

March 12, 2020—"Black Thursday"—tested the spell system under extreme duress when a market crash triggered cascading liquidations across the Maker Protocol ^[37]^[38]. Ethereum network congestion caused keepers (liquidation bots) to fail, and approximately $8.32 million in ETH collateral was liquidated for zero DAI in auctions where the winning bidders were the only participants.

The crisis exposed critical vulnerabilities in the spell system's emergency response capabilities:

The Emergency Response Challenge

With the 24-hour GSM delay in place, the protocol couldn't quickly adjust parameters to stabilize the system. The governance community faced a difficult choice: reduce the GSM delay to enable faster responses (increasing governance attack surface) or accept that emergency parameter changes would always lag behind market crises.

The community chose to temporarily reduce the GSM delay to 4 hours through an emergency spell on March 13, 2020. This decision demonstrated both the flexibility and the risks inherent in the governance system—faster response times came at the cost of reduced security margins ^[31]^[45].

Lessons Learned

Black Thursday catalyzed several improvements to the spell infrastructure:

Emergency Shutdown Threshold Review: Confirmed the 50,000 MKR threshold was appropriate for nuclear option
GSM Delay Flexibility: Established precedent for adjusting delay based on threat environment
Circuit Breaker Development: Accelerated work on automatic protection mechanisms
Liquidation System Redesign: Led to development of Liquidations 2.0 (auction mechanism improvements)

The GSM delay was gradually increased back to 72 hours by October 2020 as the immediate crisis subsided and the need for strong governance security reasserted itself.

The Flash Loan Governance Attack (October 2020)

On October 26, 2020, a pivotal incident demonstrated both the sophistication of DeFi composability and a critical vulnerability in the spell system's voting mechanism ^[34]^[35]^[36].

The Attack Mechanics

B.Protocol, a DeFi project seeking oracle whitelisting, executed a flash loan governance manipulation:

Flash Loan Acquisition: Borrowed $20 million (approximately 50,000 ETH) from dYdX and Aave
Token Swap: Used Uniswap to acquire approximately 13,000 MKR (worth ~$7 million at the time)
Vote Casting: Deposited MKR in the Chief contract and voted for their oracle whitelisting proposal
Immediate Withdrawal: Withdrew MKR, swapped back to ETH, and repaid the flash loan
Net Result: Gained temporary voting power sufficient to influence governance at minimal cost

The entire operation occurred within a single Ethereum transaction, costing only gas fees (~$1,000) rather than the millions of dollars that permanent token acquisition would require.

Transparency and Intent

B.Protocol acted transparently, publishing their intentions and noting that the proposal itself was legitimate—they genuinely wanted oracle access. The demonstration was partly educational, showing the community that flash loan governance attacks were practical, not just theoretical ^[34].

However, the attack exposed a critical vulnerability: the DSChief 1.0/1.1 contracts allowed voting and withdrawal within the same block, enabling zero-cost temporary governance power acquisition ^[30].

Emergency Response (October 30, 2020)

The MakerDAO community responded with an emergency executive vote within four days ^[28]:

GSM Delay Increase: Raised from 12 hours to 72 hours, providing maximum response window ^[30]
Module Deauthorization: Removed instant-access modules (Oracle Freeze, Liquidations Circuit Breaker) that could be exploited with temporary governance control
DsChief 1.2 Planning: Began development of flash-loan-resistant voting mechanism

DSChief 1.2: The Definitive Fix

DSChief 1.2, deployed on May 3, 2021, implemented cross-block voting requirements to prevent same-block flash loan manipulation ^[27]^[18]. The key changes:

Lock Delay: MKR must be locked for at least one block before votes count
Free Delay: Cannot withdraw MKR in the same block as locking
Snapshot Voting: Vote weights calculated based on prior block state

The new Chief contract was deployed at address 0x9ef05f7f6deb616fd37ac3c959a2ddd25a54e4f5 ^[47]. All MKR holders were required to migrate their locked tokens from the old Chief to the new one—a governance upgrade requiring coordination across thousands of token holders.

The Dark Spell Mechanism (MIP15)

Concurrent with flash loan attack responses, the governance community formalized the dark spell mechanism through MIP15, approved in September 2020 ^[29]. Dark spells addressed a different security challenge: how to patch critical vulnerabilities without exposing details to potential attackers.

The Responsible Disclosure Problem

Traditional responsible disclosure requires sharing vulnerability details with the affected party before public announcement. In decentralized governance, the "affected party" is thousands of anonymous token holders who vote on fixes. Publishing vulnerability details to enable informed voting also publishes them to attackers.

CREATE2 Pre-Commitment Solution

Dark spells use Ethereum's CREATE2 opcode to pre-commit to a spell address before revealing the actual bytecode ^[24]:

Deploy Factory: Deploy a factory contract with known bytecode
Compute Address: Calculate the deterministic address where the fix spell will deploy
Vote on Address: Governance votes on the computed address without seeing the fix code
Reveal and Deploy: After vote passes, reveal bytecode and deploy to the pre-committed address
Execute: Spell executes through normal GSM delay process

MIP15 established strict criteria for dark spell usage:

Critical bugs affecting 10% or more of collateral value
Vulnerabilities that could cause significant protocol damage
Situations where disclosure would enable exploitation before fix deployment

Subsequent Evolution

The dark spell mechanism was later superseded by MIP102c2-SP1 as the Atlas governance framework evolved, but the underlying pattern remains available for critical vulnerability response ^[32].

WBTC Spells Bug Incident (March 2021)

In March 2021, a bug in spell code for WBTC-B parameters highlighted the importance of rigorous spell testing ^[39]. The spell incorrectly configured parameters, potentially exposing the protocol to risk. The incident was caught during review, the spell was not executed, and the discovery led to enhanced testing procedures including:

Expanded integration test coverage
Additional code review checklists
Improved parameter validation in dss-exec-lib

March 2023 Governance Crisis

March 2023 brought a governance crisis when competing factions created conflicting spells, temporarily fragmenting the community's focus and raising concerns about governance capture ^[33]. While details remain sensitive, the incident reinforced the importance of:

Clear governance procedures documented in the Atlas
Spell team neutrality and professionalism
Emergency response coordination capabilities
The role of Protego in canceling contentious proposals

Transition to Sky Protocol (2024-2025)

The August-September 2024 rebrand from MakerDAO to Sky Protocol brought comprehensive updates to the spell system while maintaining core functionality ^[51]. Key transition elements:

Token Upgrade Spells

The MKR-to-SKY governance token upgrade (Phase One executed May 15, 2025) required careful spell choreography to transition voting power ^[51]:

Migration contract deployment and configuration
Chief contract updates for SKY compatibility
Delegate proxy modifications
Vote weight recalculation (1 MKR = 24,000 SKY)

GSM Delay Adjustments

The transition period saw multiple GSM delay adjustments reflecting changing security requirements:

Date	GSM Delay	Context
March 2024	16 hours	Pre-transition operational flexibility
August 2024	30 hours	Post-rebrand security hardening
October 2024	48 hours	Enhanced protection during token migration
December 2024	30 hours	Return to operational balance

Protego Deployment

The Protego cancellation contract was formally added to the chainlog in the May 15, 2025 executive, establishing the definitive mechanism for stopping malicious or erroneous spells before execution ^[51]^[49].

Technical Architecture

Spells operate within Sky Protocol's governance module, interacting with the Chief voting contract, the Pause delay mechanism, and the protocol's core smart contracts to implement authorized changes atomically. Understanding this architecture is essential for anyone participating in governance validation or spell development.

Governance Module Overview

The governance module consists of several interconnected smart contract components that together enable secure, decentralized protocol control ^[15]:

┌─────────────────────────────────────────────────────────────────┐
│                     SKY TOKEN HOLDERS                            │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼ lock/free/vote
┌─────────────────────────────────────────────────────────────────┐
│                    DSCHIEF 1.2 (Voting)                          │
│  Contract: 0x9ef05f7f6deb616fd37ac3c959a2ddd25a54e4f5           │
│  - Continuous approval voting                                    │
│  - Hat mechanism (highest approval = authority)                  │
│  - Cross-block lock requirements                                 │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼ schedule (only hat)
┌─────────────────────────────────────────────────────────────────┐
│                    PAUSE (GSM Delay)                             │
│  - Queues scheduled transactions                                 │
│  - Enforces time delay (currently 30-48h)                       │
│  - Contains plan() and exec() functions                         │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼ cast() after delay
┌─────────────────────────────────────────────────────────────────┐
│                    SPELL CONTRACT                                │
│  - One-time executable                                           │
│  - Contains SpellAction with protocol changes                   │
│  - Uses delegatecall for atomic execution                       │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼ modify
┌─────────────────────────────────────────────────────────────────┐
│               SKY PROTOCOL CORE CONTRACTS                        │
│  Vat, Jug, Spot, Cat, Vow, Flapper, Flopper, etc.              │
└─────────────────────────────────────────────────────────────────┘

DSChief: The Voting Contract

The DSChief contract implements continuous approval voting, a mechanism fundamentally different from discrete voting periods ^[16]^[47]:

Core Functions

Function	Purpose	Parameters
`lock(uint256 wad)`	Deposit SKY tokens for voting	Amount to lock
`free(uint256 wad)`	Withdraw SKY tokens	Amount to withdraw
`vote(address[] memory yays)`	Approve proposals	Array of spell addresses
`vote(bytes32 slate)`	Vote for pre-registered slate	Slate identifier
`lift(address whom)`	Make address the hat	Target spell address

The Hat Mechanism

The "hat" is the proposal with the highest weighted approval at any given time. Only the hat has authority to schedule new governance actions in the Pause contract. When a new spell accumulates more approvals than the current hat, anyone can call lift() to transfer hat status.

Cross-Block Protection (DSChief 1.2)

The 1.2 upgrade introduced critical flash loan protection ^[27]:

// Simplified illustration of cross-block requirement
function lock(uint wad) public {
    GOV.transferFrom(msg.sender, address(this), wad);
    deposits[msg.sender] = add(deposits[msg.sender], wad);
    // Vote weight doesn't count until next block
    lastBlock[msg.sender] = block.number;
}

function vote(address[] memory yays) public {
    // Require lock occurred in previous block
    require(lastBlock[msg.sender] < block.number, "same-block-lock");
    // Record vote...
}

This prevents atomic flash loan voting by ensuring tokens must be held across at least one block boundary before their voting weight applies.

Pause Contract: The GSM Delay Mechanism

The Pause contract enforces the GSM delay—the mandatory waiting period between spell approval and execution ^[17]:

Core Functions

Function	Purpose	Access
`plan(address usr, bytes32 tag, bytes memory fax, uint256 eta)`	Schedule a spell	Hat only
`drop(address usr, bytes32 tag, bytes memory fax, uint256 eta)`	Cancel scheduled spell	Hat only
`exec(address usr, bytes32 tag, bytes memory fax, uint256 eta)`	Execute after delay	Anyone

Parameters Explained

usr: The spell contract address
tag: Hash of spell contract's bytecode
fax: Encoded function call data (typically the execute() function)
eta: Timestamp when spell becomes executable (current time + GSM delay)

Delegatecall Execution

When exec() is called, the Pause contract uses delegatecall to execute the spell's code in the Pause contract's storage context. This is why spell action contracts must be carefully written—they execute with the Pause contract's authority ^[11]:

The cast() function triggers the complete execution flow ^[10]:

// The cast() function on a spell triggers this flow:
// 1. Spell.cast() calls pause.exec()
// 2. Pause.exec() verifies eta has passed
// 3. Pause uses delegatecall to SpellAction.execute()
// 4. SpellAction modifies protocol with Pause's authority

DS-Spell Contract Structure

Individual spells follow a standardized structure ^[14]:

contract DssSpell is DssExec {
    constructor() DssExec(block.timestamp + 30 days, address(new DssSpellAction())) {
    }
}

contract DssSpellAction is DssAction {
    function officeHours() public pure override returns (bool) {
        return true;  // Restrict execution to business hours
    }

    function actions() public override {
        // Protocol modifications here
        DssExecLib.setIlkStabilityFee("ETH-A", FOUR_PCT_RATE);
        DssExecLib.setIlkDebtCeiling("ETH-A", 1_000_000_000);
        // ... additional actions
    }
}

Key Characteristics

Immutability: Parameters are set at deployment and cannot change
Single-Use: The done flag prevents re-execution
Atomic: All actions succeed or all revert
Time-Bounded: 30-day expiration prevents stale spells from executing
Office Hours: Optional restriction to specific execution windows

dss-exec-lib: The Spell Crafting Library

The dss-exec-lib library (deployed at 0x8de6ddbcd5053d32292aaa0d2105a32d108484a6) provides standardized functions for protocol modifications ^[20]^[48]:

Core Parameter Functions

Function	Purpose	Example
`setIlkDebtCeiling(bytes32 ilk, uint256 amount)`	Set collateral debt ceiling	500M DAI for ETH-A
`setIlkStabilityFee(bytes32 ilk, uint256 rate)`	Set collateral interest rate	4% APY
`setIlkLiquidationRatio(bytes32 ilk, uint256 pct)`	Set collateral LTV	150%
`setIlkLiquidationPenalty(bytes32 ilk, uint256 pct)`	Set liquidation fee	13%
`setIlkDust(bytes32 ilk, uint256 amount)`	Set minimum vault size	15,000 DAI

System-Wide Functions

Function	Purpose
`setGlobalDebtCeiling(uint256 amount)`	Total protocol debt limit
`setDSR(uint256 rate)`	DAI/USDS Savings Rate
`setSurplusBuffer(uint256 amount)`	System surplus threshold
`setSystemSurplusAuctionAmount(uint256 amount)`	Flap auction lot size

Permission Functions

Function	Purpose
`authorize(address base, address ward)`	Grant contract permissions
`deauthorize(address base, address ward)`	Revoke contract permissions
`setContract(address base, bytes32 what, address addr)`	Update contract references

Helper Utilities

Function	Purpose
`sendPaymentFromSurplusBuffer(address target, uint256 amount)`	Treasury payments
`linearInterpolation(...)`	Gradual parameter changes
`delegateVat(address usr)`	Delegate Vat permissions

Using these standardized functions reduces spell complexity and error potential compared to raw Solidity interactions with protocol contracts.

DssAction Base Contract

All SpellAction contracts inherit from DssAction, which provides the execution framework ^[20]:

abstract contract DssAction {
    // To be overridden by implementing contract
    function actions() public virtual;

    // Office hours check (override to disable)
    function officeHours() public virtual returns (bool);

    // Description for governance
    function description() external virtual view returns (string memory);

    // Execute the spell actions
    function execute() external {
        require(!done, "spell-already-cast");
        if (officeHours()) {
            require(block.timestamp % 1 weeks >= 14 hours, "not-office-hours");
            require(block.timestamp % 1 weeks < 21 hours, "not-office-hours");
        }
        actions();
        done = true;
    }
}

Office Hours Restriction

The office hours modifier restricts spell execution to 14:00-21:00 UTC, Monday through Friday ^[44]. This constraint ensures execution occurs when maximum community members and developers are available to respond to issues. The restriction can be disabled for time-sensitive operations by overriding officeHours() to return false.

Chief Keeper: Automated Hat Management

The chief-keeper bot monitors the DSChief contract and automatically lifts spells to hat status when they accumulate sufficient approvals ^[12]^[23]:

Operational Parameters

Monitors DSChief for approval changes every block
Compares spell approvals against current hat
Calls lift() when a new spell exceeds hat threshold
Runs continuously via dedicated infrastructure

Technical Implementation


while True:
    current_hat = chief.hat()
    current_approvals = chief.approvals(current_hat)

    for spell in pending_spells:
        spell_approvals = chief.approvals(spell)
        if spell_approvals > current_approvals:
            # Lift this spell to become the new hat
            chief.lift(spell)
            break

    wait_for_next_block()

Contract Addresses (Mainnet)

Component	Address
DSChief 1.2	`0x9ef05f7f6deb616fd37ac3c959a2ddd25a54e4f5` ^[47]
dss-exec-lib	`0x8de6ddbcd5053d32292aaa0d2105a32d108484a6` ^[48]
Protego	`0x5C9c3cb0490938c9234ABddeD37a191576ED8624` ^[49]

Spell Types

Sky Protocol employs several categories of spells with distinct purposes, security characteristics, and execution requirements. Understanding these categories is essential for governance participants evaluating proposals.

Regular Executive Spells

Standard executive spells follow a weekly cadence and implement routine governance decisions ^[1]:

Common Operations

Parameter Adjustments: Stability fees, debt ceilings, liquidation ratios, dust limits
Collateral Management: Onboarding new collateral types, offboarding deprecated ones
Oracle Updates: Adding/removing oracle sources, updating price feed configurations
Treasury Operations: Budget disbursements, delegate compensation, service provider payments
Technical Upgrades: Contract migrations, permission updates, integration changes

Execution Characteristics

Subject to full GSM Pause Delay (30-48 hours)
Complete review process by Spell Teams
Office hours restriction applies
30-day expiration window
Visible on governance portal throughout lifecycle

Out-of-Schedule Spells

Some situations require spell execution outside the standard weekly schedule ^[1]:

Triggers for Out-of-Schedule Spells

Urgent parameter changes responding to market conditions
Critical security patches
Time-sensitive governance decisions
External integration requirements

Process Differences

Expedited review process (same security standards, compressed timeline)
Service-level agreements (SLAs) determined case-by-case
May require emergency coordination across time zones
Often accompanied by forum announcements explaining urgency

Emergency Spells

Emergency spells provide rapid response capabilities for crisis situations, with some mechanisms bypassing the standard GSM delay ^[2]^[13].

Standby Spells

Standby spells are pre-deployed contracts that allow Sky Governance to bypass the GSM Pause Delay for critical emergency actions ^[7]. Unlike regular spells, standby spells are reusable and can be executed multiple times.

Standby Spell Categories

Category	Target	Examples
Single-Collateral	One collateral type	`SingleOsmStopSpell`, `SingleDdmDisableSpell`, `SingleClipBreakerSpell`
Grouped	Predefined collateral list	`GroupedLineWipeSpell`, `GroupedClipBreakerSpell`, `GroupedOsmStopSpell`
Multi-Collateral	Multiple collaterals	`MultiOsmStopSpell`, `MultiClipBreakerSpell`, `MultiLineWipeSpell`
Global	System-wide	`SplitterStopSpell`, `SpBeamHaltSpell`, `GlobalSettlementTrigger`

Critical Emergency Actions Enabled

Oracle Stop: Freeze a compromised price feed (OsmStopSpell)
Debt Ceiling Wipe: Set collateral debt ceiling to zero (LineWipeSpell)
D3M Disable: Disable Direct Deposit Module integrations (DdmDisableSpell)
Liquidation Halt: Stop liquidations for specific collateral (ClipBreakerSpell)
Splitter Stop: Halt the surplus splitter mechanism
Beam Halt: Stop SP-BEAM allocator operations

MOM Contracts

"MOM" contracts (OsmMom, ClipperMom, FlipperMom, LineMom) provide the actual bypass mechanism, allowing authorized actors to execute specific emergency functions without GSM delay ^[7]:

// Example: OsmMom allows stopping an oracle immediately
contract OsmMom {
    function stop(bytes32 ilk) external auth {
        // No GSM delay - executes immediately
        OsmAbstract(osms[ilk]).stop();
    }
}

Protego: The Cancellation System

Protego is a contract that allows Sky Governance to cancel the execution of planned governance actions awaiting GSM Pause Delay expiration ^[8]^[49].

Core Features

Feature	Description
Emergency Drop Spells	Can cancel any planned governance action before GSM delay elapses
Permissionless Cancellation	Authorized users can cancel single or multiple planned actions
Accountability	Breach of Protego usage requirements constitutes misalignment

Technical Parameters

usr: Authorized user (typically a multi-sig or governance address)
tag: Target spell identification
fax: Encoded calldata of the planned action
eta: Scheduled execution timestamp
plans: Queue of pending actions

Use Cases

Malicious Spell Detection: Community identifies harmful code after approval but before execution
Parameter Errors: Spell contains incorrect values that would destabilize protocol
Market Condition Changes: Approved changes no longer appropriate for current environment
Governance Dispute Resolution: Contested proposal requires reconsideration

Dark Spells (MIP15 Legacy)

Dark spells use CREATE2 deployment to enable voting on vulnerability fixes without disclosing details ^[29]^[24]^[32]:

Process Flow

Security team identifies critical vulnerability
Fix code is written but not disclosed
CREATE2 factory computes deterministic deployment address
Governance votes on the address (without seeing code)
After approval, code is revealed and deployed
Spell executes through normal GSM process

Current Status

While MIP15 was superseded by MIP102c2-SP1, the underlying technical capability remains available. The pattern was used during actual vulnerability disclosures and remains a template for responsible disclosure in decentralized systems.

Prime Spells

Prime Spells execute governance actions for Sky Stars (Prime Agents) such as Spark, Grove, Keel, and Obex ^[9]:

Execution Methods

Direct Execution through Sky Core Spell: Standard approach where Star actions are included in main executive
Execution through StarGuard: Preferred method using isolated execution environment (preferred method)

StarGuard Architecture

StarGuard provides a sandbox for Star operations, limiting potential damage from compromised or buggy Star spells:

Isolated permission set
Limited scope of accessible contracts
Audit requirements specific to Star operations
Separate review process from core protocol spells

Security Requirements

Prime Spells are subject to comprehensive security guidelines communicated through official channels. Violations constitute misalignment with potential escalated penalties under Atlas framework ^[9].

Spellcrafting Process

The spell development and review process involves multiple specialized roles working within a structured workflow to ensure security and correctness. This section details the complete lifecycle from governance decision to execution.

Spell Team Structure

Each executive vote requires a dedicated Spell Team with defined roles and responsibilities ^[3]:

Required Composition

Role	Count	Requirements
Spell Crafter	1	Writes the spell code
Spell Reviewers	≥2	Verify correctness and security

Cross-Organization Requirements

At least one reviewer must be from a different Ecosystem Actor than the Crafter
The Crafter cannot serve as Reviewer for the same spell
Rotation requirements prevent consecutive crafting by same person

Current Spell Roster

The Spell Roster as of December 2025 consists of two primary teams ^[3]:

Team	Primary Function	Notable Contributions
Sidestream	Spell crafting and review	Weekly executive support
Dewiz	Spell crafting and review, library maintenance	dss-exec-lib development

Spell Crafter Responsibilities

The Spell Crafter bears primary responsibility for translating governance decisions into executable code ^[4]:

Core Duties

Parse written instruction set from Executive Sheet into Solidity code
Develop the spell implementation
Responsible for ALL code additions, modifications, or removals
Run comprehensive test suite before submitting for review
Address all reviewer feedback
Deploy final approved spell to mainnet

Rotation Requirement

The same person cannot craft spells for two consecutive Executive Votes. This rotation ensures knowledge distribution and prevents single points of failure ^[4].

Workflow Adherence

Crafters follow detailed checklists from the pe-checklists repository ^[22]:

## Pre-Development
- [ ] Review Executive Sheet for completeness
- [ ] Verify all required parameters are specified
- [ ] Confirm no conflicts with pending spells

## Development
- [ ] Clone spells-mainnet template
- [ ] Implement all required actions
- [ ] Add comprehensive test cases
- [ ] Run full test suite (forge test)

## Pre-Review Submission
- [ ] All tests passing
- [ ] Code formatted (forge fmt)
- [ ] Self-review completed
- [ ] PR created with proper description

Spell Reviewer Responsibilities

Spell Reviewers provide independent verification of spell correctness and security ^[5]:

Core Duties

Review draft spells as parsed by the Spell Crafter
Verify spell quality, find issues, catch bugs and mistakes
Confirm alignment between governance decisions and implementation
Sign off on final approval

Explicit Restrictions

Cannot perform any addition, modification, or removal of code
May only suggest changes to the Crafter
Final approval authority rests with reviewers collectively

Review Checklist

Reviewers follow standardized checklists verifying ^[22]:

## Technical Correctness
- [ ] All parameters match Executive Sheet exactly
- [ ] Correct contracts being modified
- [ ] Proper rate/RAY/WAD conversions
- [ ] No unintended side effects

## Security Review
- [ ] No unauthorized permission changes
- [ ] No unexpected contract calls
- [ ] delegatecall usage is correct
- [ ] No storage collisions possible

## Operational Review
- [ ] Office hours appropriate
- [ ] Expiration timestamp reasonable
- [ ] Gas usage within limits
- [ ] No blocklist/allowlist conflicts

Development Workflow Timeline

The spell development process follows a structured timeline aligned with weekly governance cycles ^[22]:

Week 1: Preparation

Day	Activity
Monday-Wednesday	Governance facilitators compile Executive Sheet
Thursday	Executive Sheet finalized with approved changes
Friday	Spell Crafter assignment

Week 2: Development and Review

Day	Activity
Monday	Spell Crafter writes code based on Executive Sheet
Tuesday	Reviewers perform comprehensive review
Wednesday	Crafter addresses feedback, additional review rounds
Thursday (Target Date)	Pre-deployment checks, mainnet deployment

Deployment Process (Step by Step)

Pre-deployment Setup
- Verify all tests pass on fork
- Confirm gas estimates within acceptable range
- Final review of deployment parameters
Mainnet Deployment
- Spell Crafter deploys spell contract
- Record deployment transaction and contract address
- Verify contract on Etherscan
Post-Deployment Verification
- Cast spell on Tenderly fork simulation
- Verify all actions execute correctly
- Confirm no unexpected state changes
Archive and Documentation
- Archive spell in repository
- Update changelog
- Create Pull Request
Final Review and Merge
- Reviewers verify deployed code matches reviewed code
- Confirm Etherscan verification
- Squash and merge PR
Handover to Governance
- Submit spell to governance portal
- Announce availability for voting
- Begin GSM countdown upon hat acquisition

Ecosystem Spell Validation

After deployment, spells undergo Ecosystem Spell Validation—a community verification process ^[44]:

Validation Window

Starts: When spell becomes visible on the Voting Portal
Ends: Before spell's actions become executable (when GSM Pause Delay elapses)

Validation Activities

Community validators perform independent verification:

Download deployed bytecode from Etherscan
Compile spell from source code
Compare bytecode hashes
Review source code for unexpected operations
Simulate execution on local fork
Report any discrepancies

Who Validates

Aligned Delegates (governance participants)
Independent community members
External security researchers
Protocol team members (non-Spell Team)

Test Suite Architecture

Modern spell development relies on comprehensive testing ^[43]:

Test Categories

Category	Purpose	Example
Unit Tests	Individual function correctness	Parameter conversion accuracy
Integration Tests	Full spell execution	Complete spell on mainnet fork
Regression Tests	Prevent known issue recurrence	Flash loan protection verification
Office Hours Tests	Timing restriction verification	Execution window enforcement

Testing Infrastructure

# Run full test suite
forge test --fork-url $ETH_RPC_URL -vvv

# Run specific spell test
forge test --match-contract DssSpellTest --fork-url $ETH_RPC_URL

# Gas profiling
forge test --gas-report

Typical Gas Costs

Executive spells typically consume 3.8 million to 13.3 million gas depending on complexity ^[50]:

Spell Complexity	Gas Range	Example Operations
Simple	3-4M	Single parameter change
Moderate	5-8M	Multiple parameter updates
Complex	8-13M	Collateral onboarding, major upgrades

Security Model

The spell system incorporates multiple security layers designed to prevent malicious governance actions while enabling legitimate protocol evolution. This defense-in-depth approach has been refined through multiple real-world incidents.

GSM Pause Delay

The Governance Security Module (GSM) Pause Delay is the primary defense mechanism against governance attacks ^[6]^[45].

Current Configuration (December 2025)

Parameter	Value
Default Delay	30 hours
Maximum Historical	72 hours
Minimum Historical	4 hours

Security Functions

Review Window: Provides time for token holders to analyze approved changes
Counter-Organization: Allows minority holders to rally support against malicious proposals
Emergency Response: Enables Protego cancellation or Emergency Shutdown trigger
Attack Economics: Requires attackers to maintain governance capture for extended periods

Historical GSM Delay Evolution ^[31]

Date	Delay	Reason	Risk Context
Dec 2019	24h	Initial GSM activation	Baseline security ^[26]
Mar 2020	4h	Black Thursday emergency	Market crisis response ^[31]^[45]
Apr 2020	24h	Post-crisis restoration	Normalized operations
Oct 2020	12h	Pre-flash-loan attack	Operational flexibility
Oct 2020	72h	Post-flash-loan attack	Maximum security ^[28]
2021-2023	48-72h	Normal operations	Security emphasis
Mar 2024	16h	Pre-rebrand flexibility	Transition preparation
Aug 2024	30h	Post-rebrand	Security/flexibility balance
Oct 2024	48h	Token migration	Enhanced protection
Dec 2024	30h	Current	Operational balance

Flash Loan Prevention Architecture

DSChief 1.2 implemented comprehensive flash loan protection ^[27]^[18]:

Cross-Block Requirements

// Voting power only counts if locked in prior block
mapping(address => uint256) public lastLockBlock;

function lock(uint wad) public {
    lastLockBlock[msg.sender] = block.number;
    // ... token transfer
}

function vote(address[] calldata yays) public {
    require(lastLockBlock[msg.sender] < block.number, "locked-same-block");
    // ... record vote
}

Economic Implications

Cannot borrow, vote, and repay within single transaction
Attackers must hold tokens across multiple blocks
Holding costs (opportunity cost, price risk) scale with token value
Makes governance attacks economically expensive rather than free

Emergency Shutdown Protection

The Emergency Shutdown mechanism (ESM) requires 50,000 MKR minimum threshold:

Cannot be triggered with flash loaned tokens
Must be permanently deposited (burned)
Creates significant economic barrier to malicious shutdown

Defense in Depth Layers

The spell system employs multiple redundant security mechanisms ^[21]:

Layer 1: Social Layer

Forum discussions before formal proposals
Community review of governance intentions
Delegate analysis and recommendations
Public deliberation period

Layer 2: Technical Review

Spell Team crafting and review
Cross-organization verification
pe-checklist compliance
Automated test suite

Layer 3: Ecosystem Validation

Community bytecode verification
Independent security researcher review
Aligned Delegate validation
Fork simulation testing

Layer 4: Time Lock (GSM)

30-48 hour delay before execution
Continuous monitoring for anomalies
Window for cancellation or Emergency Shutdown

Layer 5: Emergency Response

Protego cancellation capability
Pre-deployed standby spells
MOM contract immediate actions
Emergency Shutdown nuclear option

Audit and Verification Infrastructure

Professional Security Audits

Sky Protocol maintains relationships with leading security firms ^[40]^[41]:

Firm	Focus Areas	Notable Reviews
ChainSecurity	Core protocol, spell patterns	MCD launch audit
Trail of Bits	Governance module, DSChief	Chief 1.2 upgrade
Runtime Verification	Formal verification	K Framework analysis

Bug Bounty Program

The Immunefi bug bounty provides economic incentives for responsible disclosure ^[42]:

Severity	Maximum Bounty	Scope
Critical	$10,000,000	Protocol-threatening vulnerabilities
High	$1,000,000	Significant fund risk
Medium	$100,000	Limited impact bugs
Low	$10,000	Minor issues

Formal Verification

Critical protocol components undergo formal verification:

Mathematical proofs of correctness
Invariant checking across state transitions
K Framework symbolic execution
Act specification language

Spell Validation Checklist

Validators perform extensive checks before approving spells ^[44]:

Bytecode Verification

# Verify deployed bytecode matches source
forge verify-contract $SPELL_ADDRESS \
  --chain mainnet \
  --compiler-version $SOLC_VERSION \
  --constructor-args $ENCODED_ARGS

Source Code Analysis

All imports from trusted sources
No unexpected external calls
Parameter values match governance decisions
No storage manipulation outside delegatecall context
Compiler version and optimizations match documented configuration

Simulation Testing

# Execute spell on mainnet fork
cast send $SPELL_ADDRESS "cast()" \
  --rpc-url $FORK_RPC \
  --from $SIMULATOR_ADDRESS

Emergency Response Playbook

When incidents occur, the protocol follows established response procedures ^[13]^[21]:

Severity Classification

Level	Definition	Response Time
Critical	Protocol solvency at risk	Immediate (minutes)
High	Significant fund exposure	Hours
Medium	Limited impact, no immediate risk	Days
Low	Minor issues	Standard cycle

Response Options by Severity

Critical Response:

Trigger Emergency Shutdown (if warranted)
Execute pre-deployed standby spells
Use MOM contracts for immediate actions
Activate Protego to cancel pending threats

High Response:

Draft out-of-schedule emergency spell
Coordinate expedited review
Deploy and seek governance approval
Monitor during GSM delay

Medium/Low Response:

Include fix in next regular executive
Standard review process
Normal GSM delay execution

Historical Incidents and Lessons

The spell system has been tested through multiple real-world incidents, each contributing lessons that shaped current security architecture.

Black Thursday (March 12, 2020)

Event Summary

A global market crash triggered cascading liquidations when ETH price dropped over 50% in 24 hours ^[37]^[38]:

$8.32 million in ETH collateral liquidated for $0 DAI
Network congestion prevented keeper bots from bidding
Some liquidators won auctions as sole participants
Protocol absorbed ~$6.65 million in bad debt

Spell System Implications

GSM Delay Conflict: 24-hour delay prevented rapid parameter adjustment
Emergency Authority Gap: No mechanism for immediate collateral freezing
Coordination Challenge: Global event during off-hours complicated response

Changes Implemented

Change	Purpose
GSM reduced to 4h temporarily	Enable faster crisis response
Liquidations 2.0 development	Prevent zero-bid auctions
Circuit breakers designed	Automatic protection triggers
Standby spell framework	Pre-authorized emergency actions

Flash Loan Governance Attack (October 26, 2020)

Event Summary

B.Protocol demonstrated governance manipulation using flash loans ^[34]^[35]^[36]:

Borrowed ~$20M via flash loans (dYdX + Aave)
Acquired ~~13,000 MKR (~~$7M)
Voted on oracle whitelisting proposal
Immediately repaid loan
Total cost: ~$1,000 in gas

Technical Analysis

The attack exploited DSChief 1.0/1.1's same-block voting:

Block N:
  1. Borrow 50,000 ETH via flash loan
  2. Swap ETH → MKR on Uniswap
  3. Deposit MKR in Chief
  4. Vote on target proposal
  5. Withdraw MKR from Chief
  6. Swap MKR → ETH on Uniswap
  7. Repay flash loan

Changes Implemented

Change	Purpose
DSChief 1.2 deployment	Cross-block voting requirement
GSM increased to 72h	Extended review window
Module deauthorization	Remove instant-action modules
Flash loan monitoring	Track suspicious token movements

WBTC Parameter Bug (March 2021)

Event Summary

A spell for WBTC-B parameters contained incorrect values that could have destabilized collateral ratios ^[39]:

Bug caught during review process
Spell was not executed
No funds at risk due to detection

Changes Implemented

Change	Purpose
Enhanced test coverage	Catch parameter errors automatically
Additional review checklist items	More thorough validation
Parameter range validation	Sanity checks on values

March 2023 Governance Crisis

Event Summary

Competing governance factions created conflicting spells, fragmenting community attention ^[33]:

Multiple active proposals with conflicting goals
Concerns about governance capture
Community coordination challenges

Changes Implemented

Change	Purpose
Atlas governance framework	Clearer decision procedures
Spell team neutrality requirements	Remove political influence
Protego formalization	Clear cancellation authority
Improved delegate communications	Better coordination

Summary: Lessons Integrated

Each incident contributed specific improvements to the current system:

Incident	Key Lesson	System Change
Black Thursday	Need for faster emergency response	Standby spells, MOM contracts
Flash Loan Attack	Same-block voting is vulnerable	DSChief 1.2 cross-block requirements
WBTC Bug	Review process catches errors	Enhanced testing, checklists
2023 Crisis	Governance needs clear procedures	Atlas framework, Protego

Criticism and Controversies

The spell system, while battle-tested, faces legitimate criticisms and ongoing debates within the community.

Centralization Concerns

The Critique

The reliance on a small roster of specialized teams (Sidestream and Dewiz) for spell crafting creates potential centralization risks ^[3]:

Limited teams create single points of failure
Specialized knowledge concentrates power
New teams face high barriers to entry
Geographic and jurisdictional concentration

Counter-Arguments

Rotation requirements distribute knowledge over time
Cross-team review prevents unilateral action
Open-source code enables external verification
Bug bounty incentivizes independent security research

Protocol Mitigations

Mitigation	Purpose
Mandatory rotation	No consecutive crafting by same person
Cross-organization review	At least one reviewer from different team
Public code repositories	Community can verify all changes
Ecosystem validation window	Anyone can analyze before execution

Complexity and Accessibility

The Critique

Spell development requires deep Solidity expertise and protocol knowledge, making meaningful community validation difficult:

Most token holders cannot independently verify spell correctness
Technical barrier creates reliance on professional reviewers
Complex interactions may hide subtle bugs or backdoors
Verification tools require developer expertise

Counter-Arguments

dss-exec-lib abstracts complexity for common operations
Comprehensive documentation available
Test suites provide automated verification
Multiple independent review layers

Ongoing Improvements

Initiative	Goal
Improved spell templates	Lower barrier for new developers
Enhanced documentation	Better accessibility
Visual simulation tools	Non-technical verification
Simplified validation guides	Community participation

GSM Delay Trade-offs

The Critique

The 30-48 hour GSM delay represents a fundamental trade-off between security and operational flexibility ^[45]:

Extended delays slow legitimate emergency responses
Market conditions can change rapidly during delay periods
Competitors without delays can move faster
Some time-sensitive opportunities may be missed

Counter-Arguments

Standby spells provide instant emergency response
Security breaches could cost far more than delayed operations
Predictable execution timing aids planning
Delay has prevented multiple attack attempts

Community Position

The current 30-hour delay represents community consensus balancing:

Sufficient time for review and response
Not so long as to impair operations
Adjustable through governance if needed
Supplemented by emergency mechanisms

Governance Attack Surface

The Critique

Despite improvements, the spell system retains theoretical attack vectors:

Wealthy actors could still acquire temporary voting control
Cross-block requirements add friction but don't eliminate risk
Social engineering could compromise Spell Teams
Validator fatigue might reduce scrutiny quality

Counter-Arguments

Attack costs now scale properly with token value
Multi-layer defense provides redundancy
Professional teams have accountability
Incident response capabilities exist

Risk Assessment

Attack Vector	Mitigation	Residual Risk
Flash loans	Cross-block requirement	Low
Token accumulation	GSM delay + Protego	Medium
Spell team compromise	Cross-org review	Low
Validator fatigue	Multiple review layers	Medium

Historical Vulnerabilities

The Critique

Past incidents (flash loan attack, Black Thursday) demonstrated that sophisticated actors could exploit governance mechanisms ^[34]^[37]:

Attacks were preventable with better design
Reactive security rather than proactive
Learning came at cost of actual incidents

Counter-Arguments

Each incident strengthened the system
Current architecture addresses known vectors
Bug bounty incentivizes pre-emptive discovery
No system is perfect; resilience matters

Current State and Metrics

As of December 2025, the spell system operates with mature infrastructure and established processes.

Operational Parameters

Parameter	Value
GSM Pause Delay	30-48 hours (varies by security posture)
Office Hours	14:00-21:00 UTC, Monday-Friday
Proposal Expiration	30 days
Spell Teams	Sidestream, Dewiz
Governance Token	SKY (1 MKR = 24,000 SKY)
Execution Cadence	Weekly (Thursdays typical)

Voting Statistics

Based on recent governance activity ^[50]:

Metric	Value
Active Voting Addresses	~846 unique voters
Top 3 Holder Concentration	~78% of voting power
Average Spell Approval	Varies by proposal type
Typical Gas Cost	3.8M - 13.3M gas

Infrastructure Repositories

Active repositories supporting spell operations ^[19]^[20]^[21]^[23]:

Repository	Purpose	URL
`spells-mainnet`	Weekly executive spells	github.com/makerdao/spells-mainnet
`dss-exec-lib`	Spellcrafting library	github.com/makerdao/dss-exec-lib
`dss-emergency-spells`	Pre-deployed emergency spells	github.com/makerdao/dss-emergency-spells
`chief-keeper`	Automated hat lifting	github.com/makerdao/chief-keeper
`pe-checklists`	Development workflows	github.com/sky-ecosystem/pe-checklists
`dss-darkspell`	Dark spell patterns	github.com/makerdao/dss-darkspell

Contract Addresses

Contract	Address	Explorer
DSChief 1.2	`0x9ef05f7f6deb616fd37ac3c959a2ddd25a54e4f5`	Etherscan
dss-exec-lib	`0x8de6ddbcd5053d32292aaa0d2105a32d108484a6`	Etherscan
Protego	`0x5C9c3cb0490938c9234ABddeD37a191576ED8624`	Etherscan

Governance Portal

Executive spells are accessible through vote.sky.money/executive ^[46], providing:

Current active proposals with voting status
Historical spell archive (searchable)
Voting interface for SKY holders
Execution status tracking
Spell source code links
GSM countdown timers

Sky Governance Voting - The continuous approval voting system that determines which spells become the "hat"
Sky Protocol - The foundational protocol that spells modify and govern
SKY Token - The governance token used to vote on spell execution
Sky Staking - The LockStake Engine that enables governance participation
Sky Stars - Prime Agents whose operations are governed through Prime Spells
Emergency Shutdown - The nuclear option backstop for critical failures

Glossary

Term	Definition
Cast	The action of executing a spell after GSM delay elapses
Chief	The DSChief voting contract that manages proposal approvals
Dark Spell	A spell whose code is hidden until after voting (for security fixes)
Delegatecall	EVM operation that executes code in caller's context
DSChief	Voting contract implementing continuous approval voting
dss-exec-lib	Library providing standardized spell functions
Emergency Shutdown	Protocol-wide shutdown mechanism (nuclear option)
GSM	Governance Security Module - the time delay mechanism
Hat	The spell with highest approval, authorized to schedule actions
Lift	Action of promoting a spell to hat status
MOM Contract	Emergency bypass contract for specific actions
Office Hours	Time restriction on spell execution (14:00-21:00 UTC)
Pause	Contract that queues and delays spell execution
Prime Spell	Spell executing Sky Star (SubDAO) governance actions
Protego	Contract for canceling pending spells
Spell Crafter	Developer responsible for writing spell code
Spell Reviewer	Developer responsible for verifying spell correctness
Spell Team	Group of Crafter + Reviewers for each executive
Standby Spell	Pre-deployed reusable emergency spell
StarGuard	Isolated execution environment for Star operations

Data Freshness

This article was generated on December 9, 2025 using sources accessed on that date.

Permanent Information (unchanged unless governance votes modify):

Spell architecture and execution flow
DSChief contract mechanics
dss-exec-lib function signatures
Security model principles
Historical incident details

Semi-Static Information (updated periodically):

GSM delay duration (currently 30-48h)
Spell Team roster (Sidestream, Dewiz)
Contract addresses
Operational procedures

Dynamic Information (changes frequently):

Current active proposals
Voting statistics
Recent spell execution details
Gas costs

For current information, consult:

Introduction

History and Evolution

Origins and the DappHub Foundation (2017-2018)

The Governance Security Module Activation (December 2019)

Black Thursday and Emergency Governance (March 2020)

The Flash Loan Governance Attack (October 2020)

The Dark Spell Mechanism (MIP15)

WBTC Spells Bug Incident (March 2021)

March 2023 Governance Crisis

Transition to Sky Protocol (2024-2025)

Technical Architecture

Governance Module Overview

DSChief: The Voting Contract

Pause Contract: The GSM Delay Mechanism

DS-Spell Contract Structure

dss-exec-lib: The Spell Crafting Library

DssAction Base Contract

Office Hours Restriction

Chief Keeper: Automated Hat Management

Contract Addresses (Mainnet)

Spell Types

Regular Executive Spells

Out-of-Schedule Spells

Emergency Spells

Standby Spells

Protego: The Cancellation System

Dark Spells (MIP15 Legacy)

Prime Spells

Spellcrafting Process

Spell Team Structure

Spell Crafter Responsibilities

Spell Reviewer Responsibilities

Development Workflow Timeline

Ecosystem Spell Validation

Test Suite Architecture

Security Model

GSM Pause Delay

Flash Loan Prevention Architecture

Defense in Depth Layers

Audit and Verification Infrastructure

Spell Validation Checklist

Emergency Response Playbook

Historical Incidents and Lessons

Black Thursday (March 12, 2020)

Flash Loan Governance Attack (October 26, 2020)

WBTC Parameter Bug (March 2021)

March 2023 Governance Crisis

Summary: Lessons Integrated

Criticism and Controversies

Centralization Concerns

Complexity and Accessibility

GSM Delay Trade-offs

Governance Attack Surface

Historical Vulnerabilities

Current State and Metrics

Operational Parameters

Voting Statistics

Infrastructure Repositories

Contract Addresses

Governance Portal

Related Topics

Glossary

Data Freshness

Sources