Sky's audits consistently return zero findings. When they don't, CTO Deniz Yilmaz investigates why the internal review process failed—not just the bugs. This approach maintains security across USDS, the third-largest stablecoin globally, through six-month engineer onboarding requirements, bi-weekly governance votes with execution delays, and mandatory OPSEC certification before engineers can sign multisig transactions.

ABOUT DENIZ YILMAZ
Deniz leads all technical teams at Sky Frontier Foundation (formerly MakerDAO), managing USDS—the world's largest decentralized stablecoin and third-largest stablecoin overall. Sky maintains an unbroken security record across years of operation as one of DeFi's oldest protocols. Deniz joined MakerDAO in 2021 as a Product Manager focused on governance tooling and grew into the CTO role through multiple organizational restructuring cycles. He studied engineering management and entered crypto through Amsterdam's meetup community in 2017, working first in enterprise blockchain consulting before joining DeFi during 2020's DeFi Summer. He now coordinates security frameworks across autonomous subdaos and oversees the spellcrafting governance process.
CHAPTERS
00:00 Intro — Deniz Yilmaz, CTO at Sky
00:59 Deniz's path from enterprise blockchain to DeFi
05:06 Why MakerDAO rebranded to Sky and USDS
07:18 Learning that full DAO decentralization doesn't work
10:38 Current role as CTO: bridging strategy and technical execution
12:28 Sky protocol overview: subdaos, stars, and credit lines
19:19 Security principles and why decentralization matters
24:55 Security practices that deliver zero-finding audits
30:19 Game theory approach: considering internal actor exploitation
32:34 Scaling security culture across growing teams
34:52 Spellcrafting governance: bi-weekly votes and execution delays
39:24 What makes Sky's security practices different
41:07 The "Daianese" naming convention and protocol context
43:49 Hiring practices and security culture building
46:29 Protocol security workstream and OPSEC training
48:57 OPSEC requirements and multisig signer certification
51:48 Scaling security across subdaos (Spark, Grove)
54:09 Balancing security requirements with business needs
56:41 Maintaining standards across autonomous subdaos
58:52 LLM-based auditing tools and early results
1:02:13 Will AI replace human auditors?
1:04:35 Getting on Sky's radar as a security researcher
1:06:08 Contrarian view: not all audits provide real security
1:07:11 Optimism about stablecoin adoption and Sky's future

RESOURCES MENTIONED
Sky Protocol: https://sky.money
Sherlock Protocol (auditing partner): https://sherlock.xyz
Spark (EVM DeFi specialist subdao)
Grove (RWA/TradFi specialist subdao)
Atlas - Sky's system dataset for governance processes
Spellcrafting - Bi-weekly on-chain governance system
External OPSEC training companies for multisig certification

SUBSCRIBE for more conversations with CTOs and security leaders building secure, decentralized infrastructure for Web3.

ABOUT WEB3 SECURITY PODCAST
Exploring the discipline of Web3 security through conversations with those leading security at major crypto and blockchain companies.
Features discussions on security philosophies, strategies, vendor evaluation, and lessons learned. #Web3Security #SmartContractSecurity #DeFi #Stablecoins #BlockchainSecurity #CTO #SecurityAudits #DAOGovernance #Decentralization