In-depth analysis of Spark security framework: How do six layers of protection safeguard your on-chain assets?

大钳子
大钳子

Spark weathered the rsETH crisis with a robust risk framework, attracting $1.3B in deposits. Key features:

  • Spark Savings: Six layers of loss protection (junior capital, srUSDS, surplus buffer, etc.), USDS backing at 1:1, >$400M instant liquidity.
  • SparkLend: Limited collateral (ETH e-mode only), triple-oracle median pricing, pegged asset circuit breakers, rate limits, programmatic liquidity injection.
  • Isolated Markets: Via Morpho for unique risk collateral, prioritized advanced oracle systems.
  • Spark Liquidity Layer: Non-custodial capital allocator with pre-approved venues and rate limits, preventing rapid drain.
  • Bridges: SkyLink uses 4/7 DVN; Spark bridge upgrading to match. Planned improvements: continuous collateral reviews, adaptive oracle design, risk parameter delegation, AI event detection.
Summary

Author: Sam MacPherson , Co-founder and CEO of Phoenix Lab & Spark

Translation: Big Pliers, PANews

PANews Editor's Note: Recently, the massive flight of billions of dollars triggered by the rsETH cross-chain vulnerability severely impacted Aave, while Spark, which withstood pressure and decisively delisted rsETH three months in advance, defied the trend and attracted $1.3 billion, becoming a "safe haven" for whales across the internet. Why was Spark able to remain steadfast during this extreme crisis? In this article, Sam MacPherson, co-founder of Spark and Phoenix Labs, reveals the platform's robust risk control system: including a unique six-layer funding safety net, strict deposit and loan limits (to prevent bank runs), multiple pricing oracles, and a high-risk asset isolation mechanism. The original article is below:

Spark has been rapidly iterating and evolving, continuously adding security features incrementally. We believe now is a good time to publish a comprehensive overview of Spark's risk management capabilities.

Spark Savings

Spark Savings is a non-custodial savings vault that allows users to deposit stablecoins (such as USDT, USDC, USDS, etc.) to earn on-chain rewards.

Asset endorsement

All Spark Savings deposits denominated in USD are backed 1:1 by USDS. Spark Savings and USDS have equal priority, and Sky's full financial strength backs every deposit.

First loss capital

USDS (and Spark Savings) have multiple layers of loss protection mechanisms at the Prime level.

Tier 1 – Internal Primary Risk Capital (Prime Tier): Primary risk capital is the first capital to bear investment losses under the allocation system. Each Prime is responsible for holding primary capital in the treasury according to its risk-weighted allocation ratio, serving as the first line of defense in the event of allocation losses. Spark is well-capitalized, holding over $35 million in stablecoin equity capital.

Tier 2 – Prime External Primary Risk Capital: Prime can obtain additional primary risk capital from other Primes. This risk capital has the same priority as Prime's internal primary risk capital and is used to cover losses related to Prime allocation and risk exposure.

The third tier – External Senior Venture Capital (srUSDS): This feature is planned for deployment soon. External Senior Venture Capital is provided by the srUSDS smart contract, allowing users to supply USDS to Sky Core to act as senior venture capital, only assuming losses after all primary venture capital has been lost.

Fourth Tier – Surplus Buffer (Internal Senior Venture Capital): Sky Protocol Buffer – also known as “Surplus Buffer” – is the protocol’s accumulated stability fees and liquidation penalties used to cover bad debts in the event of residual losses.

Fifth Layer – Comprehensive Surplus Buffer: When the surplus buffer is depleted, losses will be covered by Sky’s comprehensive surplus buffer, allowing Sky to utilize the corresponding portion of other Prime internal primary venture capital injected by Sky to address major loss events.

Sixth layer – Token backing: If losses exceed the aforementioned sources of venture capital, Sky will mint SKY tokens to re-fund the protocol and cover any remaining bad debts.

Fair loss socialization: Any residual losses will be equally distributed among all USDS holders, including Spark Savings stablecoin vaults (which are fully backed by USDS), only when all other primary sources of risk capital and token backing have been exhausted.

The Sky ecosystem's multi-layered capital safety net provides Spark Savings vault users with a high degree of protection against losses. In summary, Spark Savings vaults are protected against losses and risk events worth hundreds of millions of dollars.

Liquidity

Spark Savings vaults maintain industry-leading levels of instant liquidity, suitable for institutional use cases. The Spark Savings USDT vault maintains an instant liquidity buffer of over 400 million USDT available for redemption; while the Spark Savings USDC vault, through integration with Sky PSM, has redemption capacity of billions of dollars.

The savings vault contract maintains a liquidity buffer of up to $10 million, meeting daily withdrawal needs through atomic redemptions. For large withdrawals, Spark provides an asynchronous liquidity intent mechanism, allowing users to sign withdrawal requests of any amount, which are then quickly completed through the Spark liquidity layer; in most cases, large withdrawal requests can be fulfilled within 1 minute (5 Ethereum blocks).

Transparency and Third-Party Ratings

Spark Savings Vault maintains industry-leading transparency in its endorsed assets and related allocation strategies. Real-time data on Spark and Sky endorsements is available through multiple open resources, including:

  • Spark Data Dashboard: data.spark.fi
  • Sky Information Dashboard: info.skyeco.com
  • Spark application: app.spark.fi

In addition, Spark has received a rating for its Spark Savings product from Credora, a leading independent crypto-native risk rating agency. The rating is available via a link in the Spark App, and the full report can be found on the Credora website.

Event Response

In the event of a potential loss that could impact Spark Savings vaults, Spark can put the vaults into recovery mode to mitigate risk. Temporarily suspending withdrawals ensures that all users are treated equally and prevents a run on the vaults.

Future improvements

We are developing more improvements to further enhance the security of Spark Savings vaults, including:

  • Add additional primary risk capital coverage at the Sky tier.
  • Redundant withdrawal capacity
  • Ratings and reviews from leading traditional financial risk experts in the industry

First-loss capital: Spark and Sky are implementing a first-loss capital treasury (i.e., the third layer in the capital stack mentioned above), allowing users to earn higher returns by using funds to cover potential losses to the protocol. This will significantly increase the size of dedicated first-loss capital, thus better protecting Spark Savings treasury depositors.

Withdrawals: Spark will enable permissionless withdrawals, ensuring that savers can always access their deposits immediately, even when Spark infrastructure is unavailable in extreme circumstances.

Rating: We are actively collaborating with leading institutions in the traditional financial sector to obtain more institutional-grade risk assessments and credit ratings, further ensuring that Spark Savings vaults meet the highest standards in terms of security and risk management for our users.

SparkLend

SparkLend is Spark's permissionless money market. Compared to similar products, it has always operated in a conservative manner, with strictly limited collateral, multi-oracle pricing, strict rate limits, and a first-loss capital mechanism. The rsETH incident reminds us that these pillars are not isolated; they are designed to work in tandem to ensure that the failure of any single component (oracle, issuer, liquidator, market liquidity) does not trigger a cascading effect of bad debts.

Current risk architecture

Strictly defined scope of collateral

SparkLend intends to keep the number of listed assets to a limited range. ETH e-mode is limited to wstETH and rETH. BTC e-mode is being completely removed: the deprecation announcement has been publicly released on the Sky forum and is tentatively scheduled for execution during the governance operation on June 4th, with remaining positions to be forcibly liquidated on June 8th. The risk exposure in the affected pools is already small (approximately $1.6 million from one major borrower, plus a few smaller positions), and this removal is being carried out through a pre-announced timeline, rather than an immediate adjustment of parameters.

Minimize restaking

Collateral provided to the SparkLend reserve pool will remain within the reserve pool and will not be redeployed to external policies.

Rate Limiting

SparkLend implements rate limits at the smart contract level for all cross-module fund inflows and outflows: deposits, withdrawals, cross-chain bridging, and PSM exchanges each have their own rate limits. Furthermore, Spark's configuration system enforces debt caps and minimum/maximum inventory range constraints for each market. A single depositor or a single adverse event cannot deplete the protocol's funds within a single block; rate limits constrain the maximum risk capital for each path per unit of time.

Median of three oracles

Pricing is achieved through median aggregation from three oracles: RedStone, Chainlink, and Chronicle. The median is used when all three oracles return valid and non-expired data; the average is used when two oracles return valid data. A fallback mechanism based on a single data source is also included. This ensures that an attack or failure of a single oracle will not affect SparkLend's pricing.

Asset-linked circuit breaker oracle

For collateral priced at hard-coded prices or exchange rates (wstETH, rETH, weETH, cbBTC, WBTC, LBTC), the pegged ratio oracle continuously compares the asset's market price with its underlying asset price. When the discrepancy exceeds a threshold set for each asset, the circuit breaker mechanism will suspend new borrowing on SparkLend to prevent users from submitting damaged collateral at outdated "face value" prices and seizing healthy debt.

Programmatic liquidity injection

SparkLend's liquidity buffer is not static. The Spark Liquidity Layer (SLL) automatically injects or withdraws USDS, USDC, and USDT from SparkLend based on target borrowing rates, capital utilization, and available inventory in other venues. When SparkLend's capital utilization is high, SLL replenishes idle liquidity to support smooth withdrawals and settlements; if other venues offer better risk-adjusted returns, idle capital is rotated there. This is precisely the significance of Spark as the largest depositor in its own market: liquidity responds to demand, rather than simply relying on utilization rates for allocation.

Planned improvements

Continuous Collateral Risk Review

We are currently conducting a comprehensive review of all collateral assets in SparkLend, covering not only the individual risk profile of each asset but also its dependencies (issuers, custodians, oracle data sources, secondary liquidity, and redemption pathways). This process will transition to a continuous review framework to ensure that collateral risk is constantly monitored and updated as market conditions change.

Oracle improvements

A more progressive oracle design is currently under development: under normal circumstances, it defaults to hard-coded prices or exchange rates, only switching to market pricing when persistent discrepancies are observed. The goal is to retain existing protections against flash crashes and abnormal oracle volatility while giving the protocol a faster, more automated response to genuine structural decoupling events, enabling orderly liquidation rather than allowing bad debts to accumulate behind outdated prices. This design aims to complement, rather than replace, the existing circuit breaker mechanism: the oracle automatically handles persistent market misalignments, while the circuit breaker acts as a last resort in the event of catastrophic failures.

Market parameter updates are being accelerated.

Currently, most parameter changes in SparkLend require a full governance process, which introduces delays of several days. This is acceptable for routine adjustments, but too slow for tail-risk events. Efforts are underway to delegate a limited range of risk parameters to risk administrators, enabling actions such as tightening LTV, lowering supply caps, or adjusting interest rate models to be executed within hours, while final decision-making power remains with Spark and Sky governance.

Spark Isolated Market

Pooled lending markets offer a better user experience, but they also have limitations. Spark also provides an isolated market for collateral with unique risk characteristics through Morpho.

Segregated lending allows you to price risk more effectively and remove collateral that no longer provides a good risk-adjusted return.

In addition to risk management tools, Spark will also isolate the market for all non-Ethereum on-chain lending businesses, enabling Spark to connect to exchanges and fintech integrations without having to deploy or maintain its own infrastructure.

improve

  • Spark will prioritize markets with advanced oracle systems to ensure resilience against the failure of any single data source.
  • Spark will add interface support to the Spark App, allowing users to participate in lending on other blockchains directly through the Spark App.

Spark Liquidity Layer (SLL)

Spark Liquidity Layer (SLL) serves as Spark's non-custodial capital allocator, operating across DeFi/CeFi and traditional financial opportunities. It has been running stably since November 2024 without any failures.

The core design of SLLs is to ensure that capital flows are constrained, predictable, and bounded under all conditions—including periods of market stress.

The key security feature of Spark LLP is that Spark governance must be pre-configured with approved venues and subject to strict rate limits. Automated wallets can only transfer funds between these pre-approved venues, within the prescribed rate limits.

These constraints ensure that capital is not rapidly depleted from any single location, and that allocation changes are made gradually rather than reactively under stress. This directly addresses a core failure pattern observed in recent market events: unrestrained capital flows lead to rapid liquidity depletion and trigger cascading stress across markets.

SLL's threat model assumes that even if automated wallets are completely compromised, the protocol will not face any substantial risk. Even under this assumption, capital is still confined to predefined locations and rate limits, ensuring that no single component can introduce unlimited risk into the system.

improve

This approach goes beyond the design level and extends to proactive risk management and configuration decisions:

  • Spark has abandoned many markets as part of a broader risk reduction initiative and will continue to be proactive in integrating yield opportunities.
  • Spark will remove support for all Aave markets from the SLL whitelist. While all Aave funds were withdrawn shortly after the rsETH incident, the ability to deposit them back will also be deprecated.
  • Introduce AI-driven automation capabilities to detect a wider range of DeFi events and take appropriate action.

Cross-chain bridge

There are currently two operational cross-chain bridges in the Sky/Spark ecosystem.

SkyLink: Sky's official governance and token bridge

SkyLink is responsible for bridging Sky governance and cross-chain USDS. The governance configuration is 4/7 DVN, providing high decentralization and redundancy; the token bridge requires 2/2 DVN.

SkyLink has been deployed on Solana and Avalanche.

SkyLink has recently completed its deployment with a robust configuration and is currently deploying additional defenses to protect against increasingly sophisticated nation-state attackers.

Improvement: In collaboration with LayerZero, the number of DVNs on the token bridge is expected to increase from 2/2.

Spark governance bridge (Avalanche)

Spark operates its own LayerZero governance bridge to support Spark Savings USDC on Avalanche. The bridge is currently configured 2/2 and is planned for upgrade in the coming weeks to match SkyLink's 4/7 configuration.

The bridge does not involve any associated token bridges and the capital at risk is extremely limited (approximately US$2 million).

Share to:

Author: 大钳子

Opinions belong to the column author and do not represent PANews.

This content is not investment advice.

Image source: 大钳子. If there is any infringement, please contact the author for removal.

Follow PANews official accounts, navigate bull and bear markets together
Telegram Discussion Group
Telegram News Channel
@PANews
Recommended Reading
大钳子

大钳子

CZ Binance Square AMA Q&A Transcript: Entrepreneurship, Direction, Bear Market Investing, and Opportunities for Ordinary People
大钳子

大钳子1 authors

Understanding CZ: The Years Before Binance's Birth and the 72 Principles That Shaped Him
大钳子

大钳子

Token graveyard: 99.99% of crypto tokens will eventually go to zero.
大钳子

大钳子

Delphi Labs Founder's Observations and Reflections on Two Weeks in China's AI Ecosystem
大钳子

大钳子1 authors

A rare two-block reorganization occurred on the Bitcoin network, with Foundry USA mining seven blocks in a row, effectively ending the competition!
大钳子

大钳子

How will this Middle East war reshape your assets in 12 months?

Popular Articles

Industry News
Market Trends
Curated Readings
Subscribe
PANews App
24/7 blockchain news tracking and in-depth analysis.
Download PANews App
App StoreGoogle Play
PANews APP
The US spot Bitcoin ETF absorbed 19,000 BTC in five days, nine times the amount of new supply mined during the same period.
PANews Newsflash