In-depth breakdown of Spark ecosystem's multi-layered security and risk control system.
Written by Sam MacPherson, co-founder of Phoenix Labs, a leading contributor to Spark
Compiled by: Luffy, Foresight News
Spark has been growing rapidly, continuously adding new security features. We believe it’s time to release a comprehensive overview of Spark’s risk management capabilities.
Spark Savings
Spark Savings is a set of non-custodial savings vaults that allow users to deposit stablecoins such as USDT, USDC, and USDS to earn on-chain yields.
All USD deposits in Spark Savings are 1:1 backed by USDS. Spark Savings has equal priority with USDS, and each deposit is secured by Sky’s entire financial reserve.
Multi-layer loss buffer mechanism
USDS and Spark Savings products have established a six-level risk protection system to progressively mitigate asset loss risk:
Layer one: Internal subordinated risk capital (base layer). Subordinated risk capital is the first buffer in the funding allocation system designed to absorb investment losses. Each core business unit must reserve subordinated capital in the treasury based on its risk-weighted position exposure, serving as the first line of defense against losses. Currently, Spark’s capital reserves are sufficient, with stablecoin equity capital exceeding $35 million.
Layer 2: External Subordinated Risk Capital. Each business unit may borrow additional subordinated risk capital across entities, with the same repayment priority as internal subordinated capital, jointly covering losses arising from allocated assets and risk exposures.
Layer 3: External Senior Risk Capital (srUSDS, coming soon). Users can inject USDS into the Sky Core Protocol as senior risk capital via the srUSDS smart contract. This capital absorbs losses only after all junior capital has been exhausted.
Layer 4: Surplus Reserve Pool (internal senior risk capital). The Sky Protocol Surplus Reserve Pool, composed of accumulated protocol fees and liquidation penalties over time, is used to absorb losses after junior capital has been exhausted.
Layer 5: Global Surplus Reserve Pool. If a single reserve pool is depleted, the protocol will draw from the Sky Global Surplus Reserve to allocate native subordinated reserve funds from other business units within the ecosystem to address extreme loss events.
Layer 6: Token Backstop Mechanism. When all above-risk capital is exhausted, Sky will mint SKY tokens to replenish the protocol’s capital and cover remaining bad debts.
When all secondary risk capital and token backstop mechanisms are exhausted, all USDS holders (including Spark Savings vaults with full USDS backing) will proportionally share the remaining losses.
The multi-layered capital backstop architecture of the Sky ecosystem significantly reduces the likelihood of losses for Spark Savings users. Aggregating all protective funds, the Spark Savings product boasts risk mitigation reserves in the hundreds of millions of dollars.
Liquidity assurance
Spark Savings vaults feature industry-leading instant liquidity to meet institutional-grade deposit and withdrawal demands. The Spark Savings USDT vault maintains an instant redemption buffer of 400 million USDT; the USDC vault leverages the Sky stablecoin exchange module to handle redemption demands in the billions of dollars.
The savings vault contract maintains a multi-million-dollar-level small-scale liquidity reserve to support on-chain instant redemptions. For large withdrawals, the platform employs an asynchronous liquidity intent mechanism: users can submit redemption requests for any amount without restrictions, and rapid settlement is facilitated through the Spark liquidity middleware, with most large withdrawals completed within one minute.
Transparency and Third-Party Ratings
Spark Savings fully discloses its underlying assets and allocation strategies; real-time data can be queried through official channels: Spark Data Dashboard, Sky Ecosystem Data Dashboard, and the official Spark client.
Meanwhile, Spark has received a dedicated rating from Credora, a leading independent risk assessment agency in the crypto space. The report is now available in the client app, and the full content can be accessed on Credora’s official website here.
Emergency Response
If the savings vault encounters potential risks, Spark can activate recovery mode and temporarily suspend withdrawals to ensure equal protection of all users' rights and prevent bank runs.
Future upgrade plans
We are actively developing additional improvements and features to further enhance the security of Spark Savings vaults, including:
Spark and Sky are implementing the first-loss capital vaults mechanism, allowing users to provide loss protection for the protocol by contributing funds in exchange for higher yields. This mechanism will significantly expand the dedicated first-loss capital pool and enhance protection for Spark savings deposit users.
Spark will launch an unrestricted withdrawal feature, ensuring that savings deposit users can withdraw their assets at any time; even in extreme cases where Spark's infrastructure is inaccessible, users' ability to withdraw their assets remains unaffected.
In addition, the team is actively engaging with leading traditional financial institutions to advance more institutional-grade risk assessment and credit rating partnerships, continuously validating that the Spark Savings Vault meets the highest security standards and risk control protocols.
SparkLend
SparkLend is a decentralized money market within the Spark ecosystem. Compared to similar protocols, it has long adopted a conservative operational strategy: strictly limiting the range of collateral assets, employing a multi-oracle pricing mechanism, setting strict interest rate caps, and layering in first-loss capital protection. The rsETH risk event fully demonstrates that these risk control pillars do not operate independently but are interconnected. This design ensures that a failure in any single component—whether the oracle, asset issuer, liquidation system, or market liquidity—will not trigger a chain reaction or generate bad debt.
Current risk control architecture
Restricted collateral asset scope
SparkLend has deliberately streamlined its collateral asset categories. The ETH efficient lending model will now only support wstETH and rETH; the BTC efficient lending model will be fully discontinued. This plan has been publicly announced in the Sky community, with parameter adjustments scheduled for June 4 and mandatory liquidations of existing positions set for June 8. Current risk exposure in this business segment is already low, involving only one core borrower with approximately $1.6 million in outstanding debt and a small number of minor positions. This feature discontinuation will follow the announced timeline rather than implementing abrupt or last-minute parameter changes.
Strictly control duplicate pledging
Collateral assets deposited into the SparkLend reserve pool will remain within the pool and will not be allocated to external strategies for reuse.
Limit mechanism
All cross-module fund transfers in SparkLend are subject to quota limits set at the smart contract level, covering all operations including deposits, withdrawals, cross-chain bridging, and stablecoin exchanges. Building on this, Spark’s fund allocation system imposes separate debt ceilings and inventory range constraints for each lending market. A single depositor or a single extreme risk event cannot drain protocol funds within a single block; quota limits also cap the maximum risk exposure per channel per unit of time.
Triple Oracle Pricing
Asset pricing aggregates data from three oracle sources: RedStone, Chainlink, and Chronicle. When all three sources return valid and non-expired prices, the median price is used; when two sources are valid, the average of the two is taken; a single-source fallback is also supported. This mechanism prevents incorrect asset pricing on SparkLend due to manipulation or failure of any single oracle.
Pegged Asset Circuit Breaker Oracle
For collateral assets with fixed exchange rates or pegged pricing (wstETH, rETH, weETH, cbBTC, WBTC, LBTC), the peg oracle continuously compares the secondary market price of the asset against its underlying benchmark value. If the price deviation exceeds the preset threshold for any individual asset, the circuit breaker will suspend new borrowing on SparkLend to prevent users from collateralizing impaired assets at distorted book values and maliciously extracting high-quality liabilities.
Programmatic liquidity injection
SparkLend’s liquidity buffer is not a static reserve. The Spark liquidity layer automatically allocates USDS, USDC, and USDT in and out of the lending market based on target borrowing rates, utilization levels, and cross-platform inventory balances. When SparkLend utilization rises, the liquidity layer injects idle funds to ensure smooth withdrawals and liquidations; if external markets offer superior risk-adjusted returns, idle capital is systematically reallocated. This is the core logic behind Spark acting as its own lending market’s largest depositor: liquidity dynamically adjusts to demand, rather than relying solely on utilization controls.
Future upgrade directions
Conduct ongoing collateral risk reviews
The team is conducting a comprehensive risk review of all collateral assets on SparkLend, covering individual asset risks, issuer risks, custody mechanisms, oracle data sources, secondary market liquidity, and redemption pathways. This effort will subsequently transition into a routine review mechanism to ensure continuous monitoring and dynamic adjustment of collateral asset risks in response to market changes.
Oracle mechanism upgrade
The team is developing a graded oracle architecture: under normal conditions, fixed pegs or benchmark exchange rates are used by default, and the system automatically switches to market-based pricing only when prices exhibit prolonged and sustained deviations. The upgrade aims to retain existing protections against flash crashes and price spikes, while enabling the protocol to respond more rapidly and automatically to long-term asset depegging risks, ensuring orderly liquidations and preventing the accumulation of bad debt due to delayed price updates. The new mechanism will complement, rather than replace, the existing circuit breaker system: the oracle will handle automatic responses to routine market anomalies, while the circuit breaker remains as the ultimate safety net for extreme failures.
Rapid iteration of market parameters
Currently, most parameter adjustments for SparkLend require completing the full governance voting process, resulting in delays of several days. This model is suitable for routine steady-state adjustments but is ill-suited to respond to black swan events. The team plans to delegate limited-risk control parameter adjustment authority to the risk management administrator role, enabling actions such as lowering collateralization ratios, tightening deposit limits, and adjusting interest rate models to be completed within hours, while final decision-making authority remains with the Spark and Sky governance systems.
Spark Isolated Market
Aggregated lending markets can offer a better user experience, but they have inherent limitations. For collateral assets with unique risk profiles, Spark builds isolated lending markets on top of Morpho.
The isolated lending model enables precise risk pricing and eliminates collateral asset categories with mismatched risk-reward profiles. In addition, all on-chain lending activities not on Ethereum uniformly adopt the isolated market architecture. This model seamlessly integrates with the exchange and financial services ecosystem, eliminating the need for independent deployment and maintenance of underlying infrastructure.
Future upgrade plans
Spark will prioritize developing mature lending markets equipped with multiple oracles and resistance to single points of failure; the client will introduce new access points to enable users to participate directly in lending activities on other blockchains through the Spark app.
Spark Liquidity Layer (SLL)
The Spark liquidity layer serves as a non-custodial capital orchestration hub, coordinating capital allocation across DeFi, CeFi, and traditional finance scenarios, and has been operating stably since its launch on November 2024.
The core design objective of SLL is to ensure that fund flows remain fully controllable, predictable, and bounded under all market conditions, including extreme market scenarios.
The core security feature of SLL is that all cooperating platforms must be pre-approved and added to a whitelist via Spark governance, and all fund operations are strictly limited by predefined amounts. Automated wallets can only transfer funds within the pre-approved whitelist and in accordance with established amount rules.
This constraint mechanism prevents disorderly and rapid withdrawal of funds during periods of market stress, safeguards against the depletion of funds on a single platform, and fundamentally eliminates the transmission of cross-market contagion risks—directly addressing the core weaknesses exposed in recent industry events.
The threat of SLL is that automated wallets could be fully compromised without posing any substantial risk to the protocol. Under this extreme assumption, funds remain confined within predefined cooperative channels and transfer limits, preventing a single module from causing systemic unlimited risk exposure.
Future upgrade plans
This approach extends beyond design to include proactive risk management and resource allocation decisions:
Spark has discontinued multiple high-risk market operations and continues to proactively reduce its asset scope, aligning with the industry's trend of consolidating yield landscapes.
Spark will completely remove Aave's entire market whitelist permissions from SLL. Following the rsETH incident, all related funds have been fully withdrawn, and the secondary deposit channel will be permanently closed.
The team will introduce AI-powered automated risk management tools to monitor risk fluctuations across the entire DeFi ecosystem in real time and automatically execute standardized defensive actions.
Cross-chain bridge
Currently, two cross-chain bridges are operational within the Sky and Spark ecosystems.
SkyLink: Sky's Official Governance and Cross-Chain Bridge
SkyLink connects Sky’s governance mechanism with cross-chain USDS. The governance module employs a 4/7 multi-node verification architecture, offering high decentralization and redundancy protection; the cross-chain asset module uses a 2/2 dual-node verification system. SkyLink has been deployed on the Solana and Avalanche blockchains. The infrastructure is mature and stable, and the team is continuously enhancing defensive measures to counter increasingly sophisticated targeted attacks.
The team will collaborate with LayerZero to expand the scale of cross-chain verification nodes, moving beyond the current 2/2 verification architecture.
Spark Governance Cross-Chain Bridge (Avalanche)
Spark is built on LayerZero’s proprietary governance cross-chain bridge to support Spark Savings USDC on Avalanche. It currently operates under a 2/2 validation model and is planned to undergo an architectural upgrade within the coming weeks to align with SkyLink’s 4/7 multisig validation standard. This cross-chain bridge does not support token transfers, and the exposed capital is minimal, approximately $2 million.