MAINNET (BETA)

spark.fi

Risk score: 4.9 MODERATE (medium)
6 sections, run #1
Findings: 1 critical, 14 high, 15 medium
Last analyzed 15d ago

Summary

Spark is a Sky/Maker ecosystem capital allocator with roughly $4.8B TVL across eight chains, offering SparkLend (Aave v3 fork), Spark Savings vaults, and a $2.1B cross-chain liquidity layer. It has operated since 2023 with no direct fund losses and one of DeFi's stronger audit programs (22+ tier-1 reviews, $5M Immunefi bounty). Primary risks are deep Sky/USDS dependency, 13 unverified contracts (22%) including L2 governance executors, executive control via Sky's SubProxy rather than SPK token voting, and acute SPK token unlock pressure in June 2026. Overall risk is moderate at 4.9/10.

Trust Assumptions

Users trust that Sky governance and the SubProxy (warded by Sky Pause Proxy and StarGuard's 7-day spell window) will act in depositors' interest, that Sky's USDS vault and Savings Rate remain solvent and accessible, that Chainlink and median oracles (Chronicle, RedStone) price collateral accurately, that deployed bytecode matches audited code despite 22% unverified contracts, and that emergency multisigs (SparkLend 3-of-5, ALM 2-of-4) use freeze powers only in genuine incidents.

What Could Go Wrong

A Sky USDS depeg, vault pause, or governance change could block Spark's $2.1B liquidity layer from drawing capital and disrupt Savings yields across all chains. Thirteen unverified contracts—including PoolConfigurator, KillSwitchOracle, and L2 Spark Executors—mean upgrade paths and cross-chain spell execution cannot be independently confirmed; a compromised ward holder could execute immediate SubProxy delegatecalls without an on-chain timelock. Oracle failure on Chainlink feeds (no on-chain fallback configured) or stale SSR data on L2s could misprice collateral and trigger bad liquidations, while an exploit at any ALM-integrated venue (Aave, Ethena, Curve) could drain funds within rate-limit bounds.

Recommendation

Spark is suitable for yield-seeking capital given its clean three-year track record, layered emergency tooling, and strong audit history, but size exposure to your tolerance for Sky ecosystem coupling and governance centralization. Monitor USDS peg health, new SparkLend market listings, unverified contract verification status, and the June 2026 SPK unlock cluster (~770–900M tokens). Reduce exposure if SubProxy ward holders change, critical contracts remain unverified, or ALM deployments expand to unaudited integrations beyond v1.7.0 differential reviews.

Key Findings (30)

critical: 13 Unverified Core Contracts Block Source Auditing [verification]
high: Unverified PoolConfigurator Controls SparkLend Reserve Parameters [verification]
high: Unverified L2 ALM Controllers Hold Cross-Chain Capital [verification]
high: Unverified Cross-Chain Executors and Gov Relays [verification]
high: SparkLend Core Uses Immutable-Admin Proxies Upgradable by SubProxy [upgradability]
high: SubProxy Delegatecall Enables Arbitrary Target Execution [access-control]
high: ALM Proxy Grants Controller Arbitrary External and Delegate Calls [access-control]
high: Executive Control via Sky Parent, Not SPK Holders [centralization]
high: No Timelock on SubProxy Direct Execution [centralization]
high: Unverified Arbitrum Spark Executor [cross-chain]
high: Extreme Supply Concentration in Protocol-Controlled Wallets [concentration]
high: Aggressive Year 1–2 Farming Emissions [emission]
high: Imminent June 2026 Unlock Cluster [unlock]
high: Sky SSR Oracle Chain — Single Upstream for Savings Yields [oracle]
high: Sky Allocation System — Capital Source Single Point of Failure [protocol]
medium: ERC-1967 Proxies for Savings Vaults and Bridges [upgradability]
medium: Unverified KillSwitchOracle and Savings Intents [verification]
medium: Emergency Freezer Multisigs With Limited On-Chain Powers [access-control]
medium: stSPK MigratableEntityProxy Uses Immutable Deployer Admin [upgradability]
medium: ALM Freezer Multisig Has On-Chain Emergency Powers [operational]
medium: SparkLend Freezer Multisig — 3-of-5 Operational Control [operational]
medium: Cross-Chain Gov Relay Relies on Bridge Trust [cross-chain]
medium: Limited Direct Token Utility Beyond Governance and Points [utility]
medium: Incentive Misalignment Across Products [incentives]
medium: Sky Ecosystem Dependency and Emergency Mint Authority [governance]
medium: Large FDV Premium Over Circulating Market Cap [valuation]
medium: AaveOracle Chainlink Primary — No Fallback Oracle Configured [oracle]
medium: KillSwitchOracle Unverified — Peg Monitoring Blind Spot [oracle]
medium: Native L2 Token Bridges — Arbitrum/Optimism/Base Messenger Trust [bridge]
medium: Sky Gov Relay — Cross-Chain Governance Execution [bridge]

Analysis Sections: Governance

Spark executive control is concentrated in the SubProxy (0x3300…8c4), authorized via wards by Sky Pause Proxy and Spark StarGuard (7-day max delay). SPK Snapshot voting is signaling-only; on-chain changes flow through Sky executive spells. Operational freezer multisigs (SparkLend 3/5, ALM 2/4) hold limited emergency powers. Cross-chain governance uses Gov Relay with timelocked L2 executors, but Arbitrum's Spark Executor is unverified.

Findings (8)

high: Executive Control via Sky Parent, Not SPK Holders

On-chain verification shows SubProxy wards are held by Sky Pause Proxy (0xBE8E3e36…) and Spark StarGuard (0x6605aa12…), not SPK token holders. SubProxy owns PoolAddressesProvider, is ACL admin, holds POOL_ADMIN and EMERGENCY_ADMIN on ACLManager, and DEFAULT_ADMIN on ALM MainnetController. SPK governance is off-chain Snapshot signaling; execution requires Sky Atlas updates and executive spells.

on-chain RPC: SubProxy wards(Sky Pause Proxy)=1, wards(StarGuard)=1; PoolAddressesProvider.owner()=SubProxy; ACL hasRole(POOL_ADMIN, SubProxy)=true
protocol docs: SPK token holders vote on Snapshot; implementation flows through Sky Atlas updates and Spark Spells via the Sky Spell process

high: No Timelock on SubProxy Direct Execution

SubProxy.exec() performs immediate delegatecall execution for any address with wards. While StarGuard enforces a 7-day maxDelay for whitelisted proxy spells, the SubProxy contract itself has no built-in timelock. Sky Pause Proxy can authorize and execute changes without an on-chain delay at the SubProxy layer.

contract source: SubProxy.sol: exec() is auth-gated via the wards mapping with no delay mechanism
on-chain RPC: Spark StarGuard maxDelay()=604800 (7 days); subProxy()=0x3300f198988e4C9C63F75dF86De36421f06af8c4

high: Unverified Arbitrum Spark Executor

Cross-chain governance on Arbitrum routes L1 SubProxy messages through ArbitrumReceiver (l1Authority=SubProxy) to Spark Executor 0x65d946…f7a1, which is unverified on-chain. This creates a governance asymmetry: mainnet contracts are verified and auditable, but the primary Arbitrum execution target cannot be source-audited.

on-chain RPC: ArbitrumReceiver.l1Authority()=0x3300f198988e4c9c63f75df86de36421f06af8c4; target()=0x65d946e533748a998b1f0e430803e39a6388f7a1
contract verification status: Arbitrum Spark Executor 0x65d946…f7a1: source NOT VERIFIED

medium: ALM Freezer Multisig Has On-Chain Emergency Powers

ALM Freezer multisig (0x90D8c80…3431) is a 2-of-4 Gnosis Safe verified on-chain. It holds the FREEZER role on MainnetController, enabling removal of ALM relayers without a governance spell. This is a low-threshold operational backstop separate from SPK/Sky governance.

on-chain RPC: ALM Freezer getThreshold()=2, 4 owners; hasRole(FREEZER, 0x90D8c80…)=true on MainnetController
contract source: MainnetController.removeRelayer() requires the FREEZER role

medium: SparkLend Freezer Multisig — 3-of-5 Operational Control

SparkLend Freezer (0x44efFc4…eC3) is a 3-of-5 Gnosis Safe. On-chain checks show it does not hold ACL EMERGENCY_ADMIN or POOL_ADMIN directly; emergency pause authority for SparkLend sits with SubProxy (EMERGENCY_ADMIN). The freezer multisig provides operational incident response but its exact on-chain permissions require spell-granted roles.

on-chain RPC: SparkLend Freezer getThreshold()=3, 5 owners; hasRole(EMERGENCY_ADMIN, freezer)=false; hasRole(EMERGENCY_ADMIN, SubProxy)=true

medium: Cross-Chain Gov Relay Relies on Bridge Trust

L2 Sky Gov Relay contracts accept messages only from L1 counterparts (Arbitrum L1 relay 0x9ba25c…; Base L1 relay 0x1ee0ae8…). Gnosis uses AMBBridgeExecutor with controller=SubProxy (delay=0, gracePeriod=3 days). Optimism Executor has delay=0 and gracePeriod=7 days. Cross-chain governance inherits bridge liveness and security assumptions.

on-chain RPC: Arbitrum L2GovernanceRelay.l1GovernanceRelay()=0x9ba25c289e351779e0d481ba37489317c34a899d; Gnosis AMB controller=SubProxy, getDelay()=0, getGracePeriod()=259200
contract source: L2GovernanceRelay.relay() restricted to onlyL1Counterpart(l1GovernanceRelay)

info: StarGuard Provides 7-Day Spell Validation Window

Spark StarGuard (0x6605aa12…E45E) is warded on SubProxy and enforces maxDelay of 7 days for whitelisted proxy spells, adding a validation layer between Sky executive approval and SubProxy execution.

on-chain RPC: StarGuard maxDelay()=604800 seconds; subProxy()=0x3300f198988e4C9C63F75dF86De36421f06af8c4
Sky executive vote: StarGuard initialized for Spark with cfg.maxDelay: 7 days

info: Structured Off-Chain Governance with Risk Council

Spark operates a weekly governance cycle with Spark Risk Council review, Operational Facilitator verification, and Snapshot voting (>50% approval). Proposals require 1% SPK (100M tokens) or nested contributor status. This provides process rigor but remains off-chain and non-binding until Sky spells execute.

protocol docs: Weekly cycle: SRC review (1 week), Operational Facilitator approval, Snapshot voting >50%, then Atlas update and Spark Spell execution

Governance Checklist

On-chain token voting (direct execution): SPK Snapshot is signaling only; execution via Sky spells
Multisig (not EOA) for operational controls: SparkLend Freezer 3/5, ALM Freezer 2/4 Gnosis Safes
Timelock on governance actions: SubProxy has no delay; StarGuard 7d max; L2 executors have grace periods
Cross-chain governance parity: Arbitrum Executor unverified; bridge-dependent relays
Parent ecosystem oversight (Sky Atlas): Sky Pause Proxy + StarGuard warded on SubProxy
Emergency admin separation: SubProxy holds EMERGENCY_ADMIN; ALM Freezer holds FREEZER role

Key Governance Entities

Entity | Chain | Label
SubProxy (SparkDAO Executive) | ethereum | SPARK_SUBPROXY
StarGuard | ethereum | SPARK_STARGUARD
Gnosis Safe | ethereum | SparkLend Freezer Multisig
Gnosis Safe | ethereum | ALM Freezer Multisig
L2 Governance Relay | arbitrum | Sky Gov Relay (Arbitrum)
L2 Governance Relay | base | Sky Gov Relay (Base)
Bridge Executor | gnosis | AMB Bridge Executor

Governance Parameters

StarGuard Max Delay: 7 days
SparkLend Freezer Threshold: 3/5
ALM Freezer Threshold: 2/4
Gnosis Executor Grace Period: 3 days
Optimism Executor Grace Period: 7 days
SPK Governance Type: Snapshot signaling

Operational Multisig Signers

Multisig | Threshold | Signer Address
SparkLend Freezer | 3/5 | 0x8a714da4cd3ad43442a092227db52860329e0742
SparkLend Freezer | 3/5 | 0x3126c94c032a1d9be9294cf5be2da99255b00cc8
SparkLend Freezer | 3/5 | 0xcff27a5979f423f2fe073e22fec07050b157f656
SparkLend Freezer | 3/5 | 0x8541ccfc6e7eacebd233c6789a0fbf7c708b0e68
SparkLend Freezer | 3/5 | 0x52a8305f29f85bec5fa6ee78b87ddd2218d8e12e
ALM Freezer | 2/4 | 0x52a8305f29f85bec5fa6ee78b87ddd2218d8e12e
ALM Freezer | 2/4 | 0x3126c94c032a1d9be9294cf5be2da99255b00cc8
ALM Freezer | 2/4 | 0x8541ccfc6e7eacebd233c6789a0fbf7c708b0e68
ALM Freezer | 2/4 | 0xacd204885e9ea069c1cd3e4b12a75ce478de6f1d