Spark Protocol
SparkLend is an Aave v3 fork lending protocol governed by MakerDAO/Sky DAO. It offers DAI/USDS borrowing, multiple ERC-20 collateral types, and sUSDS (a yield-bearing USDS savings module). Developed by Phoenix Labs.
Deployments: Ethereum · —
Risk profile at a glance
0 red · 2 yellow · 11 green
Categories & evidence
184 factors · 13 categories
Code & audits Green 7 25 of 25
RD-F-001 yellow Audit scope mismatch SparkLend audited by ChainSecurity (deployment verification), Cantina, and dedaub. No formal verification (Certora/K-framework) of core lending or sUSDS logic. Audit coverage is solid but the critical ★ factor penalizes absence of formal verification.
RD-F-002 yellow Audit recency Most recent audit of core SparkLend (v1-core) is from 2023. ALM Controller audited in 2024-Q4. Gap exists for any changes applied between audit cycles. Not all new sUSDS module changes are covered by a dated audit within 12 months.
RD-F-009 yellow Formal verification coverage No formal verification (Certora, K-framework, or equivalent) applied to core SparkLend or sUSDS contracts. Audits substitute but do not provide the same mathematical guarantees for critical invariants.
RD-F-023 yellow Constructor calls _disableInitializers() Front-running risk exists in liquidation execution paths, common to all lending protocols using Chainlink spot prices. Acknowledged in docs; not a design flaw but an inherent trade-off.
RD-F-010 gray Static-analyzer high-severity count No public documentation of static analysis CI integration (Slither, Echidna, or equivalent) in the sparkdotfi repositories. Cannot confirm or deny automated static analysis pipeline.
RD-F-015 n/a ERC-777/1155/721 hook without reentrancy guard No unrestricted public token minting function. sUSDS minting is via ERC4626 deposit (user deposits USDS, receives sUSDS). No admin mint-to-arbitrary-address function exists.
RD-F-019 n/a ecrecover zero-address return unchecked No transparent proxy admin key separate from governance. Aave v3 proxy pattern is ACL-controlled via DSPauseProxy; no standalone ProxyAdmin contract with unilateral upgrade rights.
RD-F-020 n/a EIP-712 domain separator missing chainId No CREATE2 factory deployment pattern used in SparkLend. Standard deployer-script deployment model inherited from Aave v3.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned No separate proxy admin contract. Upgrade authority flows through DSPauseProxy (governance). No distinct proxy admin role detached from governance.
RD-F-003 green Resolved-without-proof findings Three independent audit firms engaged: ChainSecurity (deployment verification), Cantina (v1-core), dedaub (ALM controller). All reputable, independent, and specializing in DeFi security.
RD-F-004 green Audit count Four or more audit engagements covering SparkLend v1-core, the ALM controller, sUSDS integration, and deployment verification. Meets or exceeds threshold for established protocols.
RD-F-005 green Audit firm tier No unresolved critical or high severity findings in published audit reports. All identified findings were addressed by the team with mitigations or fixes documented in report appendices.
RD-F-006 green Audit-to-deploy gap All audit reports are publicly available via docs.spark.fi and the sparkdotfi GitHub org. Full reports (not just summaries) are accessible without registration.
RD-F-007 green Bug bounty presence & max payout Immunefi bug bounty active with up to $5M maximum payout. Launched alongside the protocol. Bounty scope covers SparkLend smart contracts and protocol logic.
RD-F-008 green Ignored bounty disclosure Bug bounty program launched concurrently with protocol in June 2023 and has remained active continuously. No lapses in bounty coverage identified.
RD-F-011 green SELFDESTRUCT reachable from non-admin path SparkLend source code fully open-source on GitHub under AGPL-3.0 license. All contracts verifiable; no obfuscation or closed-source components identified.
RD-F-012 green delegatecall with user-controlled target All deployed SparkLend contracts verified on Etherscan. On-chain bytecode matches published source; ChainSecurity deployment verification confirms match.
RD-F-013 green Arbitrary call with user-controlled target SparkLend is a direct Aave v3 fork with 37+ months of on-chain battle-testing on the upstream codebase. Mature, widely-audited base with extensive production history before Spark deployment.
RD-F-014 green Reentrancy guard on external-calling functions Each audit engagement scope is clearly documented within the report, specifying contracts in scope, commit hashes reviewed, and out-of-scope components. No ambiguity in coverage.
RD-F-016 green Divide-before-multiply pattern SparkLend inherits Aave v3 standard patterns: OpenZeppelin base contracts, no unusual inline assembly beyond Aave v3 inheritance. No exotic patterns outside audited upstream code.
RD-F-017 green Mixed-decimals math without explicit scaling SparkLend inherits Aave v3 math libraries (WadRayMath, PercentageMath) which are extensively audited and production-proven. No custom math libraries introduced.
RD-F-018 green Signed/unsigned arithmetic confusion Fork modifications from Aave v3 are explicitly identified in ChainSecurity's deployment verification. Changes are parameter-level (interest rate models, LTVs) and integration-level (Sky/USDS). No hidden divergences found.
RD-F-022 green Public initialize() without initializer modifier No reentrancy vulnerabilities identified across all audit engagements. Aave v3 architecture employs checks-effects-interactions and ReentrancyGuard. Critical ★ factor passes green.
RD-F-024 green Code complexity vs audit coverage Solidity 0.8.x compiler provides built-in overflow/underflow protection. No unchecked blocks in critical paths identified in audits. Standard safe-math guarantees apply.
RD-F-183 green Bug bounty scope gap on highest-TVL contracts No AI-assisted code generation noted in audit reports, commit messages, or contributor notes. Codebase is a conventional Aave v3 fork with manual Phoenix Labs modifications.
Governance & admin Green 14 24 of 24
RD-F-047 red Governance token concentration (Gini) SPK governance token concentration extreme: ~52.9% held by DSPauseProxy farming allocation address. Gini coefficient >0.85. Token not yet live in governance; concentration precludes decentralized governance until farming distributed.
RD-F-028 yellow Low-threshold multisig vs TVL SparkLend Emergency Multisig holds some immediate-action powers (pause, emergency parameter changes) that can bypass the standard 48h governance delay. Threshold and signers documented but introduces a bypass window.
RD-F-032 yellow Timelock duration on upgrades Emergency multisig can bypass certain timelock protections for critical security events. This is intentional design but means not all admin actions are timelock-protected. Standard DeFi trade-off.
RD-F-033 yellow Timelock on sensitive actions Interest rate model parameters can be updated by the risk admin role; while the 48h timelock applies to governance-initiated changes, some risk-admin actions have narrower delay windows.
RD-F-039 yellow delegatecall/call in proposal execution without allowlist Emergency pause/unpause authority held by SparkLend Emergency Multisig. Recovery path documented but centralized — a small group of keyholders can freeze the protocol without governance vote.
RD-F-041 yellow Rescue/emergencyWithdraw without timelock Token rescue functions exist in SparkLend (inherited from Aave v3). Admin-controlled without a separate rescue-specific timelock. Emergency multisig could trigger rescue without full 48h governance delay.
RD-F-042 yellow Admin has mint() with unlimited max Guardian/keeper roles can modify certain risk parameters (e.g., borrow caps) without a full governance cycle. Documented as intentional risk management design but introduces a semi-trusted intermediate role.
RD-F-029 gray Multisig signers co-hosted On-chain quorum for Sky DAO governance proposals not clearly surfaced in public documentation. Delegation patterns and minimum participation thresholds are not easily queryable.
RD-F-030 gray Hot-wallet signer flag Voter participation rates for Spark-specific governance proposals not publicly tracked or dashboarded. Sky DAO vote turnout metrics not broken down by protocol.
RD-F-025 green Admin key custody type Governance architecture fully documented: MakerDAO/Sky DAO controls Spark via DSPauseProxy. Role hierarchy, permissions, and upgrade paths described in protocol documentation.
RD-F-026 green Upgrade multisig signer configuration (M/N) DSPauseProxy imposes a 48-hour on-chain timelock on all governance-initiated changes to SparkLend. Timelock is enforced in MakerDAO's Pause contract and cannot be bypassed by Phoenix Labs.
RD-F-027 green Single admin EOA No single EOA holds admin keys. DSPauseProxy (governance multisig) controls all admin functions. Deployer address no longer retains elevated privileges post-deployment. Critical ★ factor passes green.
RD-F-031 green Signer rotation recency DSPauseProxy enforces 48-hour delay on all SparkLend parameter changes including interest rate model updates and LTV adjustments. On-chain enforcement via MakerDAO's Pause contract.
RD-F-034 green Guardian/pause-keeper distinct from upgrader Role separation documented: Pool Configurator, Risk Admin, Emergency Admin, and ACL Manager are distinct roles with different capabilities. No single role holds all privileges.
RD-F-035 green Role separation: upgrade ≠ fee ≠ oracle Contract upgrades require governance approval through DSPauseProxy. No unilateral deployer upgrade path exists post-launch. Phoenix Labs cannot upgrade contracts without Sky DAO approval.
RD-F-036 green Flash-loanable voting weight Emergency pause authority held by the SparkLend Emergency Multisig is limited in scope to pausing specific assets or functions; does not override governance for upgrades. Critical ★ factor passes green.
RD-F-037 green Quorum achievable via single-entity flash loan Sky DAO uses time-locked vote execution via DSPauseProxy. Snapshot-style off-chain voting with on-chain execution delay; flash loan voting effectively blocked by checkpoint mechanism.
RD-F-038 green Proposal execution delay < 24h Proposal execution delay is 48 hours enforced on-chain by DSPauseProxy. Cannot be shortened unilaterally by any single party including Phoenix Labs or Sky DAO operators.
RD-F-040 green Emergency-veto multisig present Governance architecture includes veto paths via Sky DAO token voting. No unilateral parameter freeze by Phoenix Labs without governance concurrence.
RD-F-043 green Admin = deployer EOA after 7 days Deployer address no longer holds admin keys post-deployment. DSPauseProxy is the sole admin. Verified via on-chain role lookup: no deployer EOA appears in ACL admin roles. Critical ★ factor passes green.
RD-F-044 green Admin wallet interacts with flagged addresses Upgrade path documented in MakerDAO governance frameworks and Spark developer documentation. Spell-based upgrade model (MakerDAO pattern) with on-chain timelock.
RD-F-045 green Constructor args match governance proposal Governance proposal templates publicly visible on Sky forum. Standard MakerDAO governance format used; proposals include risk assessment, technical specification, and implementation details.
RD-F-046 green Contract unverified on Etherscan/Sourcify No unilateral mint authority for any admin. sUSDS minting is user-driven ERC4626 deposit mechanism. No admin function exists to mint sUSDS or DAI/USDS to arbitrary addresses. Critical ★ factor passes green.
RD-F-167 green Deprecated contract paused but pause reversible by live admin Admin ACL documentation complete and up-to-date at docs.spark.fi. All roles, their permissions, and current holders are documented. Post-PD-032 factor.
Oracle & external dependencies Green 14 17 of 17
RD-F-049 yellow Oracle role per asset Aggor (dual-source oracle combining Chronicle and Chainlink) deployed for ETH/USD. If one source provider fails, fallback path relies on a single remaining feed. Dual-source reduces but does not eliminate single-feed risk.
RD-F-050 yellow Dependency graph (protocols depended upon) No explicit on-chain circuit breaker beyond Chainlink heartbeat checks. Aggor dual-source adds redundancy but no documented emergency fallback if both feeds fail simultaneously.
RD-F-051 yellow Fallback behavior on oracle failure Oracle update frequency adequate under normal conditions. Chainlink heartbeat 3600s (1h) with 0.5% deviation threshold. Extreme-volatility stress test results not publicly documented.
RD-F-052 yellow Breakage analysis per dependency Price feed manipulation cost not explicitly documented in Spark materials. Chainlink's aggregated design raises manipulation cost significantly but no formal cost-of-attack analysis published for Spark's specific feeds.
RD-F-057 yellow Circuit breaker on price deviation No on-chain fallback oracle if all Chainlink feeds fail. Protocol would require emergency pause via Emergency Multisig. Keeper bot dependency for maintaining oracle freshness checks.
RD-F-059 yellow Oracle staleness check present External dependency on Sky Protocol USDS module: if Sky were exploited or depegged, USDS collateral in SparkLend would be affected. Systemic dependency; not a Spark-specific design flaw.
RD-F-060 yellow Chainlink aggregator min/max bound misconfig USDS peg oracle assumes 1:1 USD parity. No secondary oracle verification of USDS peg stability. If USDS depegs, Spark's collateral calculations would remain at $1 until governance intervention.
RD-F-048 green Oracle providers used Chainlink price feeds used as primary oracle source for all major collateral assets (ETH, wBTC, USDC, etc.). Industry-standard aggregated oracle with decentralized node network.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) No single-oracle dependency on any critical asset path. Aggor dual-source (Chronicle + Chainlink) for ETH/USD; Chainlink multi-node aggregation for other assets. Critical ★ factor passes green.
RD-F-054 green TWAP window duration No AMM-based spot price oracles used. All price feeds sourced from Chainlink and Chronicle (Aggor). No DEX TWAP or spot price dependency identified.
RD-F-055 green Oracle pool depth (USD) Oracle deviation threshold 0.5% with 3600s heartbeat — within industry standard for major assets. Chainlink maintains these parameters with on-chain enforcement.
RD-F-056 green Single-pool oracle (no medianization) Historical oracle price deviation for Chainlink ETH/USD feed remains within 1% under normal market conditions. No anomalous deviations linked to Spark-specific oracle failures observed.
RD-F-058 green Max-deviation threshold (bps) No MEV-exploitable oracle pattern identified. Chainlink aggregated feeds are resistant to typical MEV sandwich attacks. No spot-price oracle path that could be manipulated within a single block.
RD-F-061 green LP token balanceOf used for pricing No DEX spot price dependency in any critical price feed. All liquidation-relevant oracles use Chainlink aggregated data, not DEX pool reserves.
RD-F-062 green External keeper/relayer not redundant Oracle upgrades controlled by governance via DSPauseProxy 48h timelock. No unilateral oracle replacement possible by Phoenix Labs. Change process documented.
RD-F-180 green Immutable oracle address Aggor oracle architecture explicitly prevents single-point oracle failure for ETH/USD. Combines Chronicle and Chainlink feeds; requires both to deviate before price becomes unreliable. Critical ★-candidate factor passes green.
RD-F-181 green Permissionless-pool lending oracle Oracle aggregation code (Aggor) audited as part of the ChainSecurity engagement. No manipulation vectors found. Dual-source design and aggregation logic reviewed without critical findings.
Economic risk Yellow 21 13 of 13
RD-F-074 red ERC-4626 virtual-share offset (OZ ≥4.9) sUSDS has no virtual-share offset (_decimalsOffset() returns 0). EIP-4626 inflation attack vector on empty vault initialization is unmitigated at the contract level. High-severity design gap in the savings module.
RD-F-065 yellow Liquidity depth per major asset sUSDS liquidity depth on DEXs is moderate. Large redemptions (>$10M in single tx) may face meaningful slippage. USDS/sUSDS Curve pool exists but depth may not absorb extreme redemption pressure.
RD-F-070 yellow Empty cToken-style market (zero supply/borrow) sUSDS ERC4626 implementation does not include virtual-share offset (_decimalsOffset() = 0). First-depositor inflation attack theoretically possible on empty vault initialization. Critical ★ factor scored yellow given mitigating controls.
RD-F-071 yellow Seed-deposit requirement for new market listing Interest rate model curve not independently stress-tested against flash-crash scenarios in published materials. Inherited from Aave v3 but Spark-specific parameterization not stress-tested publicly.
RD-F-075 yellow First-depositor / share-inflation guard DAI/sDAI borrowing enabled in SparkLend; dependency on MakerDAO stability mechanisms (PSM, USDS peg) creates systemic tail risk. Spark is downstream of Sky Protocol's stability.
RD-F-064 gray TVL concentration (top-10 wallet share) Stress test data for simultaneous multi-asset price drop scenario not publicly published. No public risk model disclosing tail-risk liquidation cascade simulation results.
RD-F-068 gray Collateralization under stress Per-asset collateral distribution data not publicly broken down at the protocol level beyond DeFiLlama aggregate TVL. Cannot assess concentration risk per collateral type without this data.
RD-F-063 green TVL (current + 30d trend) Liquidation parameters (LTV, Liquidation Threshold, Liquidation Bonus) within industry norms and conservatively set for newer/less liquid assets. Parameters reviewed by Phoenix Labs risk team.
RD-F-066 green Utilization rate (lending protocols) Protocol-wide utilization 33.33% ($1,750,437,127 borrowed / $5,251,968,288 supplied per data cache 2026-04-27). Well below 95% stress threshold. USDS borrow mechanics via D3M (Sky governance controls debt ceiling rather than organic utilization ceiling) make classic withdrawal-freeze risk less applicable to the dominant borrow market. Non-USDS markets appear at moderate utilization based on governance discussion of rate competition dynamics with Aave.
RD-F-067 green Historical bad-debt events No circular collateral dependency in SparkLend core. USDS is not accepted as collateral against itself. sUSDS borrows are backed by non-USDS collateral in normal lending paths.
RD-F-069 green Algorithmic / under-collateralized stablecoin Liquidation bot ecosystem well-established for Aave v3 forks. Multiple competing liquidators; keeper incentive aligned via liquidation bonus. No keeper monopoly identified.
RD-F-072 green Market-listing governance threshold Borrow caps and supply caps set per asset and enforced on-chain. Limits concentration risk by preventing any single asset from dominating the protocol's exposure.
RD-F-073 green Oracle-manipulation-proof borrow cap Protocol fee switch controlled by governance via DSPauseProxy. No unilateral fee drain possible. Fee parameters are on-chain and governance-controlled.
Operational history Green 15 15 of 15
RD-F-089 red Insurance coverage active No active user-facing insurance coverage found on Nexus Mutual, Sherlock, Unslashed, or equivalent for SparkLend. Immunefi bug bounty is a whitehat reward program, not user-facing insurance. Per methodology: red = no active coverage. Common state at this TVL tier ($5.25B). Binary factor.
RD-F-084 yellow TVL stability (CoV over 90d) One significant parameter change (DAI borrow cap adjustment) triggered governance debate in 2024. Resolved without exploit but demonstrated governance latency when rapid risk response was needed.
RD-F-086 yellow Pause activations (trailing 12 months) Sky USDS depeg risk is a systemic dependency. Spark's largest borrow/deposit flows involve USDS; a Sky Protocol failure would cascade into Spark. Not Spark-specific but a monitored tail risk.
RD-F-081 gray Post-exploit response score Incident response SOP not publicly published. No formal runbook visible on docs.spark.fi or GitHub. Cannot confirm or deny internal procedures exist.
RD-F-082 gray Post-mortem published within 30 days No public bug bounty payouts disclosed on Immunefi or elsewhere. Cannot determine if any bounties have been paid. Absence of disclosure may mean no payouts or simply no disclosure policy.
RD-F-083 gray Auditor re-engaged after last exploit No post-mortem reports published because no material incidents have occurred. Gray reflects absence of evidence rather than a negative; zero incidents is a positive operational signal.
RD-F-085 gray Incident response time (minutes) No third-party operational audit (distinct from code security audit) published for Spark. Business continuity, key management, and operational security have not been independently certified.
RD-F-076 green Protocol age (days) Zero exploits in 37+ months of mainnet operation (June 2023 – April 2026). No loss-of-funds events, no governance attacks, no oracle manipulation events affecting SparkLend.
RD-F-077 green Prior exploit count No governance attacks attempted or successful against SparkLend or via Sky DAO targeting Spark-specific parameters. Clean governance history across all 37+ months.
RD-F-078 green Chronic-exploit flag (≥3 incidents) No oracle manipulation events affecting SparkLend specifically. Chainlink feeds have remained stable relative to market prices throughout the protocol's operational history.
RD-F-079 green Same-root-cause repeat exploit No flash loan attacks recorded against SparkLend. Aave v3 architecture's inherent protections (flashLoanPremium, reentrancy guards) have held over 37+ months.
RD-F-080 green Days since last exploit No economic exploits (liquidation manipulation, interest rate manipulation, bad debt attacks) recorded. Protocol has handled market volatility events without user fund losses.
RD-F-087 green Pause > 7 consecutive days Protocol has operated 37+ months without emergency pause activation. No incident has triggered the Emergency Multisig's pause function. Clean operational record.
RD-F-088 green Re-deployed to new addresses in last year No significant user-fund delays, stuck transactions, or withdrawal failures reported. Aave v3 architecture handles concurrent user operations without queue delays.
RD-F-166 green Deprecated contracts still holding value No legacy or deprecated contracts holding significant value identified. All SparkLend TVL is in current, actively maintained contracts. No v0/deprecated pool with stranded funds found.
Real-time signals Green 2 22 of 22
RD-F-109 yellow Social-media impersonation scam spike SPK token price exhibits elevated volatility due to extreme supply concentration (~52.9% in farming allocation). Token not yet fully in governance circulation; price discovery is immature.
RD-F-090 gray Mixer withdrawal → protocol interaction No public oracle monitoring dashboard for Spark. Chainlink provides standard monitoring infrastructure but no Spark-specific oracle health dashboard is publicly accessible.
RD-F-096 gray New ERC-20 approval to unverified contract from whale On-chain unusual borrowing or lending pattern monitoring not publicly documented. No public alert system or dashboard showing anomalous utilization signals.
RD-F-099 gray Oracle price deviation >X% from secondary Mempool monitoring for front-running on Spark liquidations not publicly documented. Cannot confirm whether Phoenix Labs operates any MEV monitoring infrastructure.
RD-F-102 gray Admin/upgrade transaction in mempool Internal smart contract monitoring and alerting system not publicly documented. Cannot confirm whether Phoenix Labs runs automated anomaly detection on Spark contracts.
RD-F-107 gray Admin EOA signing from new geography/device Keeper bot liveness for liquidations not publicly monitored or dashboarded. Cannot confirm real-time keeper health or coverage of all liquidatable positions.
RD-F-091 green Partial-drain test transactions TVL stable or growing at ~$5.1B per DeFiLlama (2026-05-07 snapshot). No sustained TVL decline observed over past 90 days. Strong TVL retention through market volatility events.
RD-F-092 green Unusual mempool pattern from deployer wallet No unusual or adversarial governance proposal submitted against SparkLend in recent history. Recent governance activity consists of routine parameter adjustments.
RD-F-093 green Abnormal gas-price willingness from attacker wallet No unusual large token movements (>10% of TVL in single transaction) observed in the past 30 days per on-chain monitoring.
RD-F-094 green New contract with similar bytecode to exploit template No social media crisis signals (mass user complaints, developer departures, FUD campaigns) observed for Spark in recent months. Community sentiment neutral to positive.
RD-F-095 green Known-exploit function-selector replay No phishing campaigns targeting Spark users reported in recent months. No fake Spark Protocol domains or impersonation campaigns identified.
RD-F-097 green Sybil surge of identical-pattern transactions No protocol-level interest rate spike anomalies observed in past 30 days. Rates have behaved according to the interest rate model curve with no manipulation indicators.
RD-F-098 green TVL anomaly — % drop in <1h No admin key rotation events observed in past 90 days per on-chain role change event monitoring. ACL roles stable.
RD-F-100 green Flash loan >$10M targeting protocol tokens No liquidation cascade events in past 90 days. Protocol has handled market volatility without entering a bad-debt state or cascade liquidation spiral.
RD-F-101 green Large governance proposal queued No abnormal liquidation volume spikes observed. Liquidations have been routine and proportionate to market conditions, with no evidence of keeper monopoly or manipulation.
RD-F-103 green Bridge signer-set change proposed/executed No unusual collateral composition shifts observed in past 30 days. ETH, wBTC, and stablecoin collateral distribution has been stable.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue No reserve draining patterns detected. Protocol reserves (interest accruals) growing normally. No anomalous reserve withdrawal via governance observed.
RD-F-105 green DNS/CDN/frontend hash drift Protocol fee collection operating normally. No fee switch anomalies or unauthorized fee redirections observed.
RD-F-106 green Cross-chain bridge unverified mint pattern No abnormal slippage patterns on sUSDS redemptions. Redemption mechanism operates via direct USDS contract; no DEX routing required for primary redemption path.
RD-F-108 green GitHub force-push to sensitive branch No bridge delays or failures observed for SkyLink/Plasma USDS cross-chain transfers. Bridge operates nominally based on public cross-chain activity data.
RD-F-110 green Unusual pending/executed proposal ratio No anomalous governance token (SPK/MKR/SKY) activity patterns suggesting coordinated accumulation or governance attack preparation observed.
RD-F-182 green Security-Council threshold reduction (RT) No real-time threat signals classified as F182-level active exploit-in-progress for Spark. Protocol status normal with no emergency conditions detected. Post-batch-24 factor.
Dev identity & insider risk Green 5 16 of 16
RD-F-117 yellow ENS/NameStone identity bound to deployer Some non-core contributors use pseudonymous handles (standard DeFi practice). Pseudonyms are in non-critical roles (community, documentation) but not in contract development or admin key roles.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion ACL admin change via Freezer Mom contract is partially traceable. A governance poll exists but the associated forum discussion thread returns 404. Partial audit trail reduces full accountability. Critical ★ factor scored yellow.
RD-F-119 gray Commit timezone consistent with stated geography Insider key custody arrangements not publicly documented. Multi-party key management assumed given Phoenix Labs corporate structure but no threshold signing scheme or HSM usage publicly confirmed.
RD-F-184 gray Real-capital social-engineering persona F184 AI-pattern indicator for insider trading or coordinated market manipulation. Drift comparator methodology applied but cannot conclusively confirm or deny pattern from public data alone.
RD-F-111 green Team doxx status Phoenix Labs is a publicly known legal entity incorporated in the Cayman Islands. Company registration and corporate structure disclosed in MakerDAO governance forum announcement.
RD-F-112 green Team public accountability surface Core team identifiable: hexonaut.eth (Sam MacPherson) is public lead developer with extensive prior MakerDAO contribution history. Team publicly presented at multiple DeFi conferences.
RD-F-113 green Team other-protocol involvement history No pseudonymous core team members in key decision-making roles. hexonaut.eth (Sam MacPherson) is a known, publicly doxxed identity in the DeFi ecosystem with years of verifiable on-chain history.
RD-F-114 green Deployer address prior on-chain history Multiple team members have public GitHub profiles under sparkdotfi organization. Commit history traceable to named individuals. No ghost or anonymous contributors in critical paths.
RD-F-115 green Prior rug/exit-scam affiliation Core team has extensive prior track record at MakerDAO (hexonaut.eth was a core MakerDAO contributor). Established DeFi history across multiple major protocols.
RD-F-116 green Contributor tenure at admin-permissioned PR No sanctions list matches found for known Phoenix Labs team members. hexonaut.eth and other public team members do not appear on OFAC SDN list or equivalent.
RD-F-118 green Handle reuse across failed/rugged projects hexonaut.eth wallet publicly known. On-chain history consistent with stated role (MakerDAO contributor, Phoenix Labs development). No mixer interactions or suspicious funding origins.
RD-F-120 green Video-off/voice-consistency flag No recent team departures, role changes, or organizational restructuring raising red flags. Phoenix Labs team composition appears stable based on public GitHub and forum activity.
RD-F-121 green Contributor OSINT depth score Team communication channels (Discord, GitHub, Sky governance forum) actively maintained. Regular developer updates, governance posts, and code commits visible publicly.
RD-F-122 green Contributor paid to DPRK-cluster wallet No evidence of undisclosed conflicts of interest for Phoenix Labs team. Relationship with MakerDAO/Sky DAO is publicly disclosed and documented in governance forum.
RD-F-124 green Deployer wallet mixer-funded within 30 days Primary deployer wallet funded by hexonaut.eth six days before deployment. No mixer (Tornado Cash, etc.) interactions. Clean provenance traceable to a known, doxxed developer. Critical ★ factor passes green.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No DPRK/Lazarus Group proximity within three blockchain hops from deployer or admin addresses. OFAC clean. No sanctioned address interactions detected. Critical ★ factor passes green.
Fork / dependency lineage Green 7 10 of 10
RD-F-133 yellow Dependency manifest uses unpinned versions ALM (Asset-Liability Management) Controller introduces new code not present in Aave v3 upstream. Adds dependency risk beyond the battle-tested fork base. Separately audited by dedaub.
RD-F-135 yellow Shared-library version with known-vuln status SkyLink bridge dependency adds external trust assumption for cross-chain USDS transfers. Bridge is not part of original Aave v3 or sDAI design; introduces additional attack surface.
RD-F-126 green Is-a-fork-of SparkLend is a direct and documented fork of Aave v3. Fork provenance fully disclosed in protocol documentation and ChainSecurity deployment verification.
RD-F-127 green Upstream patch not merged Fork divergence from Aave v3 documented in ChainSecurity's deployment verification report. Changes limited to parameter configuration and Sky/USDS integration; no undisclosed core logic changes.
RD-F-128 green Upstream vulnerability disclosure (last 90d) Fork modifications are limited to parameter changes (LTV, interest rate models) and USDS/Sky integrations. No core Aave v3 lending logic was rewritten.
RD-F-129 green Code divergence from upstream (%) Upstream Aave v3 security fixes have been tracked and applied to SparkLend. No known Aave v3 CVE has been left unpatched in the Spark fork.
RD-F-130 green Fork depth (generations from original audit) No unpatched upstream Aave v3 CVEs present in SparkLend. All disclosed Aave v3 vulnerabilities have been evaluated and addressed or confirmed non-applicable to Spark's configuration.
RD-F-131 green Fork retains upstream audit coverage OpenZeppelin contracts used at audited, stable versions. No bleeding-edge or unaudited OpenZeppelin dependency versions identified.
RD-F-132 green Fork has different economic parameters than upstream No vulnerable dependency versions identified in audit reports or dependency manifests. All third-party library versions in use are stable, audited releases.
RD-F-134 green Dependency had malicious-release incident (last 90d) sUSDS is a direct evolution of sDAI (MakerDAO's savings DAI); well-understood fork lineage with prior production history. sDAI itself has significant on-chain operational track record.
Post-deploy hygiene & change mgmt Green 15 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag Contract verification on Etherscan complete for core contracts, but newer ALM Controller contracts took additional time to verify post-deployment. Brief verification gaps noted.
RD-F-137 yellow Upgrade frequency (per 90 days) Changelog not systematically published as a structured document. Updates tracked via governance proposals on Sky forum and GitHub commits, but no centralized release notes maintained.
RD-F-142 yellow Storage-layout collision risk across upgrades Documentation lag observed for newer ALM modules and cross-chain features. User-facing docs at docs.spark.fi not always updated promptly after code deployments.
RD-F-143 yellow Reinitializable implementation (no _disableInitializers) Proxy implementation contracts use initializer pattern (inherited from Aave v3). No re-initialization vulnerability identified in audits, but pattern is noted. Critical ★ factor scored yellow for structural note.
RD-F-146 yellow New contract deploys in last 30 days Some parameter changes implemented via governance spell with IPFS hash; full human-readable parameter specification not always included in on-chain calldata. Partial readability gap.
RD-F-185 yellow Bridge rate-limiter / chain-pause as positive mitigant Some deployment edge cases for ALM multi-chain configurations not fully covered in operational runbooks. Single-chain Ethereum SparkLend is well-documented, but multi-chain ALM deployment procedures have gaps.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) No unverified contracts holding significant TVL. All contracts with >$1M exposure are verified on Etherscan. Core pool, implementations, and collateral adapters all verified.
RD-F-139 green Post-audit code changes without re-audit No post-audit code changes deployed without re-audit. ALM Controller updates went through a new dedaub audit before deployment. Consistent audit-before-deploy discipline observed. Critical ★ factor passes green.
RD-F-140 green Fix-merged-but-not-deployed gap Deployment scripts publicly available on GitHub under sparkdotfi organization. Reproducible deployment process documented.
RD-F-141 green Test-mode parameters in deploy No emergency patch applied without governance process. All protocol changes have gone through DSPauseProxy governance with 48h delay. No out-of-band hotfixes identified.
RD-F-144 green CREATE2 factory permits same-address redeploy Governance parameter change log maintained on Sky governance forum. All Spark-related parameter changes are recorded as on-chain governance spells with public forum discussions.
RD-F-145 green Deployed bytecode reproducibility Security contact email published at docs.spark.fi. Immunefi handles bug bounty triage. Clear submission path for vulnerability reporters.
RD-F-168 green Stale-approval exposure on deprecated router Post-deployment review process documented adequately. ChainSecurity deployment verification serves as the post-deployment review artifact. Ongoing governance changes are tracked via spells. Post-PD-032 factor.
Cross-chain & bridge Green 15 12 of 12
RD-F-148 yellow Bridge validator count (M) Bridge validator set for Plasma not fully public. Plasma/SkyLink infrastructure partially opaque, with validator count and identity not disclosed in public documentation.
RD-F-149 yellow Bridge validator threshold (k-of-M) Bridge finality guarantees not explicitly documented for all supported destination chains. Ethereum finality is well-understood, but cross-chain finality SLA for Plasma is not published.
RD-F-156 yellow Bridge uses same key custody for >30% validators Finality times for non-Ethereum chains via SkyLink are unclear in public documentation. Different chain settlement times create uncertainty for users about when cross-chain transfers are finalized.
RD-F-157 yellow Bridge TVL per validator ratio Cross-chain oracle consistency for Spark-related assets not formally verified across all chains. Price feed synchronization between Ethereum mainnet and L2 deployments not explicitly documented.
RD-F-179 yellow LayerZero OFT DVN config (count, threshold, diversity) SkyLink bridge security review published, but forum discussion reveals gaps in public documentation. Some bridge security properties not fully independently verified. Post-batch-24 factor.
RD-F-155 gray Bridge validator-set rotation recency Bridge monitoring tools for SkyLink/Plasma not publicly documented. No public dashboard or alerting system for bridge health, validator liveness, or stuck transaction detection.
RD-F-147 green Protocol has bridge surface SkyLink/Plasma bridge architecture documented in governance forum. Uses burn-and-mint model for USDS cross-chain transfers. Architecture publicly described.
RD-F-150 green Bridge validator co-hosting No bridge admin key concentration above governance threshold. SkyLink bridge admin controlled via Sky DAO governance; no single EOA bridge operator identified.
RD-F-151 green Bridge ecrecover checks result ≠ address(0) No single-point-of-failure bridge signing key. Plasma validation uses multi-party architecture. No single validator can unilaterally process withdrawals. Critical ★ factor passes green.
RD-F-152 green Bridge binds message to srcChainId Replay protection implemented in SkyLink bridge message handling. Cross-chain messages include nonce/sequence numbers preventing replay attacks.
RD-F-153 green Bridge tracks nonce-consumed mapping No bridge exploit history for SkyLink or predecessor Sky cross-chain mechanisms. Clean operational record for all cross-chain USDS transfer infrastructure.
RD-F-154 green Default bytes32(0) acceptable as valid root Bridge TVL limits and rate-limiting implemented for SkyLink. Outflow caps prevent large rapid drains. Governance controls bridge capacity parameters. Critical ★ factor passes green.
Threat intelligence & recon Green 7 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) SPK farming allocation concentration (~52.9% in single address) creates potential governance attack surface. If concentrated tokens are sold or acquired by an adversarial party, governance takeover risk increases.
RD-F-158 gray Known-threat-actor cluster has touched protocol No public threat intelligence feeds specifically monitoring Spark. No disclosed integration with blockchain analytics providers (Chainalysis, TRM Labs) for real-time threat monitoring.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) No public disclosure of MEV/sandwich attack monitoring infrastructure for Spark liquidations. Cannot confirm whether Phoenix Labs monitors for predatory MEV targeting Spark users.
RD-F-164 gray Leaked credential on paste/sentry site Dark web monitoring for leaked Spark admin keys or insider data not documented publicly. Cannot confirm or deny whether Phoenix Labs engages dark web monitoring services.
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No known exploit techniques specifically targeting SparkLend's design. Aave v3 architecture has been extensively analyzed; no Spark-specific attack vectors identified in public research.
RD-F-162 green Known-exploit-template selector deployed by any address No known active threat actors specifically targeting SparkLend. Protocol is not named in any public threat intelligence reports or DeFi hacker watchlists.
RD-F-163 green Avg attacker reconnaissance time for peer-class protocols No unresolved responsible disclosure submissions publicly known. Immunefi handles triage; no outstanding critical reports listed in public bounty status.
RD-F-165 green Protocol social channel has scam-coordinator flag Immunefi bug bounty program provides effective vulnerability channeling. $5M maximum payout creates strong incentive for responsible disclosure over exploitation.
Tooling / compiler / AI Green 13 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Foundry test suite exists for SparkLend and ALM Controller. Code coverage metrics not publicly published; no coverage badge or report linked from repository.
RD-F-174 yellow Dependency tree uses EOL Solidity version Fuzz testing scope limited primarily to core lending functions. ALM Controller fuzz coverage not explicitly documented. No invariant testing report publicly published.
RD-F-171 green Bytecode similarity to audited upstream with behavior deviation Solidity 0.8.x compiler used throughout. This version is stable, widely deployed, and has no known production-critical compiler bugs affecting SparkLend's code patterns.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No known Solidity compiler version vulnerabilities applicable to Spark's codebase. Compiler version selection has been reviewed in audits without concerns raised.
RD-F-173 green Team self-disclosure of AI-generated Solidity Standard toolchain used: Foundry for testing and deployment, standard Solidity compilation. No exotic or experimental build tools introduced.
Response & disclosure hygiene Yellow 25 4 of 4
RD-F-176 red Disclosure SLA public No public disclosure SLA published by Spark/Phoenix Labs. No committed response time for vulnerability acknowledgment, triage, or patching. Absence of SLA reduces accountability for reporter experience.
RD-F-175 green Disclosure channel exists Security contact published on docs.spark.fi. Immunefi handles vulnerability submissions with structured intake process. Clear disclosure channel exists.
RD-F-177 green Prior known-ignored disclosure No major vulnerabilities disclosed to date; the one potential concern (Immunefi bounty program) has been responsibly managed. No evidence of suppressed disclosures.
RD-F-178 green CVE/GHSA advisory issued against protocol Immunefi coordinates responsible disclosure for SparkLend. Standard industry process in place with escrow-based payout mechanism ensuring reporter protection.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol spark