Spark
About
Spark is a DeFi savings and lending protocol that enables users to earn yield on stablecoins (USDC, USDT, PYUSD, USDS) and ETH through institutional-grade vaults. The platform uses the Spark Liquidity Layer to deploy capital across diversified yield strategies while maintaining instant withdrawal liquidity. It also offers borrowing markets via SparkLend for users to access liquidity against collateral assets.
Where Does Yield Come From?
Spark generates yield through its Savings V2 vaults — for example, spUSDC, spUSDT, and spETH. When you deposit into one of these vaults, 90% of the funds are sent out through the Spark Liquidity Layer (the system's capital-deployment engine) to earn returns. The other 10% stays put as instant-access cash, so you can withdraw at any time without delay.
The Spark Liquidity Layer spreads deposited capital across a carefully chosen mix of places that earn yield:
- DeFi lending protocols like SparkLend, Aave, Morpho, and Curve
- CeFi (centralized finance) partners
- Tokenized real-world assets (RWAs), such as BlackRock's BUIDL fund, Superstate, and Centrifuge
The minimum return savers can expect is anchored to the Sky Savings Rate — a baseline yield set by the protocol's governance. On top of that, extra returns may come from the way capital is allocated across different strategies. The rates paid to savers are updated by Spark's governance team as market conditions and strategy performance change.
These vaults are accumulating tokens: their value in USDC terms grows over time as yield rolls in. In other words, you don't receive separate interest payments — your vault shares simply become worth more.
How Spark earns revenue: The protocol keeps the spread (the difference) between the yield its strategies earn and the rate it pays out to savers. This spread helps fund the Sky Savings Rate.
Spark also runs a Peg Stability Module (PSM) for cross-chain liquidity. This lets users swap between stablecoins and sUSDS (a yield-bearing token) with zero slippage — meaning the trade executes at exactly the expected price — across multiple networks: Ethereum, Base, Arbitrum, Optimism, and Unichain. This service is backed by Sky's policy of keeping 25% of reserves in cash.
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
OpenZeppelin01-11-2021 |
| The audit identified two critical and three high severity issues, most of which were fixed by the Aave team; the remaining acknowledged issues represent accepted design choices that do not pose immediate security risks. |
Trail of Bits25-10-2021 - 24-11-2021 |
| The audit uncovered several high‑severity isolation‑mode and eMode flaws that were fully remediated before deployment, leaving no critical risks in the reviewed code. The remaining low‑risk and informational issues were either addressed or deemed acceptable by the Aave team. |
PeckShield22-12-2022 |
| The audit found only minor coding improvements (one low, one informational), both promptly fixed, indicating the Aave V3.0.1 codebase is well-engineered with no major security flaws. |
PeckShield10-01-2022 |
| The audit identified 11 issues (2 high, 3 medium, 4 low, 2 informational), all of which were fixed prior to deployment, indicating a robust security review and responsive remediation. |
Sigma Prime19-04-2023 |
| The audit found only minor informational issues, all resolved, indicating the Aave v3.0.1/v3.0.2 updates maintain a strong security posture with no material vulnerabilities. |
Sigma Prime23-12-2022 |
| Only minor informational findings were identified, all of which were resolved or acknowledged, indicating a secure codebase for the Aave v3.0.1 update. |
ABDK Consulting26-01-2022 |
| The audit reveals multiple critical and major vulnerabilities in the codebase, all still open, signalling that substantial remediation is required before the protocol can be considered secure for production use. |
Sigma Prime27-01-2022 |
| The audit identified three low-severity issues and nine informational findings, all of which were resolved by the development team. No critical or high-severity vulnerabilities were found, indicating a robust security posture for the Aave v3 protocol. |
ChainSecurity15-03-2024 |
| ChainSecurity's audit confirmed the safety of the Sparklend core updates, identifying no vulnerabilities in the patched flashloan disablement and public getReservesCount function. |
ChainSecurity11-12-2023 - 12-02-2025 |
| The audit reveals one critical vulnerability in the weETH oracle that could be exploited to manipulate prices, alongside a medium-risk issue with rsETH price updates; both require careful risk assessment given SparkLend's current configuration parameters. |
Cantina Managed04-02-2026 - 07-02-2026 |
| The review found only a single low-risk issue that was documented and verified as fixed, indicating a robust security posture with no critical or high-severity vulnerabilities remaining. |
ChainSecurity11-12-2023 - 12-02-2026 |
| ChainSecurity's audit found no critical vulnerabilities, with two high-severity issues resolved and one medium-severity issue remaining open; the overall security posture is considered good, though users should be aware of inherent oracle design limitations for LST/LRT assets. |
ChainSecurity10-01-2024 - 13-02-2024 |
| The audit found no critical or high-severity vulnerabilities, with all identified low-severity issues either resolved or risk-accepted, indicating a good security posture for the Sparklend Cap Automator. |
Cantina Managed02-02-2026 - 04-02-2026 |
| The review found only minor informational issues that were either acknowledged or fixed, indicating the CapAutomator codebase is secure with no critical vulnerabilities at the time of the audit. |
ChainSecurity10-01-2024 - 12-02-2024 |
| The audit found no critical or high‑severity vulnerabilities; all identified issues were either resolved or accepted as low‑risk, indicating a generally secure implementation of the SparkLend Cap Automator. |
Cantina16-10-2024 - 18-10-2024 |
| The review found only informational improvements, all of which were resolved, indicating the Spark ALM Controller codebase was secure at the time of assessment. |
Cantina Managed18-09-2024 - 19-09-2024 |
| The audit identified only one low-risk issue and six informational improvements, all of which were addressed by the Spark team. The overall security posture is solid with no critical or high-severity vulnerabilities found. |
ChainSecurity15-09-202426-09-202403-10-202407-10-202408-10-202422-10-2024 |
| The audit found no security vulnerabilities above informational severity, with all identified issues resolved during the engagement, indicating a high level of security for the Spark ALM Controller. |
Cantina Managed05-12-2024 - 10-12-2024 |
| The audit uncovered one medium-risk vulnerability and several informational issues, all of which were addressed prior to launch, indicating a thorough security review and responsible remediation by the Spark ALM Controller team. |
ChainSecurity15-09-2024 - 13-12-2024 |
| No critical or high-severity vulnerabilities were found; the remaining low-severity issues are either acknowledged or resolved, indicating a robust security posture for the Spark ALM Controller. |
Cantina Managed07-02-2026 - 09-02-2026 |
| The review found only low‑risk and informational issues, all of which were resolved or acknowledged, indicating a robust security posture for the Spark ALM Controller at the time of assessment. |
ChainSecurity30-01-2026 - 16-02-2026 |
| ChainSecurity's audit found no security issues beyond resolved informational findings, indicating the Spark ALM Controller v1.10 update maintains a secure codebase for the changes introduced. |
Cantina12-02-2025 - 17-02-2025 |
| The audit identified one medium and one low severity issue, along with five informational findings, all of which were addressed in the reviewed version. The overall security posture is satisfactory with no critical or high risks remaining. |
ChainSecurity15-09-2024 - 25-03-2025 |
| The audit revealed no critical or high-severity vulnerabilities, with all identified low-severity issues either accepted as risk or resolved, indicating robust security posture for the Spark ALM Controller across its extensive third-party integrations. |
Cantina Managed10-03-2025 - 21-03-2025 |
| The review uncovered several medium-risk issues that were promptly fixed, along with low-risk and informational findings that were addressed or acknowledged, resulting in a secure Spark ALM Controller implementation. |
ChainSecurity15-09-2024 - 03-04-2025 |
| The audit found no critical, high, or medium severity vulnerabilities, with only low-severity and informational issues identified, indicating a robust security posture for the Spark ALM Controller. Several low-risk findings were accepted by the team, reflecting appropriate risk management. |
Cantina23-07-2025 |
| The review uncovered one medium-severity vulnerability and several lower-risk issues, all of which were addressed or acknowledged, demonstrating effective remediation and a solid security posture for the Spark ALM Controller v1.5.0 release. |
ChainSecurity15-09-2024 - 11-07-2025 |
| The audit found no critical, high, or medium severity vulnerabilities, with all identified low-severity issues either resolved or acknowledged as accepted risks, indicating robust security posture for the Spark ALM Controller across its extensive DeFi integrations. |
Cantina Managed28-07-2025 - 08-08-2025 |
| The audit identified one low-risk and two informational issues, all of which were addressed; the reviewed code appears secure with no critical or high-severity vulnerabilities remaining. |
ChainSecurity18-08-2025 |
| The audit revealed only low-severity issues, with several already resolved and others acknowledged as accepted risks, indicating a robust security posture for the Spark ALM Controller after thorough review. |
Cantina26-08-2025 - 01-09-2025 |
| The review found only one low-risk issue and one informational issue, both of which were addressed, indicating a secure codebase with no major vulnerabilities remaining. |
ChainSecurity11-09-2025 |
| The audit found no critical or high-severity vulnerabilities, only low and informational issues, with most either resolved or accepted as known risks, indicating a robust security posture for the Spark ALM Controller after implemented fixes. |
Cantina Managed20-10-2025 - 22-10-2025 |
| The audit identified one low-risk issue and seven informational findings, all of which were resolved or acknowledged by the Spark team. The code review concluded that no critical or high-severity vulnerabilities remain, indicating a robust security posture for the Spark ALM Controller v1.8. |
| The audit revealed two medium-severity vulnerabilities that were promptly fixed, while lower-risk issues were acknowledged for future refinement, indicating a reasonably secure implementation with some design trade-offs. | |
Cantina Managed15-12-2025 - 19-12-2025 |
| The review found no critical or high-severity vulnerabilities, with all identified low-risk issues addressed or acknowledged, indicating a generally secure implementation with minor operational risks. |
Certora04-12-2025 - 15-12-2025 |
| The audit uncovered one critical high-severity vulnerability that was fixed, alongside multiple medium- and low-severity issues largely acknowledged but not remediated, indicating residual trust and operational risks within the relayer-controlled liquidity management system. |
Cantina Managed09-09-2024 |
| The audit found only informational issues, all of which were addressed or acknowledged, indicating a strong security posture for the reviewed XChain Helpers and Spark-Gov-Relay code. |
ChainSecurity13-07-2024 |
| The audit concluded that the codebase provides a good level of security, with no critical vulnerabilities identified in the reviewed cross-chain messaging helpers. |
Cantina26-08-2025 - 01-09-2025 |
| The review found one medium and three low-risk issues, all of which were addressed, indicating a secure implementation of the xchain-helpers library after remediation. |
ChainSecurity13-07-2024 - 08-10-2025 |
| The audit found only a minor interface compliance issue that was resolved, indicating a well-secured codebase for cross-chain messaging helpers with appropriate trust assumptions documented. |
ChainSecurity02-04-2024 - 15-01-2025 |
| The audit found no critical, high, medium, or low severity vulnerabilities; three informational issues were resolved. The codebase provides a high level of security according to ChainSecurity. |
Cantina Managed20-09-2024 |
| The audit concluded with no identified vulnerabilities, indicating a clean security posture for the reviewed oracle code at the time of assessment. |
Cantina09-09-2024 |
| The review uncovered one medium‑risk timing issue around DSR updates that could lead to conversion‑rate jumps, but the team expects keeper‑based updates to limit the exposure; all other findings are low‑risk or informational and have been addressed in the reviewed commit. |
ChainSecurity03-07-2024 - 31-07-2024 |
| ChainSecurity's audit found a high level of security in the SparkDAO Governance Relay, with no critical or high severity issues reported, though the guardian's cancellation power could allow governance DoS on L2. |
Cantina Managed19-08-2024 |
| The audit identified only informational issues, all of which were either fixed or acknowledged by the development team, indicating a robust security posture for the reviewed code. |
Cantina Managed21-08-2024 - 22-08-2024 |
| The review uncovered no critical or high‑severity vulnerabilities, and the identified medium‑risk issue is acknowledged as an edge case that the team expects to manage via contract‑level logic. Overall, the audit indicates a relatively secure implementation with typical risks for a PSM module. |
ChainSecurity10-09-2024 - 21-10-2024 |
| The audit identified one high-severity pocket accounting issue that was fixed, resulting in a codebase with high security assurance and no open critical, medium, or low vulnerabilities. |
Cantina Managed16-10-2024 - 18-10-2024 |
| The review found only minor informational issues, with no critical or high severity vulnerabilities, indicating the Spark PSM changes are relatively secure after the fixes. |
Cantina Managed26-08-2025 - 01-09-2025 |
| The review found only low-risk and informational issues, all of which were addressed or acknowledged, suggesting the Spark Vaults v2 codebase is relatively secure with no critical vulnerabilities. |
ChainSecurity09-09-2025 |
| ChainSecurity concluded the codebase provides a high level of security, with no open critical, high, or medium findings and only one low-severity issue resolved during the engagement. |
Cantina Managed26-08-2025 - 01-09-2025 |
| The review found only low-risk and informational issues, all of which were addressed or acknowledged, indicating a relatively secure codebase with no critical flaws remaining. |
ChainSecurity22-08-2025 - 01-10-2025 |
| ChainSecurity found no critical, high, or medium severity vulnerabilities, with one low-severity issue resolved during the engagement, concluding the codebase provides a high level of security. |
Cantina Managed02-03-2026 - 10-03-2026 |
| The audit identified one low-risk and two informational issues, all of which were acknowledged and addressed, leaving no critical or high-severity vulnerabilities in the reviewed code. |
ChainSecurity26-02-202603-03-2026 |
| The audit found only informational issues, all acknowledged by the team, indicating a high level of security for the Spark Savings Intents contracts. |
Cantina16-09-2024 - 17-09-2024 |
| The audit found no security vulnerabilities in the sUSDS token implementation, indicating a clean security posture for the reviewed code at the time of assessment. |
ChainSecurity30-09-2024 |
| ChainSecurity's audit found no open security issues, indicating a robust implementation of the Savings USDS system with all identified findings resolved or acknowledged as informational. |
ChainSecurity12-12-2022 - 12-01-2023 |
| ChainSecurity's audit found no security vulnerabilities, only minor gas optimizations, indicating a robust implementation of the Savings Dai (sDAI) wrapper with high security assurance. |
ChainSecurity12-08-2025 |
| ChainSecurity's audit concludes the stUSDS codebase provides high security, with no open findings of critical, high, medium, or low severity reported in the accessible sections, though design notes caution about slashing, withdrawal constraints, and integration considerations. |
Cantina Managed28-07-2025 - 08-08-2025 |
| The review found only a minor informational discrepancy in ERC-4626 preview function behavior, with no critical or high-severity vulnerabilities identified, indicating a robust security posture for the stUSDS implementation. |
Legal
Legal form
Company (Inc.)
Registration jurisdiction
Panama (registered office: PH The Century Tower, Via Ricardo J. Alfaro, Office 317, Panama City)
Status and notes
Operating entity disclosed as Spark.fi Inc., incorporated in Panama. Privacy Policy and Terms of Service identify this company as site operator. For SPK token, MiCA disclosures list Spark Foundation (Cayman Islands) for admission to trading and SPK Company Ltd. (British Virgin Islands) for token offer.