← back to lessons

Lesson: "permissioned protocol" curating a permissionless venue is STILL curator-risk

Banked: 2026-06-11 (SEAMS lane, 24h-rule follow-up resolving the prior PT-linear-discount lesson's STAGE-candidate hypothesis) Status: scoping-boundary calibration. WALK-CLEAN. Closes the open "probe Spark's deployment next" thread.

TL;DR

The prior lesson (pt-linear-discount-oracle-seam) said: "linear-discount + missing depeg feed on Morpho = advisory; the SAME config inside a permissioned, governance-listed protocol (SparkLend/Sky) WOULD be a protocol finding - go probe Spark next."

Probed Spark. Resolution: Spark does NOT wire PT + the linear oracle into its in-scope governance-permissioned lending pool. It keeps ALL PT exposure inside a SEPARATE MetaMorpho vault on permissionless Morpho Blue. A governance entity (SparkDAO) curating a permissionless venue does NOT convert curator-risk into a protocol finding. The scope boundary is the VENUE/ENGINE the param lives in, not the identity of who set it.

The decisive distinction (refines the prior WALK-vs-STAGE rule)

The prior rule asked "who chose the oracle - anonymous creator or governance?" That is necessary but NOT sufficient. The sharper rule:

WALK-vs-STAGE hinges on the ENGINE the parameter lives in, not the chooser's identity: - Param on the protocol's OWN in-scope contract (e.g. a SparkLend Aave-fork reserve listed by POOL_CONFIGURATOR) -> protocol owns it -> in-scope candidate. - Param on a permissionless THIRD-PARTY engine (Morpho Blue market / MetaMorpho vault), even if a governance DAO is the curator -> the third-party engine's permissionless model governs scope -> curator-risk -> WALK for the DAO's own program.

A DAO can wear two hats: (1) protocol-governor of its own contracts (in-scope), (2) curator/allocator on someone else's permissionless rails (out-of-scope, accepted-risk model). Resolve WHICH hat before STAGE.

How to resolve it fast (recipe)

  1. Get the protocol's in-scope asset list from its Immunefi page. Note the contract CATEGORIES (pool, configurator, debt tokens, PSM, ALM). If MetaMorpho/Morpho vaults are NOT listed, PT-in-a-vault is out.
  2. Read the protocol's OWN lending pool reserve list on-chain (getReservesList() for Aave-forks). If it has no PT, mechanism (a) is dead - the conservative governance collateral set is itself the mitigation.
  3. Find where the PT actually lives. For Sky/Spark: the SparkDAO-curated "Spark DAI Vault" MetaMorpho 0x73e65DBD630f90604062f6E02fAb9138e713edD9 (owner = SparkDAO proxy 0x3300f198988e4C9C63F75dF86De36421f06af8c4) on Morpho Blue 0xBBBB...FFCb. Enumerate withdrawQueue -> idToMarketParams -> flag PT collateral, read the oracle's BASE_FEED_1/2.
  4. Confirm the engine: MetaMorpho on Morpho Blue = permissionless = curator-risk. Distinct from the protocol's own pool address.

Three independent WALK reasons stacked here (any one suffices)

  1. Wrong engine: PT lives on permissionless Morpho, not the in-scope SparkLend pool.
  2. No live exposure: every Spark PT market is MATURED (oracle pinned at par 1e18) and the vault is wound down (~$766 total, PT allocations <$500). The time-discount over-valuation direction is mathematically gone post-maturity.
  3. Named scope exclusion: Spark's Immunefi excludes "incorrect data supplied by third party oracles" AND "depegging of an external stablecoin where the attacker does not directly cause the depegging" - the exact mechanism.

Negative-result calibration (compounds the prior lesson)

Reusable addresses / heuristics

Generated 2026-07-02 13:15:05 UTC | auto-sync /15min