
Case Study: Morpho

Cantina Bouncer

Jun 24, 2024


This article is a case study of how Morpho partnered with Cantina, a transparent, efficient, and industry-leading security marketplace for protocols incubated by Spearbit, to secure its lending protocol at multiple stages of its development lifecycle.

Key Stakeholders

Below are the key stakeholders involved in the engagement.

Morpho

Morpho is a decentralized lending protocol with different entities and individuals contributing to its development and adoption, with Morpho Blue being the most recent protocol version. The protocol is implemented as an immutable smart contract, engineered to serve as a trustless base layer for lenders, borrowers, and applications. This aims to offer greater efficiency and flexibility than existing lending platforms, with its primitive design making it an ideal building block for users and dApps.

Spearbit

Spearbit is a distributed, industry-leading blockchain security services firm that pairs protocols with top security researchers who have deep subject-matter expertise in Web3 security, in order to identify vulnerabilities in an ever-evolving landscape. Spearbit serves as a node in the ever-expanding Cantina network.

Cantina

Cantina is an efficient security marketplace incubated by Spearbit that provides protocols with access to leading security service providers, high-signal crowdsourced security reviews called competitions, and dynamic price transparency across Web3 security’s top talent pool.

Context and Value Alignment

Over the span of two years, Morpho has consistently called on Spearbit and Cantina to augment their security efforts. Morpho shares Spearbit and Cantina’s ethos about the need for a multi-faceted approach to security, and regards it as a non-negotiable in their mission of reaching $1B TVL. The team’s dedication to maintaining top-tier security standards is evident in their utilization of various internal and external measures, such as formal verification, mutation tests, unit testing, peer reviews, security reviews, competitions, and pre/post-deployment bounties. With the desire to implement best-in-class security measures throughout their development lifecycle, Morpho is the ideal client for the tailored security solutions provided by Spearbit and Cantina.

Since March 2022, the collaboration between Spearbit, Cantina, and Morpho has culminated in eight engagements, demonstrating their preference for our expertise and services.

[Figure: Morpho timeline]

The Approach

Below we have highlighted the approach taken by Morpho in conjunction with Spearbit and Cantina to meet their desired security goals.

The strongest security strategy is that which diversifies defenses against potential vulnerabilities, at multiple stages throughout the development lifecycle. In the Spearbit review stage, aspects such as smart contracts, architecture and developmental frameworks are scrutinized by expert security researchers, ensuring foundational integrity. Competitions and bug bounties hosted by Cantina then incentivise external security researchers to bring their own unique perspectives to specific areas of the code, tapping into a broader pool of security expertise. Together, these measures create a comprehensive security strategy, increasing the overall resilience of Morpho’s smart contracts.

[Figure: Morpho approach]

The Assessment

Spearbit conducted multiple security reviews for Morpho between March 2022 and June 2023. These were conducted by the following security researchers:

  • Cmichel
  • Stermi
  • JayJonah8
  • Datapunk
  • Reentrant

Over that period of time, the researchers identified a total of 152 issues. A breakdown of their risk classification is below:

  • Critical risk: 8
  • High risk: 13
  • Medium risk: 35
  • Low risk: 22
  • Gas optimizations: 12
  • Informational: 62

As a means of maximizing the contextual knowledge and understanding of Morpho’s codebase, the same researchers were maintained over the entirety of the engagements. This allowed the security researchers to become intimately familiar with the code, empowering them to become increasingly creative in their attacker mentalities. A demonstration of this was Stermi going above and beyond to find vulnerabilities in external code that Morpho was dependent on.

Through Cantina, Morpho hosted two competitions: one for Morpho Blue, and one for MetaMorpho, each with a $100,000 USDC prize pot. Across the two competitions, Cantina researchers found:

  • High risk: 1
  • Medium risk: 21
  • Low risk: 264
  • Gas optimizations: 46
  • Informational: 319

Spearbit and Cantina’s experience with Morpho

Morpho was praised by the security researchers involved for their dedication to security consciousness and exemplary code quality. Over the course of the reviews, the team highlighted Morpho’s meticulous approach to even the most minor of issues, showcasing a genuine willingness to delve deep into discussions, ensuring every aspect of security is addressed with utmost seriousness.

In regards to the codebase, the researchers noted that it was evident Morpho prioritizes simplicity within its core product. This approach not only enhances the maintainability of the code but also fosters a robust foundation for future development. By relegating intricate UI/UX elements and complexities to peripheral contracts, Morpho ensures that the core remains streamlined, reflecting a strategic architectural decision aimed at long-term sustainability and security.

An additional note was made by the team of researchers that the internal review process at Morpho stood out for its effectiveness and thoroughness. Their commitment to rigorous internal assessments is yet another demonstration of their overarching dedication to security.

[Figure: cmichel quote]

Morpho’s experience with Spearbit and Cantina

At Morpho, we have a very streamlined approach to development: The simpler, the better. Include only the essential and externalize the rest. Every line of code and every deployment we make needs to have a good justification behind it. On top of that, we have a rule that every line of code deployed must have been audited and externally reviewed at least once by a tier 1 security company. This is how we maintain a truly scalable and secure product, which has been our goal since the inception of Morpho.

Our tier 1 security company of choice has been Spearbit/Cantina, which have both been critical in ensuring the security of all Morpho protocols. Every version has been reviewed at least once by either of the two entities, and each time they continue to impress us in regards to their skills and knowledge.

One highlight of working with the teams at Spearbit and Cantina has been the collaborative nature. Security researchers and engineers from the Morpho team can work together on the platform to discuss issues, comment, and learn from one another. It’s a truly interactive experience which doesn’t exist in other security companies, and leads to a more complete understanding of the codebase for the researchers. This means that they can apply their expertise in finding obtuse vulnerabilities that may have otherwise been overlooked.

[Figure: Merlin quote]

Conclusion

The unwavering prioritization of security from Morpho’s team has had a hugely beneficial impact on their project’s trajectory, as well as the overarching security researcher experience. When presented with streamlined architecture, an open and responsive team, and robust documentation, security researchers are empowered to apply their expertise to every aspect of a codebase, allowing for a truly comprehensive evaluation. With the repeated engagements, a symbiotic relationship formed, increasing in strength with each interaction.

In the review stage, this repetition enabled researchers to explore increasingly creative ways to hypothetically exploit the protocol, ensuring that even the most obtuse attack vectors were considered. Post-reviews, this meant that funds and resources allocated to competitions and bounties were utilized to maximum effect. With such comprehensive evaluations taking place previously, security researchers in these two stages need to bring fresh, diverse perspectives to the table to be rewarded.

Overall, this collaborative approach has enabled and incentivized Spearbit and Cantina researchers to conduct the deepest possible evaluation of Morpho's protocol, fostering innovation and excellence in security.

Secure your protocol today

Spearbit and Cantina are your go-tos for comprehensive end-to-end security. Looking to secure your protocol? Let’s talk. We can have a full quote turned around for you within 24 hours, catered exactly to your project’s needs. Request a quote here.
