Sign in

Bug Bounties
Made Simple.

Cantina Bounties enables protocols to protect code in production by leveraging the best network of security researchers and the Cantina Code platform.

Enroll in Cantina Bounties
Hero Image

See documentation →

How it works

Best Talent

Access the best talent Web3 has to offer including direct access to thousands of researchers from industry-leading firms such as Spearbit.

Efficient Process

Cantina Code was built around bettering the client experience. Simply put — less spam, higher signal findings, and less overhead for you and your team.

Highest Signal

Through quality-gating mechanisms and LLM-based de-duplication, we reduce low-effort and spam submissions from overloading protocols.

Bounty cover

Morpho

Live

What is Morpho

Morpho Blue and MetaMorpho form part of the vision to rebuild decentralized lending in layers, with MetaMorpho enabling any lending experience to be rebuilt on a shared and immutable base layer: Morpho Blue.

Morpho Blue is a trustless lending primitive that offers unparalleled efficiency and flexibility. It enables the creation of isolated lending markets by specifying any loan asset, any collateral asset, a liquidation LTV (LLTV), an oracle, and an interest rate model.

Visit the docs for a complete project overview.

https://morpho.org/

Smart Contracts in Scope

Morpho Blue

Morpho Blue

Name (address link)Repo
Morpho Bluegithub.com/morpho-org/morpho-blue
Adaptive Curve Irmgithub.com/morpho-org/morpho-blue-irm
Morpho Chainlink Oracle V2 Factorygithub.com/morpho-org/morpho-blue-oracles

MetaMorpho

Name (address link)Repo
MetaMorpho Factorygithub.com/morpho-org/metamorpho
Public Allocatorgithub.com/morpho-org/public-allocator

Rewards

Name (address link)Repo
Market Rewards Program Registrygithub.com/morpho-org/morpho-blue-rewards-emissions
Rewards Emission Data Providergithub.com/morpho-org/morpho-blue-rewards-emissions
Universal Rewards Distributor Factorygithub.com/morpho-org/universal-rewards-distributor

Bundlers

Name (address link)Repo
EthereumBundlermorpho-org/morpho-blue-bundlers
AaveV2MigrationBundlermorpho-org/morpho-blue-bundlers
AaveV3MigrationBundlermorpho-org/morpho-blue-bundlers
AaveV3OptimizerMigrationBundlermorpho-org/morpho-blue-bundlers
CompoundV2MigrationBundlermorpho-org/morpho-blue-bundlers
CompoundV3MigrationBundlermorpho-org/morpho-blue-bundlers

Morpho Optimizers

Name (address link)Repo
Morpho Proxy (Compound)github.com/morpho-org/morpho-v1-deprecated
Morpho (Compound)github.com/morpho-org/morpho-v1-deprecated
PositionsManager (Compound)github.com/morpho-org/morpho-v1-deprecated
InterestRatesManager (Compound)github.com/morpho-org/morpho-v1-deprecated
RewardsManager Proxy (Compound)github.com/morpho-org/morpho-v1-deprecated
Morpho Proxy (AaveV2)github.com/morpho-org/morpho-v1-deprecated
RewardsManager (Compound)github.com/morpho-org/morpho-v1-deprecated
Morpho (AaveV2)github.com/morpho-org/morpho-v1-deprecated
EntryPositionsManager (AaveV2)github.com/morpho-org/morpho-v1-deprecated
ExitPositionsManager (AaveV2)github.com/morpho-org/morpho-v1-deprecated
InterestRatesManager (AaveV2)github.com/morpho-org/morpho-v1-deprecated
Morpho Proxy (AaveV3 ETH eMode)github.com/morpho-org/morpho-aavev3-optimizer
Morpho (AaveV3 ETH eMode)github.com/morpho-org/morpho-aavev3-optimizer
PositionsManager (AaveV3 ETH eMode)github.com/morpho-org/morpho-aavev3-optimizer
ma3WETH Vault Proxygithub.com/morpho-org/morpho-aavev3-optimizer
ma3WETH Vaultgithub.com/morpho-org/morpho-aavev3-optimizer
Morpho Admin (DAO)
Delay Modifier (DAO)
Role Modifier (DAO)
Morpho Token (DAO)
Operator (DAO)

Severity Definitions

Smart Contracts

Severity levelImpact: HighImpact: Medium
Likelihood:high$555,555.00$100,000.00
Likelihood:medium$100,000.00-

Out of Scope (all repositories)

Known Issues

Known issues from previous security reviews are considered out of scope.

Note that the metamorpho repository also gathers the findings on all periphery contracts from the Cantina competition.

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol. For example, the ability to deploy permissionless pools.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • COMP rewards can be claimed as part of the reserve factor if COMP is listed as market.
  • Someone can repay on behalf of Morpho.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.
  • Some contracts are not set yet (eg: IncentivesVault).
  • Manipulation of the matching engine. Here are some examples:
    • Split large amounts: On Morpho, pure supplier whales are always in the first positions of data structures and constantly matched/unmatched. What is possible to do is to supply a large amount with a first account. Borrow-repay (free), to match itself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge liquidity matched splitted across multiple accounts.
    • Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it’s possible to supply enough to become the first user waiting to be matched. Then borrow-repay (free), to match peer-to-peer the user itself as well as the second one. Then withdraw the flasloaned amount and end the tx. The user is thus matched peer-to-peer.

All other issues acknowledged in the audits in this repo: https://github.com/morpho-dao/morpho-v1/ and https://github.com/morpho-dao/morpho-aave-v3

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.

$555,555 USDC

Starts on 27 Mar 2024

View Bounty

The first marketplace for web3 security. We've aggregated the security talent and solutions so you don't have to.

Services

CompetitionsReviewsBountiesGuilds

© 2024 Cantina. All rights reserved.