
Morpho

Morpho Blue and MetaMorpho form part of the vision to rebuild decentralized lending in layers, with MetaMorpho enabling any lending experience to be rebuilt on a shared and immutable base layer: Morpho Blue.

Morpho Blue is a trustless lending primitive that offers unparalleled efficiency and flexibility. It enables the creation of isolated lending markets by specifying any loan asset, any collateral asset, a liquidation LTV (LLTV), an oracle, and an interest rate model.

Visit the docs for a complete project overview.

Smart Contracts in Scope

Morpho Blue

Morpho Blue

Name (address link) | Repo
Adaptive Curve
Morpho Chainlink Oracle V2

Name (address link) | Repo
Market Rewards Program
Rewards Emission Data
Universal Rewards Distributor
Morpho Optimizers

Name (address link) | Repo
Morpho Proxy (Compound)
Morpho (Compound)
PositionsManager (Compound)
InterestRatesManager (Compound)
RewardsManager Proxy (Compound)
Morpho Proxy (AaveV2)
RewardsManager (Compound)
Morpho (AaveV2)
EntryPositionsManager (AaveV2)
ExitPositionsManager (AaveV2)
InterestRatesManager (AaveV2)
Morpho Proxy (AaveV3 ETH eMode)
Morpho (AaveV3 ETH eMode)
PositionsManager (AaveV3 ETH eMode)
ma3WETH Vault
Morpho Admin (DAO)
Delay Modifier (DAO)
Role Modifier (DAO)
Morpho Token (DAO)
Operator (DAO)

Severity Definitions

Smart Contracts

Severity level | Impact: High | Impact: Medium

Out of Scope (all repositories)

Known Issues

Known issues from previous security reviews are considered out of scope.

Note that the metamorpho repository also gathers the findings on all periphery contracts from the Cantina competition.

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol. For example, the ability to deploy permissionless pools.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • COMP rewards can be claimed as part of the reserve factor if COMP is listed as a market.
  • Someone can repay on behalf of Morpho.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.
  • Some contracts are not set yet (eg: IncentivesVault).
  • Manipulation of the matching engine. Here are some examples:
    • Split large amounts: On Morpho, pure supplier whales are always in the first positions of the data structures and are constantly matched/unmatched. It is possible to supply a large amount with a first account, borrow and repay (free) to match itself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge amount of matched liquidity split across multiple accounts.
    • Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it is possible to supply enough to become the first user waiting to be matched. Then borrow and repay (free) to match peer-to-peer the user itself as well as the second one. Then withdraw the flashloaned amount and end the transaction. The user is thus matched peer-to-peer.

All other issues acknowledged in the audits in this repo: and

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.


Total reward: $555,555 USDC

Start date: 27 Mar 2024 6:37pm (local time)

© 2024 Cantina. All rights reserved.