Morpho
@morpho-org
Morpho Blue is an immutable, overcollateralized lending protocol with permissionless market creation. It implements independent lending markets: simple lending pools with exactly one collateral asset and one borrowable asset, priced through an oracle. The interest rate is given by an immutable interest rate model (IRM), and each market is characterized by a fixed Liquidation Loan-to-Value (LLTV). Anyone can create a market with any ERC20 assets and oracle, choosing the LLTV and IRM from a set predefined by governance.
MetaMorpho is a protocol for permissionless lending vaults built on top of Morpho Blue. The Morpho Blue periphery contracts are the other smart contracts of the Morpho Blue ecosystem, MetaMorpho among them.
Morpho Optimizer is a peer-to-peer layer on top of lending pools such as Compound or Aave. Rates are improved for both suppliers and borrowers while preserving the same liquidity and liquidation guarantees as the underlying pool. In short, the Compound Optimizer is an upgraded version of Compound, and the Aave Optimizers are upgraded versions of Aave.
For more information about Morpho, please visit https://morpho.org/. Morpho pays rewards in USDC on Ethereum, denominated in USD. For details about the payment process, see the Severity and Reward levels below.
Scope
Web apps in scope:
- https://app.morpho.org/
- https://aavev2.morpho.org/
- https://aavev3.morpho.org/
- https://compound.morpho.org/
Smart Contracts in Scope
Morpho Blue
MetaMorpho
Name (address link) | Repo |
---|---|
MetaMorpho Factory | github.com/morpho-org/metamorpho |
Public Allocator | github.com/morpho-org/public-allocator |
MetaMorpho v1.1 | github.com/morpho-org/metamorpho-v1.1 |
Rewards
Bundlers
Bundler3
Morpho Optimizers
Deployments of all the above contracts, in every listed version, on the following chains are also in scope:
- Ethereum Mainnet
- Base
- Arbitrum
- Fraxtal
- Ink
- OP Mainnet
- PolygonPOS
- Scroll
- WorldChain
- Unichain
- Sonic
- Hemi
- Mode
- Corn
Please find the relevant addresses listed here: https://docs.morpho.org/addresses/
Severity Definitions
Smart Contracts severity levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood: high | Critical | High | - |
Likelihood: medium | High | - | - |
Likelihood: low | - | - | - |
Rewards
Rewards for Smart Contract Bugs
Severity | Reward Amount |
---|---|
Critical | $2,500,000 |
High | $50,000 |
Reward Levels
- Critical:
  - Morpho Blue contracts: up to $2,500,000, minimum payout $250,000. Rewards are further capped at 10% of the direct funds at risk at the time the bug is reported.
  - MetaMorpho and other Morpho Blue periphery contracts: up to $1,500,000, minimum payout $150,000. Rewards are further capped at 10% of the direct funds at risk at the time the bug is reported.
  - Morpho Optimizer contracts: up to $555,000, minimum payout $55,000. Rewards are further capped at 10% of the direct funds at risk at the time the bug is reported.
- High:
  - Up to $50,000, minimum payout $10,000.
  - In case of a temporary freeze of funds, the reward is proportional to the amount of funds locked and increases with the duration of the freeze, up to the High severity cap.
Rewards for Website and Application Bugs
Severity | Reward Amount |
---|---|
Critical | $50,000 |
High | $5,000 |
- Critical:
  - Morpho Blue app (app.morpho.org): up to $50,000, minimum payout $10,000. The maximum payout of $50,000 applies only if the attack results in a loss of funds without any user interaction, or otherwise gains unauthorized access to funds; all other critical impacts are capped at $10,000.
  - All other apps: up to $10,000, minimum payout $5,000. The maximum payout of $10,000 applies only if the attack results in a loss of funds without any user interaction, or otherwise gains unauthorized access to funds; all other critical impacts are capped at $5,000.
Out of Scope (all repositories)
Known Issues
Bug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to fix, issues for which the necessary code changes have already been identified, and issues for which operational mitigations that lessen the risk have been put in place. Every issue opened in the repositories below, every closed PR, and every finding from previous contests and audits is out of scope.
- https://github.com/morpho-org/morpho-blue
- https://github.com/morpho-org/morpho-blue-irm
- https://github.com/morpho-org/morpho-blue-oracles
- https://github.com/morpho-org/metamorpho
- https://github.com/morpho-org/universal-rewards-distributor
- https://github.com/morpho-org/public-allocator
- https://github.com/morpho-org/morpho-blue-bundlers
- https://github.com/morpho-org/bundler3
- https://github.com/morpho-org/metamorpho-v1.1
- https://github.com/morpho-org/pre-liquidation
Previous Audits:
Morpho’s completed audit reports can be found at https://docs.morpho.org/security-reviews/. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol. For example, the ability to deploy permissionless pools.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- COMP rewards can be claimed as part of the reserve factor if COMP is listed as a market.
- Someone can repay on behalf of Morpho.
- Relatively high gas consumption.
- Vulnerabilities that only manifest under extreme market turmoil.
- Some contracts are not set yet (eg: IncentivesVault).
- Manipulation of the matching engine. Examples:
  - Split large amounts: on Morpho, pure supplier whales are always in the first positions of the data structure and are constantly matched/unmatched. A whale can supply a large amount from a first account, borrow-repay (free) to match itself, then withdraw enough of the supply to be inserted in the FIFO part of the data structure. The end result is a large matched liquidity split across multiple accounts.
  - Flash loan to enter peer-to-peer: a user is waiting in the FIFO part of the pool data structure because larger users are placed ahead of it. With a flash loan the user can supply enough to become the first user waiting to be matched, then borrow-repay (free) to match itself peer-to-peer, together with the second user, then withdraw the flash-loaned amount and end the transaction. The user ends up matched peer-to-peer.
All other issues acknowledged in the audits in this repo:
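Both matching-engine manipulations listed above rest on one property of the queue: a supplier is inserted in sorted order only if it beats one of the first few (largest) entries, otherwise it is appended to a FIFO tail, and matching always consumes the list from the head. The Python model below is added here as an illustration and is not Morpho's own code; it replays the "flash loan to enter peer-to-peer" sequence on a constructed queue of three whales and one small supplier, and the "split large amounts" trick relies on the same bounded insertion rule (`_place`). Everything beyond that rule is an assumption of the model: integer amounts, no interest or deltas, a borrow-repay round trip treated as a pure promotion of suppliers from the head (borrowers already waiting on the pool absorb the repay), and a peer-to-peer withdrawal that is backfilled by promoting the next suppliers in the queue.

```python
"""Toy model of a bounded-sorted supplier queue and the flash-loan trick.

Added example, not Morpho code. It models only what the out-of-scope notes
state: suppliers waiting on the pool form a list whose first `max_sorted`
positions are ordered largest-first, whose remainder is FIFO, and which
matching consumes from the head. Everything else is an assumption of this
model: integer amounts, no interest or deltas, a borrow-repay round trip
treated as a pure promotion of suppliers from the head, and peer-to-peer
withdrawals backfilled by promoting the next suppliers in the queue.
"""
from dataclasses import dataclass


@dataclass(eq=False)  # identity semantics: two suppliers never compare equal
class Supplier:
    name: str
    on_pool: int = 0  # liquidity still waiting in the queue
    in_p2p: int = 0   # liquidity already matched peer-to-peer


class SupplierQueue:
    def __init__(self, max_sorted: int):
        self.max_sorted = max_sorted
        self.order: list[Supplier] = []  # on-pool suppliers, head first

    def _place(self, s: Supplier) -> None:
        """Bounded sorted insert: look at no more than `max_sorted` nodes
        from the head and insert before the first smaller one; if none is
        found inside that window, append to the tail (the FIFO part)."""
        if s in self.order:
            self.order.remove(s)
        if s.on_pool == 0:
            return
        for i, other in enumerate(self.order[: self.max_sorted]):
            if other.on_pool < s.on_pool:
                self.order.insert(i, s)
                return
        self.order.append(s)

    def names(self) -> list[str]:
        return [s.name for s in self.order]

    def supply(self, s: Supplier, amount: int) -> None:
        s.on_pool += amount
        self._place(s)

    def match(self, amount: int) -> int:
        """Promote suppliers from the head until `amount` is matched.
        Returns what could be matched; any shortfall stays on the pool."""
        matched = 0
        for s in list(self.order):
            if matched == amount:
                break
            take = min(s.on_pool, amount - matched)
            s.on_pool -= take
            s.in_p2p += take
            matched += take
            self._place(s)
        return matched

    def borrow_repay(self, amount: int) -> int:
        """The 'borrow-repay (free)' step: the borrow is matched against the
        head of the queue and the repay is assumed to be absorbed by
        borrowers already waiting on the pool, so the promoted suppliers
        stay matched."""
        return self.match(amount)

    def withdraw(self, s: Supplier, amount: int) -> int:
        """Take from the pool balance first; whatever comes out of the
        peer-to-peer balance is backfilled by promoting the next suppliers.
        Returns the part of the backfill that could not be covered."""
        if amount > s.on_pool + s.in_p2p:
            raise ValueError("withdrawing more than supplied")
        from_pool = min(amount, s.on_pool)
        s.on_pool -= from_pool
        self._place(s)
        from_p2p = amount - from_pool
        s.in_p2p -= from_p2p
        return from_p2p - self.match(from_p2p)


def flash_loan_to_enter_p2p(max_sorted: int = 2, flash_loan: int = 20_000) -> dict:
    """Replay the 'flash loan to enter peer-to-peer' sequence on a
    constructed queue: three whales ahead of one small supplier."""
    q = SupplierQueue(max_sorted)
    whales = [Supplier("W1"), Supplier("W2"), Supplier("W3")]
    alice = Supplier("alice")
    for w, amt in zip(whales, (10_000, 8_000, 6_000)):
        q.supply(w, amt)
    q.supply(alice, 50)                  # smaller than the sorted head: FIFO tail
    before = q.names()

    q.supply(alice, flash_loan)          # 1. one big supply jumps to the head
    after_flash = q.names()
    q.borrow_repay(alice.on_pool)        # 2. match herself from the head
    shortfall = q.withdraw(alice, flash_loan)  # 3. pull the loan back; whales backfill
    return {
        "before": before,
        "after_flash_supply": after_flash,
        "alice": (alice.on_pool, alice.in_p2p),
        "whales": {w.name: (w.on_pool, w.in_p2p) for w in whales},
        "queue_after": q.names(),
        "unbackfilled": shortfall,
    }


if __name__ == "__main__":
    for k, v in flash_loan_to_enter_p2p().items():
        print(f"{k}: {v}")
```

Running `flash_loan_to_enter_p2p()` shows alice starting last in the queue, jumping to the head once her balance exceeds the first sorted entry, and ending with her original 50 units matched peer-to-peer while the flash-loaned 20,000 are backfilled by the whales (W3 is left partly on the pool). The page's version sizes the borrow to also match the second supplier; that is the same `borrow_repay` call with a larger amount. The point for a reviewer is that nothing in the sequence is an error: each step is a legitimate operation, which is why the project lists it as a known, out-of-scope property of the design rather than a bug.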
Eligibility:
To participate in this program, security researchers must comply with the rules of engagement and must not:
- Be listed on OFAC's SDN list
- Have been an official contributor, either past or present
- Be employees or individuals closely associated with the project
- Be security auditors who directly or indirectly participated in the audit review
Morpho will require KYC information for processing payments on successful bug submissions. The following details must be provided:
- Full name
- Date of birth
- A copy of your passport or other government-issued ID
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments. Test on local forks instead, for example with Foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.
Total reward: $2,500,000
Findings submitted: 42
Start date: Mar 27, 2024