Morpho
Morpho Blue and MetaMorpho form part of the vision to rebuild decentralized lending in layers, with MetaMorpho enabling any lending experience to be rebuilt on a shared and immutable base layer: Morpho Blue.
Morpho Blue is a trustless lending primitive that offers unparalleled efficiency and flexibility. It enables the creation of isolated lending markets by specifying any loan asset, any collateral asset, a liquidation LTV (LLTV), an oracle, and an interest rate model.
Visit the docs for a complete project overview.
Smart Contracts in Scope
Morpho Blue
| Name (address link) | Repo |
|---|---|
| Morpho Blue | github.com/morpho-org/morpho-blue |
| Adaptive Curve IRM | github.com/morpho-org/morpho-blue-irm |
| Morpho Chainlink Oracle V2 Factory | github.com/morpho-org/morpho-blue-oracles |
MetaMorpho
| Name (address link) | Repo |
|---|---|
| MetaMorpho Factory | github.com/morpho-org/metamorpho |
| Public Allocator | github.com/morpho-org/public-allocator |
Rewards
Bundlers
Morpho Optimizers
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood: high | $555,555.00 | $100,000.00 |
| Likelihood: medium | $100,000.00 | - |
Out of Scope (all repositories)
Known Issues
Known issues from previous security reviews are considered out of scope.
- morpho-org/morpho-blue/tree/main/audits
- morpho-org/metamorpho/tree/main/audits
- morpho-org/morpho-blue-bundlers/tree/main/audits
- morpho-optimizers/security/audits
Note that the metamorpho repository also gathers the findings on all periphery contracts from the Cantina competition.
Specific Types of Issues
- Informational findings.
- Design choices related to the protocol. For example, the ability to deploy permissionless pools.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- COMP rewards can be claimed as part of the reserve factor if COMP is listed as a market.
- Someone can repay on behalf of Morpho.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
- Some contracts are not set yet (e.g. IncentivesVault).
- Manipulation of the matching engine. Here are some examples:
- Split large amounts: On Morpho, pure supplier whales always occupy the first positions of the data structures and are constantly matched/unmatched. It is possible to supply a large amount with a first account, borrow and repay (free) so that the account is matched against itself, and then withdraw enough of the supply to be inserted in the FIFO part of the data structure. The final result is a huge amount of matched liquidity split across multiple accounts.
- Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before them. With a flash loan, it is possible to supply enough to become the first user waiting to be matched, then borrow and repay (free) to match peer-to-peer both the user itself and the second one, then withdraw the flash-loaned amount and end the transaction. The user is thus matched peer-to-peer.
All other issues acknowledged in the audits in these repos: https://github.com/morpho-dao/morpho-v1/ and https://github.com/morpho-dao/morpho-aave-v3
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using Foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.
Summary
Status: Live
Total reward:
$555,555 USDC
Start date:
27 Mar 2024 6:37pm (local time)