Morpho

@morpho (Live)

Maximum reward: $2,500,000

Severity | Max. Reward
Critical | $2,500,000
High | $50,000
Medium | $10,000
Low | $3,000

No deposit required
Findings submitted: 164
Start date: 27 Mar 2024

Morpho is an open lending network, powered by various protocols (listed below), that connects lenders and borrowers to the best opportunities globally. Businesses integrate Morpho's neutral infrastructure to power lending or borrowing products at scale, including embedded crypto-backed loans and earn products.

Morpho V2 follows a similar architecture to Morpho V1, featuring two protocols: Morpho Markets V2, a protocol for fixed-rate, fixed-term loans (not yet live), and Morpho Vaults V2, a more general lending vault architecture that can allocate to any protocol via adapters.

Morpho V1: A dual-layer permissionless architecture consisting of Morpho Markets V1 (otherwise known as Morpho Blue), a protocol for creating simple lending markets, and Morpho Vaults V1 (otherwise known as MetaMorpho), a protocol for building lending vaults exclusively on top of Markets V1.

[Deprecated] Morpho V0: A peer-to-peer optimization layer built on top of existing lending protocols, designed to improve the rate users receive while maintaining the same risk parameters.

For more information about Morpho, please visit https://morpho.org/. Morpho provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Severity and Reward levels below.

Scope

Web apps in scope:

Smart Contracts in Scope

Morpho V2

Vault V2

Name (address link) | Repo
VaultV2Factory | github.com/morpho-org/vault-v2
MorphoMarketV1AdapterV2Factory | github.com/morpho-org/vault-v2
MorphoVaultV1AdapterFactory | github.com/morpho-org/vault-v2
Morpho Registry | github.com/morpho-org/vault-v2-adapter-registries

Morpho V1 (Morpho Blue)

Morpho V1

Name (address link) | Repo
Morpho Blue | github.com/morpho-org/morpho-blue
Adaptive Curve Irm | github.com/morpho-org/morpho-blue-irm
Morpho Chainlink Oracle V2 Factory | github.com/morpho-org/morpho-blue-oracles
Pre-Liquidation | github.com/morpho-org/pre-liquidation/tree/main

Vault V1 (MetaMorpho)

Name (address link) | Repo
MetaMorpho Factory | github.com/morpho-org/metamorpho
Public Allocator | github.com/morpho-org/public-allocator
Metamorpho v1.1 | github.com/morpho-org/metamorpho-v1.1

Rewards

Name (address link) | Repo
Market Rewards Program Registry | github.com/morpho-org/morpho-blue-rewards-emissions
Rewards Emission Data Provider | github.com/morpho-org/morpho-blue-rewards-emissions
Universal Rewards Distributor Factory | github.com/morpho-org/universal-rewards-distributor

Bundlers

Name (address link) | Repo
EthereumBundler | morpho-org/morpho-blue-bundlers
AaveV2MigrationBundler | morpho-org/morpho-blue-bundlers
AaveV3MigrationBundler | morpho-org/morpho-blue-bundlers
AaveV3OptimizerMigrationBundler | morpho-org/morpho-blue-bundlers
CompoundV2MigrationBundler | morpho-org/morpho-blue-bundlers
CompoundV3MigrationBundler | morpho-org/morpho-blue-bundlers

Bundler3

Name (address link) | Repo
Bundler3 | morpho-org/bundler3
ParaswapAdapter | morpho-org/bundler3
AaveV3MigrationAdapter "Core" | morpho-org/bundler3
AaveV3MigrationAdapter "Prime" | morpho-org/bundler3
AaveV3MigrationAdapter "EtherFi" | morpho-org/bundler3
CompoundV3MigrationAdapter | morpho-org/bundler3
AaveV3OptimizerMigrationAdapter | morpho-org/bundler3
AaveV2MigrationAdapter | morpho-org/bundler3
CompoundV2MigrationAdapter | morpho-org/bundler3
EthereumGeneralAdapter1 (specific to Ethereum) | morpho-org/bundler3
GeneralAdapter1 (for all other networks) | morpho-org/bundler3
ERC20WrapperAdapter (on Base and Ethereum only for now) | morpho-org/bundler3

Please find the relevant addresses listed here: https://docs.morpho.org/addresses/

Rewards

Risk Classification Matrix

Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low
Likelihood: High | Critical | High | Medium | Low
Likelihood: Medium | High | High | Medium | Low
Likelihood: Low | Medium | Medium | Low | Informational

Details on Bounty severity classification: https://docs.cantina.xyz/cantina-docs/cantina-bounties/bounty-severity-classification

Rewards for Smart Contract Bugs

Severity | Reward Amount
Critical | $2,500,000
High | $50,000

Reward Levels

  • Critical:
    • Market V1 contracts (Morpho-blue, Morpho-blue-irm):
      • Up to $2,500,000, minimum payout $250,000
    • Vault V2, Vault V1 and other contracts:
      • Up to $1,500,000, minimum payout $150,000
  • High:
    • Up to $50,000, minimum payout $10,000
  • Medium:
    • Up to $10,000, minimum payout $3,000
  • Low:
    • Up to $3,000, minimum payout $1,000

Rewards for Website and Application Bugs

Severity | Reward Amount
Critical | $50,000
High | $5,000

  • Critical:
    • Morpho (app.morpho.org)
      • Up to $50,000, minimum payout $10,000
        • The maximum payout of $50,000 applies if the attack results in loss of funds without any user interaction, or if any other attack gains unauthorized access to funds
        • All other impacts are capped at $10,000 for critical severity
    • All other apps
      • Up to $10,000, minimum payout $5,000
        • The maximum payout of $10,000 applies if the attack results in loss of funds without any user interaction, or if any other attack gains unauthorized access to funds
        • All other impacts are capped at $5,000 for critical severity

Eligibility:

To participate in this program, security researchers must comply with the rules of engagement and must not:

  • Be listed on OFAC's SDN list
  • Have been an official contributor, either past or present
  • Be employees or individuals closely associated with the project
  • Be security auditors who directly or indirectly participated in the audit review

Morpho will require KYC information for processing payments on successful bug submissions. The following details must be provided:

  • Full name
  • Date of birth
  • A copy of your passport or other government-issued ID

To be eligible for a reward under this Program, you must:

  • Discover a previously unreported, non-public vulnerability that is not already known to the Morpho team and is within the scope of this Program.
  • Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • Not publicize or exploit a vulnerability in any way, other than through private reporting to us.
  • Refrain from any privacy violations, destruction of data, interruption or degradation of any of the assets in scope.
  • Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
  • Comply with all the rules of the Program, including but not limited to, refraining from engaging in any Prohibited Actions.

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using Foundry.
  • Public disclosure of bugs without the consent of the Morpho team.
  • Conflict of Interest: any individual who is or has ever been employed by Morpho may not participate in the Bug Bounty. Additionally, any individual who has been involved in or contributed to the development of the code of the bug in question may not participate in the Bug Bounty.

Disclosure

The vulnerability must not be disclosed publicly or to any other person, entity or email address before Morpho has been notified, has fixed the issue, and has granted permission for public disclosure.