Morpho
Total reward: $2,500,000
Findings submitted: 78
Start date: 27 Mar 2024
Morpho is an open lending network, powered by various protocols (listed below), that connects lenders and borrowers to the best opportunities globally. Businesses integrate Morpho's neutral infrastructure to power lending or borrowing products at scale, including embedded crypto-backed loans and earn products.
- Morpho V2 follows a similar architecture to Morpho V1, featuring two protocols: Morpho Markets V2, a protocol for fixed-rate, fixed-term loans (not yet live), and Morpho Vaults V2, a more general lending vault architecture that can allocate to any protocol via adapters.
- Morpho V1: A dual-layer permissionless architecture consisting of Morpho Markets V1 (otherwise known as Morpho Blue), a protocol for creating simple lending markets, and Morpho Vaults V1 (otherwise known as MetaMorpho), a protocol for building lending vaults exclusively on top of Markets V1.
- [Deprecated] Morpho V0: A peer-to-peer optimization layer built on top of existing lending protocols, designed to improve the rate users receive while maintaining the same risk parameters.
For more information about Morpho, please visit https://morpho.org/
Morpho provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Severity and Reward levels below.
Scope
Web apps in scope:
- https://app.morpho.org/
- https://aavev2.morpho.org/
- https://aavev3.morpho.org/
- https://compound.morpho.org/
Smart Contracts in Scope
Morpho V2
Vault V2
Morpho V1 (Morpho Blue)
Morpho V1
Vault V1 (MetaMorpho)
Name (address link) | Repo |
---|---|
MetaMorpho Factory | github.com/morpho-org/metamorpho |
Public Allocator | github.com/morpho-org/public-allocator |
Metamorpho v1.1 | github.com/morpho-org/metamorpho-v1.1 |
Rewards
Bundlers
Bundler3
Morpho V0 (Optimizers)
All the above contracts and their versions on the following chains are also included in the scope:
- Ethereum Mainnet
- Abstract
- Arbitrum
- Base
- Bitlayer
- BNB Chain
- Botanix
- Camp
- Celo
- Corn
- Etherlink
- Flame
- Fraxtal
- Gnosis
- Hemi
- HyperEVM
- Ink
- Katana
- Lisk
- Mode
- OP Mainnet
- Plume
- PolygonPOS
- Scroll
- Sei
- Soneium
- Sonic
- TAC
- Unichain
- WorldChain
- Zircuit
Please find the relevant addresses listed here: https://docs.morpho.org/addresses/
Severity Definitions
Smart Contracts severity levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood: high | Critical | High | - |
Likelihood: medium | High | - | - |
Likelihood: low | - | - | - |
Rewards
Rewards for Smart Contract Bugs
Severity | Reward Amount |
---|---|
Critical | $2,500,000 |
High | $50,000 |
Reward Levels
- Critical:
- Morpho V1 (Blue) contracts: Up to $2,500,000, minimum payout $250,000. Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.
- Vault V2, Vault V1 and other Morpho V1 periphery contracts: Up to $1,500,000, minimum payout $150,000. Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.
- Morpho's V0 (Optimizer) contracts: Up to $555,000, minimum payout $55,000. Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.
- High:
- Up to $50,000, minimum payout $10,000.
- In case of a temporary freeze of funds, the reward is proportional to the amount of funds locked and increases with the freeze duration, up to the maximum cap of the High severity level.
Rewards for Website and Application Bugs
Severity | Reward Amount |
---|---|
Critical | $50,000 |
High | $5,000 |
- Critical:
- Morpho Blue (app.morpho.org): Up to $50,000, minimum payout $10,000. The maximum payout of $50,000 applies if the attack results in loss of funds without any user interaction, or to any other attack gaining unauthorized access to funds. All other impacts are capped at $10,000 for critical severity.
- All other apps: Up to $10,000, minimum payout $5,000. The maximum payout of $10,000 applies if the attack results in loss of funds without any user interaction, or to any other attack gaining unauthorized access to funds. All other impacts are capped at $5,000 for critical severity.
Out of Scope (all repositories)
Known Issues
Bug reports covering previously discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to "fix", necessary code changes that are still pending, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repositories, closed PRs, previous contests and audits are out of scope.
- https://github.com/morpho-org/morpho-blue
- https://github.com/morpho-org/morpho-blue-irm
- https://github.com/morpho-org/morpho-blue-oracles
- https://github.com/morpho-org/metamorpho
- https://github.com/morpho-org/universal-rewards-distributor
- https://github.com/morpho-org/public-allocator
- https://github.com/morpho-org/morpho-blue-bundlers
- https://github.com/morpho-org/bundler3
- https://github.com/morpho-org/metamorpho-v1.1
- https://github.com/morpho-org/pre-liquidation
- https://github.com/morpho-org/vault-v2
- https://github.com/morpho-org/vault-v2-adapter-registries
Previous Audits:
Morpho's completed audit reports can be found at https://docs.morpho.org/security-reviews/. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol. For example, the ability to deploy permissionless pools.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- COMP rewards can be claimed as part of the reserve factor if COMP is listed as a market.
- Someone can repay on behalf of Morpho.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
- Some contracts are not set yet (eg: IncentivesVault).
- Manipulation of the matching engine. Here are some examples:
- Split large amounts: On Morpho, pure supplier whales are always in the first positions of the data structures and are constantly matched/unmatched. It is possible to supply a large amount with a first account, borrow-repay (free) to match itself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge matched liquidity split across multiple accounts.
- Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it is possible to supply enough to become the first user waiting to be matched, then borrow-repay (free) to match the user itself as well as the second one peer-to-peer, then withdraw the flashloaned amount and end the tx. The user is thus matched peer-to-peer.
All other issues acknowledged in the audits in this repo:
Eligibility:
To participate in this program, security researchers must comply with the rules of engagement and must not:
- Be listed on OFAC's SDN list
- Have been an official contributor, either past or present
- Be employees or individuals closely associated with the project
- Be security auditors who directly or indirectly participated in the audit review
Morpho will require KYC information for processing payments on successful bug submissions. The following details must be provided:
- Full name
- Date of birth
- A copy of your passport or other government-issued ID
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using Foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.