Morpho

@morpho
Live

Maximum reward: $2,500,000

| Severity | Max. Reward |
|----------|-------------|
| Critical | $2,500,000  |
| High     | $50,000     |
| Medium   | $10,000     |
| Low      | $3,000      |

No deposit required

Findings submitted: 172

Start date: 27 Mar 2024

In scope

| Severity | Min and Max Reward     |
|----------|------------------------|
| Critical | $150,000 to $1,500,000 |
| High     | $10,000 to $50,000     |
| Medium   | $3,000 to $10,000      |
| Low      | $1,000 to $3,000       |

Morpho V2 Smart Contracts in Scope.

Vault V2

Vault V2 Smart Contracts

  • VaultV2Factory
    Repository: https://github.com/morpho-org/vault-v2/tree/2f0c4a3885160371369362f624d2a6e9c94c399a/src
  • MorphoMarketV1AdapterV2Factory
    Repository: https://github.com/morpho-org/vault-v2/tree/21910a002d69ca27b0b622a64c30e7d6e4b49e6c/src
  • MorphoVaultV1AdapterFactory
    Repository: https://github.com/morpho-org/vault-v2/tree/2f0c4a3885160371369362f624d2a6e9c94c399a/src
  • Morpho Registry
    Repository: https://github.com/morpho-org/vault-v2-adapter-registries/tree/d3b239ba9445099fba19109629d9bb9c7c4709f9/src

Out of scope

Out of Scope Smart Contract

  • Known issues, known limitations, documented risks and behaviors are out of scope.
  • Issues resulting solely from deployer or curator parameter choices or configuration decisions. Researchers should notify the relevant deployer or curator via their relevant security contact or Bug Bounty program.
  • Design choices of the protocols.
  • Attacks with crazy high gas consumption.
  • Extreme market turmoil vulnerability.
  • Bugs in third party contracts or applications that use Morpho contracts.

Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope. This includes but is not limited to:

  • Scenarios covered by documented risks on docs.morpho.org (e.g. Faulty Oracles)
  • NatSpec/comments
  • README
  • PRs
  • Issues
  • Audit and competition reports, such as the audits listed here
  • Bug Bounty reports