Morpho

@morpho

Live

Maximum reward

$2,500,000

Severity

Max. Reward

Critical

$2,500,000

High

$50,000

Medium

$10,000

Low

$3,000

No deposit required

Findings submitted

172

Start date

27 Mar 2024

Please sign in as a researcher to join the bounty.

Instructions Scope

In scope

WebApps Morpho V2 Morpho V1 (Morpho Blue)

Severity

Min and Max Reward

Critical

$250,000 to $2,500,000

High

$10,000 to $50,000

Medium

$3,000 to $10,000

Low

$1,000 to $3,000

Morpho V1 (Morpho Blue) Smat Contracts.

Morpho V1

Morpho V1 Smart Contracts.

Name	Description	Asset
Morpho Blue	Repository: https://github.com/morpho-org/morpho-blue/tree/55d2d99304fb3fb930c688462ae2ccabb1d533ad	0xBBBB…FFCb
Adaptive Curve Irm	Repository: https://github.com/morpho-org/morpho-blue-irm/tree/a7d9cce3451b4a106bfd40933ac57a785b5228f3	0x870a…00BC
Morpho Chainlink Oracle V2 Factory	Repository: https://github.com/morpho-org/morpho-blue-oracles/tree/7d638ad5f6d7dd1c2355b42aaca406f0531161f6/src/morpho-chainlink	0x3A7b…d766
Pre-Liquidation	Repository: https://github.com/morpho-org/pre-liquidation/tree/main	https://github.com/morpho-org/pre-liquidation/tree/main

Vault V1 (MetaMorpho)

Vault V1 (MetaMorpho) Smart Contracts.

Name	Description	Asset
MetaMorpho Factory	Repository: https://github.com/morpho-org/metamorpho/tree/c5e758da97d210ede921bf228d37d31e744bd5bf	0xa9c3…1101
Public Allocator	Repository: https://github.com/morpho-org/public-allocator/tree/1994f575aed4097196108f83ee19ca9fb59e6cba/src	0xfd32…c75D
Metamorpho v1.1	Repository: https://github.com/morpho-org/metamorpho-v1.1	https://github.com/morpho-org/metamorpho-v1.1

Rewards

Rewards Smart Contracts.

Name	Description	Asset
Market Rewards Program Registry	Repository: https://github.com/morpho-org/morpho-blue-rewards-emissions/blob/c3517486aaca8090f016b8f18f52b1cc63fa16f0/src/MarketRewardsProgramRegistry.sol	0x5148…CE7D
Rewards Emission Data Provider	Repository: https://github.com/morpho-org/morpho-blue-rewards-emissions/tree/4a46c679ce2b8ed1f263a82e2e78fcf3faf3ca2c	0xf27f…de8e
Universal Rewards Distributor Factory	Repository: https://github.com/morpho-org/universal-rewards-distributor/blob/efa8c4a842222cd214b8c25d8f2173bc41dedc1f/src/UrdFactory.sol	0x9baA…7c8D

Bundlers

Bundlers Smart Contracts.

Name	Description	Asset
EthereumBundler	Repository: https://github.com/morpho-org/morpho-blue-bundlers/tree/5466a6bedc5c9afc37584c0515ddaf51fc095370	0xa799…5107
AaveV2MigrationBundler	Repository: https://github.com/morpho-org/morpho-blue-bundlers/tree/5466a6bedc5c9afc37584c0515ddaf51fc095370	0xb3dc…8e76
AaveV3MigrationBundler	Repository: https://github.com/morpho-org/morpho-blue-bundlers/tree/5466a6bedc5c9afc37584c0515ddaf51fc095370	0x98cc…9bdc
AaveV3OptimizerMigrationBundler	Repository: https://etherscan.io/address/0x98ccb155e86bb478d514a827d16f58c6912f9bdc	0x98cc…9bdc
CompoundV2MigrationBundler	Repository: https://github.com/morpho-org/morpho-blue-bundlers/tree/5466a6bedc5c9afc37584c0515ddaf51fc095370	0x26bf…8647
CompoundV3MigrationBundler	Repository: https://github.com/morpho-org/morpho-blue-bundlers/tree/5466a6bedc5c9afc37584c0515ddaf51fc095370	0x3a0e…9558

Bundler3

Bundler3 Smart Contracts.

Name	Description	Asset
Bundler3	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0x6566…0245
ParaswapAdapter	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0x03b5…C38f
AaveV3MigrationAdapter “Core”	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0xb09e…D475
AaveV3MigrationAdapter “Prime”	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0x2CC8…B806
AaveV3MigrationAdapter “EtherFi”	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0x4011…9ca3
CompoundV3MigrationAdapter	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0xdBa5…6773
AaveV3OptimizerMigrationAdapter	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0x9e2e…d972
AaveV2MigrationAdapter	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0x4028…961B
CompoundV2MigrationAdapter	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0x9B89…1101
EthereumGeneralAdapter1(specific to Ethereum)	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0x4A6c…0aE0
GeneralAdapter1(for all other networks)	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0xb98c…746A
ERC20WrapperAdapter(on Base and Ethereum only for now))	Repository: https://github.com/morpho-org/bundler3/tree/82e44ddebae998dc8b6e5cbd29ff69786135b1d3	0xf83D…F962

Out of scope

Out of Scope Smart Contract

Known issues, known limitations, documented risks and behaviors are out of scope.
Issues resulting solely from deployer or curator parameter choices or configuration decisions. Researchers should notify the relevant deployer or curator via their relevant security contact or Bug Bounty program.
Design choices of the protocols.
Attacks with crazy high gas consumption.
Extreme market turmoil vulnerability.
Bugs in third party contracts or applications that use Morpho contracts.

Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope. This includes but is not limited to:

Scenarios covered by documented risks on docs.morpho.org (e.g. Faulty Oracles)
natspec/comments
Readme
PR
Issues
Audits and competitions reports such as audits listed here
Bug Bounty reports