Security Considerations for Vault Curators
This document outlines important security considerations and best practices for Morpho Vault curators. It covers vault-specific security topics that are most relevant to curators and advanced users.
Faulty Oracles
Supplying liquidity in a market with a faulty oracle (overestimating the collateral’s price) will obviously lead to a loss of funds, because the health computation and the liquidation wouldn’t work properly.
On top of that, Morpho Vaults V1 (versions 1.0 and 1.1) have an additional edge-case: if they list a market whose oracle reports a price significantly above the market price — specifically, when the market price goes below oraclePrice * LLTV — the number of market shares can be increased and, as a result, they can incur some losses despite having no allocation and zero caps on the market.
More precisely, they can lose as much as the amount that can be borrowed against collateral that can be bought below LLTV * oraclePrice * σ where σ represents the adversary's share of the vault’s supply.
Recommendations
To reduce the chances of faulty oracles (always important, independent of the edge case):
- Curators should choose oracles to minimize the risk of price divergence.
- Disable markets that the vault does not actively use (remove them from the withdraw queue), even if the caps are zero.
If the market price of a listed market diverges significantly from its oracle price:
- Immediately pause deposits by emptying the supply queue. This prevents anyone from getting new shares and increasing their σ. One can automate this: have an allocator that automatically empties the supply queue when, on any market of the vault, the market price diverges significantly from the oracle price.
- Remove the affected market from the queue as quickly as possible:
  - If the vault holds zero shares in the market, remove it instantly.
  - If the market is liquid, withdraw all shares and then remove it instantly.
  - If the market is illiquid, initiate forced removal and execute it once the timelock expires.
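The automated response described above, written out as an added example (this is not Morpho's code): it flags markets whose market price diverges from the oracle price or has fallen below oraclePrice * LLTV, empties the supply queue when anything is flagged, and maps each flagged market to the removal path the list above prescribes. The market data, the vault state, the 200 bps threshold and the field names are constructed for the example.

```python
# Added example (not Morpho's code): detect oracle/market price divergence on a
# vault's markets and derive the curator response. Market data, the threshold
# and the vault state below are constructed; prices and LLTV are WAD-scaled.

WAD = 10**18  # fixed-point scale used for prices and LLTV

# Assumption: a gap above this many basis points counts as "significant".
MAX_DIVERGENCE_BPS = 200


def divergence_bps(oracle_price, market_price):
    """Absolute gap between oracle and market price, in basis points of the market price."""
    return abs(oracle_price - market_price) * 10_000 // market_price


def edge_case_reachable(oracle_price, market_price, lltv_wad):
    """The Vaults V1 condition from the text: market price below oraclePrice * LLTV."""
    return market_price < oracle_price * lltv_wad // WAD


def flag_markets(markets, max_divergence_bps=MAX_DIVERGENCE_BPS):
    """Ids of markets whose oracle diverges significantly, or that have crossed
    the oraclePrice * LLTV line (either one is enough to act on)."""
    flagged = []
    for m in markets:
        gap = divergence_bps(m["oracle_price"], m["market_price"])
        edge = edge_case_reachable(m["oracle_price"], m["market_price"], m["lltv"])
        if gap > max_divergence_bps or edge:
            flagged.append(m["id"])
    return flagged


def plan_response(vault, flagged):
    """Empty the supply queue if anything is flagged (stops new shares, so the
    adversary's σ cannot grow) and pick the removal path per flagged market."""
    actions = {}
    for market_id in flagged:
        pos = vault["positions"].get(market_id, {"shares": 0, "liquid": True})
        if pos["shares"] == 0:
            actions[market_id] = "remove_from_withdraw_queue_now"
        elif pos["liquid"]:
            actions[market_id] = "withdraw_all_then_remove"
        else:
            actions[market_id] = "submit_forced_removal_wait_timelock"
    new_supply_queue = [] if flagged else list(vault["supply_queue"])
    return {"supply_queue": new_supply_queue, "actions": actions}


# Constructed sample data: three markets, one healthy, one below LLTV, one diverging.
SAMPLE_MARKETS = [
    {"id": "market-A", "oracle_price": WAD, "market_price": 999 * WAD // 1000, "lltv": 86 * WAD // 100},
    {"id": "market-B", "oracle_price": WAD, "market_price": 80 * WAD // 100, "lltv": 86 * WAD // 100},
    {"id": "market-C", "oracle_price": WAD, "market_price": 95 * WAD // 100, "lltv": 915 * WAD // 1000},
]
SAMPLE_VAULT = {
    "supply_queue": ["market-A", "market-C"],
    "withdraw_queue": ["market-A", "market-B", "market-C"],
    "positions": {
        "market-A": {"shares": 1_000 * WAD, "liquid": True},
        "market-B": {"shares": 0, "liquid": True},       # listed with zero caps, no position
        "market-C": {"shares": 5_000 * WAD, "liquid": False},
    },
}

if __name__ == "__main__":
    flagged = flag_markets(SAMPLE_MARKETS)
    print(flagged, plan_response(SAMPLE_VAULT, flagged))
```

Note that market-B is flagged even though the vault holds nothing there: that is exactly the zero-allocation, zero-cap case the edge case above concerns, and the correct action is to drop it from the withdraw queue immediately.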
Note that Vaults V2 are not affected by this edge-case.
Credit to Madiha for helping the Morpho team identify and provide these security guidelines to vault curators.
Vault as asset
In this section, we outline security considerations and recommendations for listing ERC4626 vaults as an asset, either as collateral or as the loan asset.
Vault as collateral
Liquid & flashloanable 4626 assets with share price decrease
ERC4626 vaults with the following properties can incur a loss of funds.
- Most of the shares of the vault can be flash loaned.
- Most of the vault is liquid.
- The vault's share price can decrease notably and instantly.
This is not specific to Morpho but a general statement about all ERC4626 vaults. Since assets deposited on Morpho can always be flash loaned, it is important to keep this in mind.
The loss is bounded by:
where:
- The loss on the vault (that creates the share price decrease):
- The liquid portion of the vault:
- The loanable portion of the vault:
Recommendations for Morpho Vaults used as collateral
For Morpho Vaults with bad debt realization (created with the MetaMorpho Factory V1.0), the share price can decrease in the event of a bad debt realization in one of the listed markets. If the vault is highly liquid, the supply queue has a specific order, and most of the shares can be flashloaned, then the liquidator of the market could amplify the bad debt realized by the vault. Since using vaults as collateral increases the proportion of the vault that can be flashloaned, it could favor this amplification. Although very unlikely, using those vaults as collateral is thus not recommended.
For Morpho Vaults without bad debt realization (created with the MetaMorpho Factory V1.1), the share price of the vault can't decrease, and the scenario described above can't happen. The flip side is that the vault users won't have bad debt realized in their vault.
Credit to 100proof for helping the Morpho team provide these security guidelines to vault curators.
Vault as loan asset
Pricing method
One of the main considerations when onboarding an asset is what price it should have. A natural way to price vault shares is by using the exchange rate (supported by the Morpho Oracle V2). We summarise here the risks associated with using this pricing method and recommendations when doing so.
Manipulations & share price changes
General manipulations of an ERC4626 are detailed in an Euler article. Additionally, we should take into account the other possible ways that the share price of a vault can change.
In the general case we have:
- Donations to ERC4626 vaults in general can cause a sudden price increase. Vaults can have mitigations against this, but most are vulnerable. Morpho Vaults can be affected because of supply on behalf.
- Rounding errors (including stealth donations) can change the share price. They are not expected to be significant, including for Morpho Vaults, when the vault has large enough total assets.
And then the ones specific to each vault. For example, in Morpho Vaults:
- Known "economic" scenarios could decrease the share price of Morpho Vaults. Users should accept them for what they are, so they are not considered blocking. These include bad debt realization for Morpho Vaults V1.0 (note that public reallocation can be an aggravating factor in this scenario) and forced market removal.
A donation causes a share price increase, so it is naturally an issue for listing a vault as a loan asset. In particular, it leads to:
- the possibility of a future attack like the Cream hack, as soon as positions in those shares are priced;
- liquidations having an extra incentive that is extremely difficult to mitigate, resulting in borrowers taking unpredictable risks (or not joining at all).
Inflation Front-Running Attack Protection
Morpho Vaults V1, like all ERC4626-compliant vaults, have a potential vulnerability to what is known as an "inflation front-running attack," particularly when the vault is newly created and empty. This vulnerability is explicitly mentioned in the Morpho Vault contract:
```solidity
/// @inheritdoc IERC4626
/// @notice For tokens with 18 decimals, the protection against the inflation front-running attack is low. To
/// protect against this attack, vault deployers should make an initial deposit of a non-trivial amount in the vault
/// or depositors should check that the share price does not exceed a certain limit.
```
What is an Inflation Front-Running Attack?
This attack works as follows:
- An attacker sees a pending transaction where a user intends to deposit into an empty (or nearly empty) vault
- The attacker front-runs the transaction with a minimal deposit followed by a large donation directly to the vault
- This artificially inflates the share price of the vault
- When the user's deposit executes and is small enough, they receive significantly fewer shares than expected
- The attacker, as the majority shareholder, can benefit from this manipulation if more than one user deposit receives fewer shares than expected
This vulnerability is most pronounced for tokens with 18 or more decimals, where the DECIMALS_OFFSET in the Morpho Vault V1 contract is zero.
Best Practices for Morpho Vault Curators
- Initial Protection: Always make an initial deposit of at least 1e9 shares immediately after vault and market creation on behalf of the address 0x000000000000000000000000000000000000dEaD. Ensure that all of the markets that the vault allocates to have this deposit as well.
- Timelock: Implement a 3-day timelock to give enough time to review any new markets before adding them to the vault's allocation.
- Monitoring: Monitor the vault's share price relative to the underlying asset price to detect potential manipulation
Technical Details
The vulnerability exists because in ERC4626 vaults, the relationship between shares and assets determines the exchange rate. In an empty vault with no protection mechanisms:
- The attacker deposits a minimal amount (e.g., 1 wei of the token) and receives 1 share
- The attacker then transfers a large amount directly to the vault (e.g., 100M tokens)
- This creates an exchange rate where 1 share ≈ 100M tokens
- A user depositing 1 token would receive 0 shares due to the inflated exchange rate
The protections recommended above prevent this either by ensuring the vault already holds enough shares that inflating the share price by donation becomes prohibitively expensive, or by adding checks that reject transactions with suspicious exchange rates.
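To make the arithmetic in the four steps above concrete, here is an added example (not Morpho's or OpenZeppelin's code) that models ERC4626 share accounting with one virtual asset and 10**DECIMALS_OFFSET virtual shares, replays the page's scenario (1 wei deposit, 100M-token donation, 1-token user deposit) once on an empty vault and once after the recommended 1e9-share deposit to the dead address, and reports what the user and the attacker end up with. The `VaultModel` class, the `simulate_inflation_attack` function and its parameters are assumptions of this example; the 1e9 figure and the dead address come from the recommendations above.

```python
# Added example (not Morpho's code): integer model of ERC4626 share maths with
# OpenZeppelin-style virtual assets/shares, used to show why an initial deposit
# of 1e9 shares bounds the damage of the inflation front-running attack.
# All amounts are integers in the token's smallest unit (wei), as on-chain.

WAD = 10**18  # one token with 18 decimals
DEAD = "0x000000000000000000000000000000000000dEaD"  # address from the recommendations


class VaultModel:
    """Minimal ERC4626 accounting: convertToShares/convertToAssets with 1 virtual
    asset and 10**decimals_offset virtual shares (offset 0 for 18-decimal tokens,
    matching the DECIMALS_OFFSET remark above)."""

    def __init__(self, decimals_offset=0):
        self.total_assets = 0
        self.total_supply = 0
        self.virtual_shares = 10**decimals_offset
        self.balances = {}

    def convert_to_shares(self, assets):
        # Rounds down, as a deposit does on-chain.
        return assets * (self.total_supply + self.virtual_shares) // (self.total_assets + 1)

    def convert_to_assets(self, shares):
        # Rounds down, as a redeem does on-chain.
        return shares * (self.total_assets + 1) // (self.total_supply + self.virtual_shares)

    def deposit(self, receiver, assets):
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += shares
        self.balances[receiver] = self.balances.get(receiver, 0) + shares
        return shares

    def donate(self, assets):
        # Direct token transfer to the vault: raises totalAssets without minting shares.
        self.total_assets += assets

    def share_price(self):
        # Assets backing one share; 1 wei for a fresh vault, far above that once inflated.
        return self.convert_to_assets(1)


def simulate_inflation_attack(initial_dead_deposit, decimals_offset=0,
                              attacker_donation=100_000_000 * WAD,
                              victim_deposit=1 * WAD):
    """Replay the page's scenario with or without the curator's protective deposit.
    Returns the user's shares and redeemable value, and the attacker's net result."""
    vault = VaultModel(decimals_offset)
    if initial_dead_deposit:
        vault.deposit(DEAD, initial_dead_deposit)   # step 0: curator's 1e9-share deposit
    attacker_spent = 1 + attacker_donation
    vault.deposit("attacker", 1)                     # step 1: minimal deposit
    vault.donate(attacker_donation)                  # step 2: large direct transfer
    victim_shares = vault.deposit("victim", victim_deposit)   # step 3/4: user deposit
    victim_value = vault.convert_to_assets(victim_shares)
    attacker_value = vault.convert_to_assets(vault.balances["attacker"])
    return {
        "victim_shares": victim_shares,
        "victim_redeemable": victim_value,
        "victim_loss": victim_deposit - victim_value,
        "attacker_net": attacker_value - attacker_spent,
        "share_price": vault.share_price(),
    }


if __name__ == "__main__":
    for dead_deposit in (0, 10**9):
        print("dead deposit:", dead_deposit, simulate_inflation_attack(dead_deposit))
```

Without the protective deposit the user's 1-token deposit mints 0 shares and is lost to the attacker's single share. With 1e9 dead shares in place the same deposit mints 10 shares and the user's rounding loss is on the order of 1e9 wei, while the attacker's 100M-token donation mostly accrues to the dead address and is forfeited. In both runs the resulting share price is many orders of magnitude above the 1 wei of a fresh vault, which is what the monitoring recommendation above is meant to catch.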
Additional Resources
For more information on ERC4626 and the inflation attack vulnerability:
