Security Considerations for Vault Curators
This document outlines important security considerations and best practices for Morpho Vault curators. It covers vault-specific security topics that are most relevant to curators and advanced users.
Faulty Oracles
Supplying liquidity in a market with a faulty oracle (one that overestimates the collateral's price) will lead to a loss of funds because health computations and liquidations will not work correctly.
Donation-Based Inflation Manipulation (Vaults V1 only)
Morpho Vaults V1 (versions 1.0 and 1.1) have a critical additional edge case. When a vault lists a market whose oracle reports a price significantly above the true market price, specifically, when collateral tokens can be acquired below oraclePrice × LLTV, the entire vault can be at risk through the following steps:
- Acquire shares in the vault (by supplying, if the supply queue is not empty).
- Donate assets to the vault on the broken market (via supply on behalf of the vault), inflating the vault's share price.
- Buy collateral tokens cheaply (below the oracle price) and borrow against them on the broken market to recoup the donation.
- Finally, withdraw the now-inflated vault position, effectively draining other depositors.
An attacker can repeat this in small batches.
Loss bound: The maximum loss equals the total debt that can be taken using collateral acquired below oraclePrice × LLTV × σ, where σ is the attacker's share of the vault's total supply. If the supply queue is not empty, σ can approach 1, and the threshold simplifies to oraclePrice × LLTV.
Vault V2 Exposure
Vaults V2 are not affected by this edge case when supplying directly to Morpho Variable Rate Markets using the MorphoMarketV1AdapterV2.
However, if a Vault V2 supplies to a Vault V1 via the MorphoVaultV1Adapter, it is exposed up to its allocation to that Vault V1.
Recommendation: Curators using Vault V1 adapters should use Market V1 adapters.
Prevention
- Choose oracles carefully to minimize the risk of price divergence between the oracle and the true market price. Be especially cautious with NAV-based oracles updated by the token issuer; these can diverge from DEX prices during exploit scenarios.
- Remove unused markets from the withdrawal queue, even if the cap is zero. A market in the withdrawal queue with cap zero is still vulnerable. Only removing it from the withdrawal queue fully eliminates the risk.
- Deploy automated monitoring that detects when oracle prices diverge from market prices.
- Build or adopt an automated kill switch that empties the supply queue when a significant oracle deviation is detected. This is the single most effective automated mitigation.
- Use Vaults V2 with Market V1 Adapter as described above.
Response (If a faulty oracle situation occurs)
Step 1: Immediate: Pause deposits by emptying the supply queue (removing all markets including idle). This prevents anyone from getting new shares and increasing their σ. Curators can automate this: have an allocator that automatically empties the supply queue when any market listed by the vault reports an oracle price that is significantly above the market price.
Step 2: Remove the affected market from the withdrawal queue as quickly as possible:
- If the vault holds zero shares in the market, remove it instantly.
- If the market is liquid, withdraw all shares and then remove it instantly.
- If the market is illiquid, initiate forced removal and execute it once the timelock expires.
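The monitoring rule and the two response steps above, as an added example that is not Morpho's code: it flags a market as exploitable when the reference price falls below oraclePrice × LLTV (the condition from the Donation-Based Inflation section), decides whether the supply queue must be emptied, and picks the withdrawal-queue action for each affected market. Field names, thresholds and the sample snapshots are assumptions.

```python
from dataclasses import dataclass

# Added example, not Morpho's code: a monitoring rule for the faulty-oracle case above,
# plus the response decisions from Steps 1 and 2. Field names, thresholds and the
# sample snapshots are assumptions; prices are loan-asset units per collateral unit.

@dataclass(frozen=True)
class MarketSnapshot:
    market_id: str
    oracle_price: float   # collateral price reported by the market's oracle
    market_price: float   # reference price observed on liquid venues, same units
    lltv: float           # the market's liquidation LTV as a fraction, e.g. 0.86

def buyable_below_lltv(snap, margin=0.05):
    """The dangerous condition from the text: collateral can be acquired below
    oraclePrice x LLTV. `margin` makes the trigger fire slightly before that line."""
    return snap.market_price < snap.oracle_price * snap.lltv * (1.0 + margin)

def oracle_overstatement(snap):
    """How far the oracle sits above the reference price, as a fraction (0.08 = 8%)."""
    return snap.oracle_price / snap.market_price - 1.0

def evaluate_vault(snapshots, warn_at=0.02, margin=0.05):
    """Classify every market the vault lists and decide on the supply-queue kill switch.
    Returns {'empty_supply_queue': bool, 'kill': [ids], 'warn': [ids]}."""
    kill, warn = [], []
    for s in snapshots:
        if buyable_below_lltv(s, margin):
            kill.append(s.market_id)
        elif oracle_overstatement(s) > warn_at:
            warn.append(s.market_id)
    # Step 1: one exploitable market empties the whole supply queue (idle included)
    # so nobody can mint new shares and grow their sigma.
    return {"empty_supply_queue": bool(kill), "kill": kill, "warn": warn}

def withdrawal_queue_action(vault_shares_in_market, market_is_liquid):
    """Step 2 for one affected market: how to get it out of the withdrawal queue."""
    if vault_shares_in_market == 0:
        return "remove_now"
    if market_is_liquid:
        return "withdraw_all_then_remove"
    return "forced_removal_after_timelock"

# Constructed snapshots: healthy; NAV oracle 8% high (still above the LLTV line);
# oracle 43% above a collateral that has crashed on DEXs.
SAMPLE = [
    MarketSnapshot("wstETH/USDC", 3000.0, 2994.0, 0.86),
    MarketSnapshot("navToken/USDC", 1.08, 1.00, 0.86),
    MarketSnapshot("hackedLST/WETH", 1.00, 0.70, 0.86),
]
```

A `warn` entry is worth a human look even though the kill switch does not fire: a NAV oracle drifting above DEX prices is exactly the precursor the Prevention list describes.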
Credit to Madiha for helping the Morpho team identify and provide these security guidelines to vault curators.
Adapter Removal Frontrunning
When a curator submits a removeAdapter proposal, the removal is timelocked. During this window, an allocator can still call allocate on the adapter. Since removeAdapter does not revert when the adapter holds assets, any funds allocated after the removal submission will be silently lost when the removal executes.
Before delisting, follow the full Adapter Soft Deprecation procedure, which covers both deallocating existing funds and zeroing caps to prevent frontrunning.
Reverting Oracle
When an oracle reverts (e.g., due to underlying feed deprecation by the provider), the market enters a degraded state. Some operations stop working, but users are not permanently stuck.
What Still Works
| Function | Works? | Notes |
|---|---|---|
| supply | ✅ | No price check needed |
| withdraw | ✅ | No price check needed |
| repay | ✅ | No price check needed |
| supplyCollateral | ✅ | No price check needed |
| borrow | ❌ | Requires price → reverts |
| withdrawCollateral | ⚠️ | Only if borrower has exactly 0 borrow shares |
| liquidate | ❌ | Requires price → reverts |
How Users Can Exit
Lenders: Withdraw normally, no issue (provided borrowers' repayments leave enough available liquidity).
Borrowers:
- Repay the full debt (must reach exactly 0 borrow shares)
- Then withdraw collateral
If even 1 borrow share remains, withdrawCollateral will revert because it triggers a health check.
Liquidators: Cannot liquidate, since the function requires the oracle.
What Curators can do
- Set supply cap to 0 to prevent new allocations
- Contact the feed provider: request they restore the feed temporarily or provide stale prices so users can exit
- Notify affected borrowers to repay and exit
- If unrecoverable, use the "Market Reverts" emergency flow for Morpho Vaults V1 in the Curator App (see Emergency Procedures)
Prevention
When selecting oracles and feeds, prefer providers with clear deprecation policies. Ideally, deprecated feeds should return stale prices rather than revert; this allows an orderly market wind-down instead of an emergency situation.
Vault as asset
In this section, we outline security considerations and recommendations for listing 4626 vaults as an asset, collateral, or loan asset.
Vault as collateral
Liquid & flashloanable 4626 assets with share price decrease
ERC4626 vaults with the following properties can incur a loss of funds.
- Most of the shares of the vault can be flash loaned.
- Most of the vault is liquid.
- The vault's share price can decrease notably and instantly.
This is not specific to Morpho but a general statement for all ERC4626 vaults. Since assets deposited on Morpho can always be flash loaned, it is important to keep this in mind.
The loss is bounded by:
where:
- The loss on the vault (that creates the share price decrease):
- The liquid portion of the vault:
- The loanable portion of the vault:
Recommendations for Morpho Vaults used as collateral
For Morpho Vaults with bad debt realization (created with the MetaMorpho Factory V1.0), the share price can decrease in the event of a bad debt realization in one of the listed markets. If the vault is highly liquid, the supply queue has a specific order, and most of the shares can be flashloaned, then the liquidator of the market could amplify the bad debt realized by the vault. Since using vaults as collateral increases the proportion of the vault that can be flashloaned, it could favor this amplification. Although very unlikely, it is thus not recommended to use those vaults as collateral.
For Morpho Vaults without bad debt realization (created with the MetaMorpho Factory V1.1), the share price of the vault can't decrease, and the above-described scenario can't happen. That said, the vault users won't have bad debt realized in their vault.
Credit to 100proof for helping the Morpho team provide these security guidelines to vault curators.
Vault as loan asset
Pricing method
One of the main considerations when onboarding an asset is what price it should have. A natural way to price vault shares is by using the exchange rate (supported by the Morpho Oracle V2). We summarise here the risks associated with using this pricing method and recommendations when doing so.
Manipulations & share price changes
General manipulations of an ERC4626 are detailed in an Euler article. Additionally, we should take into account the other possible ways that the share price of a vault can change.
We have in the general case:
- donations in general to ERC4626 vaults can cause a sudden price increase. Vaults can have mitigations to this, but most are vulnerable. Morpho Vaults can be affected because of supply on behalf.
- rounding errors (including stealth donations) can change the share price. They are not expected to be significant, including for Morpho Vaults when the vault has large enough total assets.
And those specific to each vault. For example, in Morpho Vaults:
- "economic", known scenarios could decrease the share price on Morpho Vaults. They should be accepted by the user for what they are, so they are not considered as blocking. This includes bad debt realization for Morpho Vaults V1.0 (note that public reallocation can be an aggravating factor in this scenario) and forced market removal.
The price change by donation causes a price increase, so it naturally is an issue for listing a vault as a loan asset. In particular, it leads to:
- the possibility of a future attack like the Cream hack, as soon as the position of those shares is priced
- liquidations having an extra incentive that is extremely difficult to mitigate, resulting in borrowers taking unpredictable risks (or not joining at all).
Inflation Front-Running Attack Protection
Morpho Vaults V1, like all ERC4626-compliant vaults, have a potential vulnerability to what is known as an "inflation front-running attack," particularly when the vault is newly created and empty. This vulnerability is explicitly mentioned in the Morpho Vault contract:
```solidity
/// @inheritdoc IERC4626
/// @notice For tokens with 18 decimals, the protection against the inflation front-running attack is low. To
/// protect against this attack, vault deployers should make an initial deposit of a non-trivial amount in the vault
/// or depositors should check that the share price does not exceed a certain limit.
```
What is an Inflation Front-Running Attack?
This attack works as follows:
- An attacker sees a pending transaction where a user intends to deposit into an empty (or nearly empty) vault
- The attacker front-runs the transaction with a minimal deposit followed by a large donation directly to the vault
- This artificially inflates the share price of the vault
- When the user's deposit executes and is small enough, they receive significantly fewer shares than expected
- The attacker, as the majority shareholder, can benefit from this manipulation if more than one user deposit receives fewer shares than expected
This vulnerability is most pronounced for tokens with 18 or more decimals, where the DECIMALS_OFFSET in the Morpho Vault V1 contract is zero.
Best Practices for Morpho Vault Curators
- Initial Protection: Always make an initial deposit of at least 1e9 shares (or 1e12 shares for assets with less than 9 decimals) immediately after vault and market creation on behalf of the address 0x000000000000000000000000000000000000dEaD. Ensure that all of the markets that the vault allocates to have this deposit as well.
- Timelock: Implement a 3-day timelock to give enough time to review any new markets before adding them to the vault's allocation.
- Monitoring: Monitor the vault's share price relative to the underlying asset price to detect potential manipulation
Technical Details
The vulnerability exists because in ERC4626 vaults, the relationship between shares and assets determines the exchange rate. In an empty vault with no protection mechanisms:
- The attacker deposits a minimal amount (e.g., 1 wei of the token) and receives 1 share
- The attacker then transfers a large amount directly to the vault (e.g., 100M tokens)
- This creates an exchange rate where 1 share ≈ 100M tokens
- A user depositing 1 token would receive 0 shares due to the inflated exchange rate
The protection mechanisms recommended above prevent this either by ensuring the vault already holds enough assets and shares that inflating the share price by donation becomes prohibitively expensive, or by adding checks that reject transactions with suspicious exchange rates.
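The share arithmetic behind the steps above, as an added example that is not Morpho's code: a minimal model of the virtual-share conversion used by Morpho Vault V1 (DECIMALS_OFFSET virtual shares and one virtual asset, shares = assets × (totalSupply + 10^offset) ÷ (totalAssets + 1), rounding down). It replays the 1 wei deposit plus 100M-token donation against a 1-token deposit on an empty vault and on a vault seeded with the recommended 1e9 dead-address shares, and includes the depositor-side share-price check the contract comment mentions. The class and function names and the sample amounts are assumptions; it also models the donation-driven price increase discussed under "Manipulations & share price changes".

```python
# Added example, not Morpho's code: a minimal model of the virtual-share conversion used
# by Morpho Vault V1, shares = assets * (totalSupply + 10**offset) // (totalAssets + 1),
# to show why an empty vault is exposed and what the dead-address deposit changes.
# Amounts are wei of the underlying; names and the sample amounts are assumptions.
WEI = 10**18

class Vault:
    def __init__(self, decimals_offset=0):   # offset is 0 for 18-decimal assets
        self.total_assets, self.total_supply, self.offset = 0, 0, decimals_offset

    def preview_deposit(self, assets):
        # rounds down in favour of the vault, like the on-chain conversion
        return assets * (self.total_supply + 10**self.offset) // (self.total_assets + 1)

    def deposit(self, assets):
        shares = self.preview_deposit(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets):
        # direct transfer or supply-on-behalf: raises totalAssets, mints no shares
        self.total_assets += assets

    def value_of(self, shares):
        return shares * (self.total_assets + 1) // (self.total_supply + 10**self.offset)

def share_price_ok(vault, assets, min_shares):
    """Depositor-side check from the contract comment: is the quoted share price
    still low enough that `assets` buys at least `min_shares`? Refuse to deposit if not."""
    return vault.preview_deposit(assets) >= min_shares

def simulate(dead_deposit, donation, victims, decimals_offset=0):
    """Attacker deposits 1 wei, donates `donation`, then each victim deposits in turn.
    Returns (shares each victim got, attacker's net result after redeeming)."""
    v = Vault(decimals_offset)
    if dead_deposit:
        v.deposit(dead_deposit)          # curator's initial deposit to 0x...dEaD
    attacker_shares = v.deposit(1)
    v.donate(donation)
    got = [v.deposit(amount) for amount in victims]
    return got, v.value_of(attacker_shares) - (1 + donation)

# Constructed scenario from the text: a 100M-token donation against a 1-token deposit,
# first on an empty vault, then on one seeded with the recommended 1e9 shares.
UNPROTECTED = simulate(0, 100_000_000 * WEI, [WEI])
PROTECTED = simulate(10**9, 100_000_000 * WEI, [WEI])
```

On the empty vault the victim receives 0 shares, while on the seeded vault the same deposit receives its fair 10 shares; in both runs the single virtual share means the attacker's own donation is only half recoverable, which is why the text says the attacker profits only once several deposits are short-changed.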
Additional Resources
For more information on ERC4626 and the inflation attack vulnerability:
