Skip to content

Emergency Procedures

This document outlines procedures for handling emergency situations related to Morpho Vaults, from dealing with unsafe markets to responding to a compromised role. These actions should be executed with extreme care, as they can have significant consequences for the vault and its depositors.

Please read the README section from the Morpho Vaults repository.

Unsafe Market: Soft Deprecation

This procedure is used when a market is deemed too risky for continued new allocations, but is still functioning correctly, allowing for a graceful exit.

The Goal

Safely withdraw all vault funds from the market without incurring losses, and prevent any new capital from being allocated to it.

Procedure via Direct Contract Calls

  1. Revoke Pending Caps: If there is a pending cap increase for the market, the Guardian, Curator, or Owner should call revokePendingCap to prevent it from being accepted.
  2. Set Cap to Zero: The Curator or Owner must immediately call submitCap with a newSupplyCap of 0. This is an instant action and prevents new funds from flowing into the market.
    • Pro Tip: To avoid front-running issues, it's best to batch the revokePendingCap and submitCap calls in a single transaction using a multicall function for instance.
  3. Reallocate Liquidity: The Allocator should call reallocate to withdraw all available liquidity from the market. If the market is illiquid, this may need to be done in stages as liquidity becomes available.
  4. Update Withdraw Queue: The Allocator should move the market to the beginning of the withdrawQueue to ensure any newly available liquidity is captured first.
  5. Complete Delisting: Once all funds have been withdrawn, the Allocator can remove the market entirely from the withdrawQueue by calling updateWithdrawQueue.

Procedure via the Curator App

The Curator App streamlines this process with a dedicated "Unsafe Market" emergency flow.

Morpho Vaults emergency actions interface

Executing this flow in a single transaction will:

  1. Revoke any pending cap changes for the target market.
  2. Set the market's supply cap to 0.
  3. Reallocate all currently available liquidity to the vault's designated Idle Market.
  4. Move the market to the first position in the withdrawQueue.

Market Reverts: Forced Removal

This procedure is for critical situations where a market is malfunctioning (e.g., its functions consistently revert), making it impossible to withdraw funds normally. This action involves accepting the loss of any capital stuck in the market.

The Goal

Remove a broken market from the vault's accounting to restore normal vault operations, even if it means losing the funds allocated to it.

Procedure via Direct Contract Calls

  1. Set Cap to Zero: As with a soft deprecation, the Curator must first set the market's cap to 0.
  2. Submit for Removal: The Curator or Owner must call submitMarketRemoval. This action is timelocked.
  3. Wait for Timelock: The mandatory waiting period must elapse.
  4. Update Withdraw Queue: After the timelock, the Allocator can call updateWithdrawQueue to permanently remove the market from the vault's configuration.

Procedure via the Curator App

The "Market Reverts" flow in the Curator App is designed for this scenario.

Morpho Vaults emergency actions interface

In a single transaction, this flow will:

  1. Revoke any pending cap changes for the market.
  2. Set the market's supply cap to 0.
  3. Call submitMarketRemoval to begin the timelocked process of forced deprecation.

After the timelock expires, the Allocator must still manually call updateWithdrawQueue to complete the removal.

Role Compromise Scenarios

Curator Takeover

If a Curator begins acting maliciously (e.g., submitting caps for unsafe markets), the Owner must intervene.

  1. Set a New Curator: The Owner should immediately call setCurator to transfer control to a new, trusted address.
  2. Revoke Pending Actions: The new Curator, Owner, or Guardian must call revokePendingCap on any malicious proposals submitted by the old curator.
  3. Remediate Accepted Actions: If a malicious cap was accepted before it could be revoked, the new Curator must follow the "Unsafe Market" procedure to safely exit the position.

Allocator Takeover

If an Allocator acts against the vault's strategy (e.g., by setting improper queues or reallocating funds incoherently), the Owner should:

  1. Revoke Allocator Privileges: Call setIsAllocator with the malicious address and false.
  2. Correct Queues: The Owner or a trusted Allocator must call setSupplyQueue and updateWithdrawQueue to restore the correct order.
  3. Reallocate Funds: Call reallocate to move funds back into alignment with the vault's intended strategy.