Emergency Procedures
This document outlines procedures for handling emergency situations related to Morpho Vaults, from dealing with unsafe markets to responding to a compromised role. These actions should be executed with extreme care, as they can have significant consequences for the vault and its depositors.
Please read the README section from the Morpho Vaults repository.
Unsafe Market: Soft Deprecation
This procedure is used when a market is deemed too risky for continued new allocations, but is still functioning correctly, allowing for a graceful exit.
The Goal
Safely withdraw all vault funds from the market without incurring losses, and prevent any new capital from being allocated to it.
Procedure via Direct Contract Calls
- Revoke Pending Caps: If there is a pending cap increase for the market, the
Guardian
,Curator
, orOwner
should callrevokePendingCap
to prevent it from being accepted. - Set Cap to Zero: The
Curator
orOwner
must immediately callsubmitCap
with anewSupplyCap
of0
. This is an instant action and prevents new funds from flowing into the market.- Pro Tip: To avoid front-running issues, it's best to batch the
revokePendingCap
andsubmitCap
calls in a single transaction using amulticall
function for instance.
- Pro Tip: To avoid front-running issues, it's best to batch the
- Reallocate Liquidity: The
Allocator
should callreallocate
to withdraw all available liquidity from the market. If the market is illiquid, this may need to be done in stages as liquidity becomes available. - Update Withdraw Queue: The
Allocator
should move the market to the beginning of thewithdrawQueue
to ensure any newly available liquidity is captured first. - Complete Delisting: Once all funds have been withdrawn, the
Allocator
can remove the market entirely from thewithdrawQueue
by callingupdateWithdrawQueue
.
Procedure via the Curator App
The Curator App streamlines this process with a dedicated "Unsafe Market" emergency flow.

Executing this flow in a single transaction will:
- Revoke any pending cap changes for the target market.
- Set the market's supply cap to
0
. - Reallocate all currently available liquidity to the vault's designated Idle Market.
- Move the market to the first position in the
withdrawQueue
.
Market Reverts: Forced Removal
This procedure is for critical situations where a market is malfunctioning (e.g., its functions consistently revert), making it impossible to withdraw funds normally. This action involves accepting the loss of any capital stuck in the market.
The Goal
Remove a broken market from the vault's accounting to restore normal vault operations, even if it means losing the funds allocated to it.
Procedure via Direct Contract Calls
- Set Cap to Zero: As with a soft deprecation, the
Curator
must first set the market's cap to0
. - Submit for Removal: The
Curator
orOwner
must callsubmitMarketRemoval
. This action is timelocked. - Wait for Timelock: The mandatory waiting period must elapse.
- Update Withdraw Queue: After the timelock, the
Allocator
can callupdateWithdrawQueue
to permanently remove the market from the vault's configuration.
Procedure via the Curator App
The "Market Reverts" flow in the Curator App is designed for this scenario.

In a single transaction, this flow will:
- Revoke any pending cap changes for the market.
- Set the market's supply cap to
0
. - Call
submitMarketRemoval
to begin the timelocked process of forced deprecation.
After the timelock expires, the Allocator
must still manually call updateWithdrawQueue
to complete the removal.
Role Compromise Scenarios
Curator Takeover
If a Curator
begins acting maliciously (e.g., submitting caps for unsafe markets), the Owner
must intervene.
- Set a New Curator: The
Owner
should immediately callsetCurator
to transfer control to a new, trusted address. - Revoke Pending Actions: The new
Curator
,Owner
, orGuardian
must callrevokePendingCap
on any malicious proposals submitted by the old curator. - Remediate Accepted Actions: If a malicious cap was accepted before it could be revoked, the new
Curator
must follow the "Unsafe Market" procedure to safely exit the position.
Allocator Takeover
If an Allocator
acts against the vault's strategy (e.g., by setting improper queues or reallocating funds incoherently), the Owner
should:
- Revoke Allocator Privileges: Call
setIsAllocator
with the malicious address andfalse
. - Correct Queues: The
Owner
or a trustedAllocator
must callsetSupplyQueue
andupdateWithdrawQueue
to restore the correct order. - Reallocate Funds: Call
reallocate
to move funds back into alignment with the vault's intended strategy.