Risk & Security Documentation
By using Morpho or Morpho Vaults, you assume the associated risks. The following section provides an overview of different types of risks you should be aware of when using Morpho and Morpho Vaults. This overview is not exhaustive and may not cover all potential risks to which you might be exposed. Morpho is committed to using industry-leading security practices. Yet, there are still a number of risks associated with the use of Morpho and Morpho Vaults that users must be aware of.
Morpho Security practices
Morpho is known for its industry-leading security practices and follows a multi-faceted approach to security.
Morpho security practices include formal verification, mutation tests, fuzzing, unit testing, and peer reviews that can be found within the respective GitHub repositories. External measures include professional security reviews, contests, and pre/post-deployment bounties.
A whole article was dedicated to the Morpho Security Framework.
Over time, Morpho has been audited 27 times by 12 different security firms. This covers Morpho Optimizers, Front-ends, Morpho Vaults and Morpho, and to our knowledge, makes Morpho the most audited project in the world.
Morpho Optimizers is renowned for achieving the highest score (98%) out of 300+ protocols on DeFiSafety, an independent rating agency that assesses how closely a protocol follows best practices.
Smart Contract Risk
There is an inherent risk that the protocol could contain a smart contract vulnerability or bug.
Several security measures are employed to mitigate this risk:
- Core contracts are immutable
- It is a simple and open-sourced code base that avoids complexities
- The code has been audited by multiple auditors; refer to the security reviews section
- Formal verification has been applied using Certora
- 2 ongoing bug bounty programs:
  - Immunefi - $2,500,000 (Morpho & Morpho vaults)
  - Cantina - $2,500,000 (Morpho & Morpho vaults)
Oracle Risk
Every Morpho market is connected to an oracle, established at market creation. It is important to understand that no oracle is immune to price manipulation, which can lead to liquidations or even bad debt. However, some oracles will be more resistant and resilient than others.
When assessing the reliability of an oracle, consider factors such as safety and liveness, particularly if the oracle is centralized. Also, take into account the settings and processes pertaining to the definition and frequency of price updates.
Counterparty Risk
Before entering a market, it's crucial to conduct thorough due diligence on the loan asset and the collateral asset to understand who holds power over them. Factors to consider include centralization, as a centralized governance could blacklist a specific user or even Morpho, resulting in a loss of funds. The distribution of the asset is also important, as a high concentration can cause extreme price fluctuations.
Liquidation Risk
Liquidation Risk (for borrowers)
Each Morpho market is linked to an immutable Liquidation Loan-to-Value (LLTV). If the Loan-To-Value of your position exceeds this LLTV, you will face liquidation. When borrowing on Morpho, carefully select the market and diligently manage the health of your position.
Bad Debt Risk (for lenders)
There could be circumstances in which the collateral's value for a position drops below the borrowed amount before liquidators can close the position. In such cases, the borrower holding this position has no incentive to repay the debt. Morpho has different mechanisms for accounting for bad debts. You can read more about it in the bad debt section.
Liquidity Risk (for lenders)
Liquidity refers to the access to supplied assets. A lack of liquidity can prevent suppliers from withdrawing their assets for a certain period of time. Liquidity issues are tackled through the interest rate model. Before providing liquidity, it's essential to understand the market's interest rate model. This understanding will help you estimate the level of liquidity you can expect in that market.
Morpho Vaults Specific Risks
Vault Governance Risks
Key roles within a Morpho Vault wield significant power, impacting user interests:
- The Owner has the ability to set performance fees, appoint curators and allocators, and adjust various other settings. Morpho Vaults impose a timelock on actions that may affect users' interests.
- The Curator can enable/disable markets. A timelock allows users to react to changes initiated by the curator.
- The Allocators determine the markets' supply/withdrawal order, influencing returns and liquidity for suppliers.
- The Guardian has the ability to revoke timelocked actions, providing an additional layer of protection for users.
When investing in a Morpho Vault, it is important to conduct thorough due diligence on the vault's settings and its allocation strategy, as well as to stay up to date with its changes.
Inflation Front-Running Attack Protection
Morpho Vaults (previously known as MetaMorpho vaults), like all ERC4626-compliant vaults, have a potential vulnerability to what is known as an "inflation front-running attack," particularly when the vault is newly created and empty. This vulnerability is explicitly mentioned in the Morpho Vault contract:
/// @inheritdoc IERC4626
/// @notice For tokens with 18 decimals, the protection against the inflation front-running attack is low. To
/// protect against this attack, vault deployers should make an initial deposit of a non-trivial amount in the vault
/// or depositors should check that the share price does not exceed a certain limit.
What is an Inflation Front-Running Attack?
This attack works as follows:
- An attacker sees a pending transaction where a user intends to deposit into an empty (or nearly empty) vault
- The attacker front-runs the transaction with a minimal deposit followed by a large donation directly to the vault
- This artificially inflates the share price of the vault
- When a user's deposit executes and is small enough, they receive significantly fewer shares than expected
- The attacker, as the majority shareholder, can benefit from this manipulation if more than one user's deposit receives fewer shares than expected
This vulnerability is most pronounced for tokens with 18 or more decimals, where the DECIMALS_OFFSET in the MetaMorpho contract is zero.
Protection Strategies
For Vault Deployers
Initial Deposit Strategy (Recommended)
Vault deployers should make an initial deposit of a non-trivial amount immediately after creating the vault:
- Deposit at least 0.1 tokens (1e17 in base units for an 18 decimal token) as soon as the vault is created
- This initial deposit can be implemented in two ways:
  - Permanent Protection (Preferred): Deposit to a burn address like 0x0000000000000000000000000000000000000001 or a multisig that will not withdraw the funds, ensuring the deposit permanently stays in the vault.
  - Temporary Protection: Deposit temporarily until at least 0.1 tokens from other depositors enter the vault, though note this leaves the vault vulnerable if it later becomes empty again.
// Example of making an initial "protection" deposit to a burn address
vault.deposit(1e17, address(0x0000000000000000000000000000000000000001));
For Users and Integrators
Share Price Verification
Users depositing into vaults should implement checks to prevent falling victim to this attack:
- For New or Low-Liquidity Vaults: Implement a maximum share price check with slippage protection:
// Example protection for users
uint256 maxAcceptableSharePrice = 1e27 * 1.0001; // Slightly above the expected 1:1 ratio
require(vault.previewDeposit(amount) >= computeExpectedShares(amount, maxAcceptableSharePrice));
- For Established Vaults: Standard slippage checks are typically sufficient, but should still be used
Risk Assessment by Token Decimals
The potential impact of an inflation attack varies based on token decimals and deposit sizes. With a "dead deposit" (deposit done by the curator) and assuming an extreme attack donation of up to 10M tokens, here are the details:
Token Decimals | Example | Dead Deposit | Minimum Deposit Size | Maximum Loss |
---|---|---|---|---|
6 decimals | USDC | 0.1 | > 0.01 tokens | < 0.01% |
7 decimals | | 0.01 | > 0.001 tokens | < 0.01% |
≥8 decimals | Most ERC20s | 0.001 | > 0.0001 tokens | < 0.01% |
For example, for tokens with 6 decimals, with a 0.1 token protection deposit, users making deposits larger than 0.01 tokens will lose less than 0.01% of their deposit value, even with an extreme attack of 10M tokens.
Best Practices for MetaMorpho Vault Curators
- Initial Protection: Always make an initial deposit of at least 0.1 tokens immediately after vault creation, preferably to a burn address
- Timelock + Protection: Implement both a 3-day timelock AND a 0.1 token initial deposit for optimal security
- Monitoring: Monitor the vault's share price relative to the underlying asset price to detect potential manipulation
Technical Details
The vulnerability exists because in ERC4626 vaults, the relationship between shares and assets determines the exchange rate. In an empty vault with no protection mechanisms:
- The attacker deposits a minimal amount (e.g., 1 wei of the token) and receives 1 share
- The attacker then transfers a large amount directly to the vault (e.g., 100M tokens)
- This creates an exchange rate where 1 share ≈ 100M tokens
- A user depositing 1 token would receive 0 shares due to the inflated exchange rate
The protection mechanisms recommended above prevent this either by ensuring the vault holds enough tokens that inflating the share price by donation becomes prohibitively expensive, or by adding checks that reject transactions with suspicious exchange rates.
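To quantify the numbers in the risk table and the technical details above, the following added example (not Morpho's contract code) models the share arithmetic with integers and measures a depositor's loss with and without a dead deposit, alongside the depositor-side share price check. It assumes OpenZeppelin-style virtual-share rounding and a decimals offset of max(0, 18 - decimals); the class and function names are hypothetical.

```python
# Added example: integer model of ERC4626 share math (assumed OpenZeppelin-style
# virtual shares; not Morpho's contract code). All amounts are in base units.

class Vault:
    def __init__(self, asset_decimals):
        # Assumption: offset is max(0, 18 - decimals), so it is zero at 18 decimals.
        self.virtual_shares = 10 ** max(0, 18 - asset_decimals)
        self.total_assets = 0
        self.total_supply = 0

    def preview_deposit(self, assets):
        return assets * (self.total_supply + self.virtual_shares) // (self.total_assets + 1)

    def preview_redeem(self, shares):
        return shares * (self.total_assets + 1) // (self.total_supply + self.virtual_shares)

    def deposit(self, assets):
        shares = self.preview_deposit(assets)
        self.total_assets += assets
        self.total_supply += shares
        return shares

    def donate(self, assets):
        # Assets added without minting shares: this is what inflates the share price.
        self.total_assets += assets


def share_price_ok(vault, assets, tolerance_bps=1):
    """Depositor-side check: reject if shares fall below the nominal rate minus tolerance."""
    nominal = assets * vault.virtual_shares
    return vault.preview_deposit(assets) * 10_000 >= nominal * (10_000 - tolerance_bps)


def depositor_loss(asset_decimals, dead_deposit, donation, user_deposit):
    """Return (shares, loss, check_passed) for a deposit made after a 1-unit deposit plus donation."""
    vault = Vault(asset_decimals)
    if dead_deposit:
        vault.deposit(dead_deposit)
    vault.deposit(1)
    vault.donate(donation)
    check_passed = share_price_ok(vault, user_deposit)
    shares = vault.deposit(user_deposit)
    return shares, user_deposit - vault.preview_redeem(shares), check_passed


UNIT18, UNIT6 = 10**18, 10**6  # constructed sample amounts: one whole token
unprotected = depositor_loss(18, 0, 100_000_000 * UNIT18, UNIT18)
protected18 = depositor_loss(18, UNIT18 // 10, 10_000_000 * UNIT18, UNIT18)
protected6 = depositor_loss(6, UNIT6 // 10, 10_000_000 * UNIT6, UNIT6)
```

In this model the dead deposit bounds the loss to rounding, while the share price check still rejects the donated-into vault because the price has moved away from the nominal rate; the two protections act independently.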
Additional Resources
For more information on ERC4626 and the inflation attack vulnerability: