Morpho (morpho.org)

Risk score: 4.8/10 (moderate)
Findings: 12 high, 18 medium
Last analyzed: 16 days ago (run #6, 6 analysis sections)

Summary

Morpho is a modular lending protocol with ~$6.5B TVL across 37+ EVM chains, built around immutable Morpho Blue core markets and curator-managed vaults. The lending logic itself has never been directly exploited and carries tier-1 audit coverage plus Certora formal verification, but governance is concentrated in a 5-of-9 multisig with no protocol-wide timelock, permissionless oracle selection has produced recurring market-level losses (~$480K in Oct 2024), and seven cross-chain deployments lack block-explorer verification. Overall risk is moderate (4.8/10).

Trust Assumptions

Depositors trust that the 5-of-9 governance multisig (0xcBa28…9AFa on Ethereum/Base) will honor off-chain Snapshot votes and not unilaterally upgrade the MORPHO token, reconfigure LayerZero bridge peers, or raise protocol fees without community notice. Users in specific Morpho Blue markets must trust that each market's oracle—often a permissionless MorphoChainlinkOracleV2 wrapping Chainlink feeds without staleness checks—is correctly configured by the market creator or vault curator. Vault depositors additionally trust individual curators and owners to set safe collateral parameters, timelocks, and adapter allowlists independent of protocol governance.
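The staleness point above is easiest to see numerically. The following is an added example, not Morpho's or Chainlink's code: it models a Chainlink-wrapping oracle once without and once with staleness, round-completeness and bounds checks, composes a Morpho-style quote-per-base price scaled by 1e36 from one base feed and one quote feed (ERC-4626 vault legs and second feeds are left out), and applies Morpho Blue's collateral * price * LLTV borrow limit. The 1e36 scale and the health rule are Morpho Blue's conventions as I know them; the token and feed decimals, the 86% LLTV, the one-hour max age, the answer bounds and the feed rounds are all constructed for the illustration.

```python
"""Stale Chainlink round through an unchecked vs. a guarded oracle wrapper.
Added example; simplified to one base feed and one quote feed, no vault legs."""
from dataclasses import dataclass

WAD = 10**18
ORACLE_PRICE_SCALE = 10**36  # Morpho Blue prices are quote-per-base scaled by 1e36


class StaleFeed(Exception):
    pass


@dataclass(frozen=True)
class RoundData:
    """Fields of Chainlink AggregatorV3Interface.latestRoundData()."""
    round_id: int
    answer: int
    started_at: int
    updated_at: int
    answered_in_round: int


def feed_price_unchecked(rd: RoundData) -> int:
    """Wrapper that only rejects non-positive answers: a stale round is accepted as-is."""
    if rd.answer <= 0:
        raise ValueError("non-positive answer")
    return rd.answer


def feed_price_guarded(rd: RoundData, now: int, max_age: int,
                       min_answer: int, max_answer: int) -> int:
    """Same read with the checks a hardened wrapper adds."""
    if rd.answer <= 0:
        raise ValueError("non-positive answer")
    if rd.updated_at == 0 or now - rd.updated_at > max_age:
        raise StaleFeed(f"round {rd.round_id} updated {now - rd.updated_at}s ago, limit {max_age}s")
    if rd.answered_in_round < rd.round_id:
        raise StaleFeed(f"round {rd.round_id} not yet answered")
    if not min_answer <= rd.answer <= max_answer:
        raise ValueError("answer outside configured bounds")
    return rd.answer


def market_price(base_answer: int, base_feed_dec: int, base_token_dec: int,
                 quote_answer: int, quote_feed_dec: int, quote_token_dec: int) -> int:
    """Quote units per base unit, scaled by 1e36 (one feed per side)."""
    scale_exp = 36 + quote_token_dec + quote_feed_dec - base_token_dec - base_feed_dec
    return 10**scale_exp * base_answer // quote_answer


def max_borrow(collateral: int, price: int, lltv_wad: int) -> int:
    """Morpho Blue health rule: collateral * price / 1e36 * lltv."""
    return collateral * price // ORACLE_PRICE_SCALE * lltv_wad // WAD


# Constructed scenario (not real feed data): 10 WETH (18 dec) collateral against a
# USDC (6 dec) loan, ETH/USD and USDC/USD feeds with 8 decimals, LLTV 86%.
NOW = 1_700_000_000
LLTV = 86 * 10**16
COLLATERAL = 10 * 10**18
USDC_ROUND = RoundData(900, 1 * 10**8, NOW - 600, NOW - 600, 900)
STALE_ETH_ROUND = RoundData(500, 3000 * 10**8, NOW - 2 * 86400, NOW - 2 * 86400, 500)  # 2 days old
FRESH_ETH_ROUND = RoundData(501, 2000 * 10**8, NOW - 300, NOW - 300, 501)  # market is now at 2000


def guarded(rd: RoundData) -> int:
    return feed_price_guarded(rd, NOW, max_age=3600, min_answer=10**7, max_answer=10**15)


def borrow_limit(eth_round: RoundData, wrapper) -> int:
    """Max USDC borrow against COLLATERAL under the given wrapper; raises if it rejects a feed."""
    price = market_price(wrapper(eth_round), 8, 18, wrapper(USDC_ROUND), 8, 6)
    return max_borrow(COLLATERAL, price, LLTV)


def rejects(eth_round: RoundData, wrapper) -> bool:
    """True if the wrapper refuses to price the market from this round."""
    try:
        borrow_limit(eth_round, wrapper)
    except StaleFeed:
        return True
    return False


if __name__ == "__main__":
    print("unchecked, stale 3000 feed:", borrow_limit(STALE_ETH_ROUND, feed_price_unchecked) / 1e6, "USDC")
    print("guarded, fresh 2000 feed  :", borrow_limit(FRESH_ETH_ROUND, guarded) / 1e6, "USDC")
    print("guarded, stale 3000 feed  : rejected =", rejects(STALE_ETH_ROUND, guarded))
```

With the stale round the unchecked wrapper lets the position borrow 25,800 USDC against collateral that the fresh feed values at 20,000 USDC (fresh limit 17,200), i.e. the market accepts an undercollateralized loan. The guarded wrapper refuses instead, which is the safer default for borrows but carries its own trade-off in Morpho Blue: a reverting oracle also reverts liquidations, so a staleness guard needs an operational answer (feed monitoring, a fallback, or a curator pause) rather than just a revert.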

What Could Go Wrong

A misconfigured or manipulable oracle on a permissionless market could again enable undercollateralized borrowing, as seen in the Oct 2024 PAXG/USDC exploit (~$230K) and May 2025 Aerodrome LP manipulation (~$49K bad debt). A compromise of five multisig signers would allow immediate, timelock-free upgrades to the MORPHO token proxy, fee-parameter changes on Morpho Blue, and LayerZero setPeer reconfiguration that could mint unbacked cross-chain tokens. Third-party contagion—such as the Mar 2026 Resolv USR depeg affecting ~15 vaults via Public Allocator automation—can route vault capital into broken markets even when core contracts operate as designed.

Recommendation

Morpho Blue core lending is suitable for institutional-scale allocation when users stick to well-audited vaults and markets with established Chainlink oracles and reputable curators (e.g., Coinbase, Gemini integrations). Avoid obscure permissionless markets with custom oracles. Monitor multisig signer composition, cross-chain contract verification status (7 of 26 tracked instances remain unverified), MORPHO vesting unlocks (~11.6M tokens/month through April 2028), and any governance proposal to activate the fee switch or upgrade token logic. Reduce exposure to vaults with aggressive Public Allocator automation during external stablecoin or bridge stress events.

Key Findings (30)

Severity | Finding | Category
high | Unverified Morpho Blue on Base | verification
high | Unverified MorphoChainlinkOracleV2 Factory on Arbitrum | verification
high | Unverified MetaMorpho Factory Alt on Ethereum | verification
high | Unverified VaultV2Factory on Arbitrum | verification
high | Unverified Bundler3 on Base | verification
high | Unverified MORPHO LayerZero OFT on Arbitrum | verification
high | Unverified Governance Multisig on Base | verification
high | No Timelock on Governance Multisig Execution | timelock
high | Upgradeable MORPHO Token Controlled by Governance Multisig | centralization
high | Permissionless Oracle Selection With No Protocol-Level Safeguards | oracle
high | June 2023 AaveV3-ETH Optimizer Index Caching Vulnerability | incident
high | October 2024 LeadBlock PAXG/USDC Oracle Misconfiguration | incident
medium | MORPHO Token Uses UUPS Upgradeable Proxy | upgradability
medium | Morpho Blue Owner Has Fee and Whitelist Powers | access-control
medium | LayerZero Bridge Adapters Have Owner-Controlled Peer Configuration | bridge
medium | Permissionless Market Creation With Oracle Risk | architecture
medium | Cross-Chain Safe Address Asymmetry on Arbitrum | cross-chain
medium | Off-Chain Snapshot Voting Without On-Chain Enforcement | governance-process
medium | LayerZero Bridge Under Multisig Control With Active Suspension | bridge
medium | Rewards Multisig Configuration Differs From Discovery Label | documentation
medium | Heavy Allocation to Foundation, Investors, and Insiders | concentration
medium | Significant Vesting Unlock Pressure Through 2028 | vesting
medium | No Value Capture: Fee Switch Never Activated | utility
medium | Discretionary DAO Reward Emissions from Treasury | emission
medium | Upgradeable Token Contract and Low Governance Participation | governance
medium | Chainlink Feeds Without Staleness or Bounds Checks | oracle
medium | ERC4626 Vault Pricing Dependency in Oracles | oracle
medium | LayerZero OFT Bridge Paused on Arbitrum (Peers Zeroed) | bridge
medium | LayerZero setPeer Controlled by Multisig (Not EOA) | bridge
medium | 7 Unverified Cross-Chain Deployments Block Source Verification | verification-gap

Analysis Sections

Governance

Morpho uses off-chain Snapshot voting (500k MORPHO threshold) with on-chain execution by a verified 5-of-9 Gnosis Safe at 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa on Ethereum and Base. Core Morpho Blue lending logic is immutable; governance controls IRM/LLTV whitelisting, fee switches, the upgradeable MORPHO token, LayerZero bridge config, and MorphoRegistry. No protocol-wide timelock protects multisig actions. Arbitrum Morpho Blue is owned by a separate Safe deployment (0xfd358f49678bd408fbce0cf6bb9dfa5857d5d9b2) with identical 5/9 signers.

Findings (9)

[high] No Timelock on Governance Multisig Execution

The primary 5/9 Gnosis Safe can execute privileged actions immediately once threshold signatures are collected. There is no on-chain TimelockController or Safe module enforcing a delay between vote passage and execution. This applies to Morpho Blue owner functions (enableIrm, enableLltv, setFee, setFeeRecipient), MORPHO token upgrades, LayerZero bridge configuration, and MorphoRegistry updates.

Evidence (on-chain RPC): getThreshold() on 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa returns 5; getModules() reverts. Note that current Safe versions no longer expose getModules() (it was replaced by getModulesPaginated(address,uint256)), so the revert alone does not prove that no delay module is enabled; the paginated call is the one to check.
Evidence (contract source): Morpho Blue onlyOwner functions (setOwner, enableIrm, enableLltv, setFee, setFeeRecipient) carry no timelock modifier in 0xbbbbbbbbbb9cc5e90e3b3af64bdaf62c37eeffcb.sol
[high] Upgradeable MORPHO Token Controlled by Governance Multisig

The MORPHO token on Ethereum (0x58D97B57BB95320F9a05dC918Aef65434969c2B2) is an ERC1967 upgradeable proxy. owner() resolves to the governance multisig, granting the ability to upgrade token logic without a timelock. Base MORPHO (0xBAa5CC21fd487B8Fcc2F632f3F4E8D37262a0842) shares the same owner.

Evidence (on-chain RPC): owner() on the MORPHO proxy returns 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa; the ERC1967 implementation slot resolves to 0x4364fd2371b6318159366abfa51f190df5c24852
Evidence (contract source): ERC1967Proxy with upgradeToAndCall in 0x58d97b57bb95320f9a05dc918aef65434969c2b2.sol
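The two findings above (no delay module on the execution Safe, and an upgradeable token proxy owned by that same Safe) are the kind of thing a depositor should re-check rather than take on trust. Below is an added example, not Morpho's or Safe's code, of the raw JSON-RPC reads behind such a check: it ABI-encodes the calls by hand so it needs nothing outside the Python standard library, decodes getThreshold(), getOwners() and getModulesPaginated(address,uint256) on the Safe, reads owner() on Morpho Blue and the MORPHO proxy, and reads the ERC-1967 implementation slot directly. The four function selectors and the slot constant are the standard values for those signatures. The addresses are the ones this page verifies; the nine signer addresses are constructed placeholders because the page does not list the real set; fake_rpc serves canned responses so the script runs offline and is meant to be swapped for a real JSON-RPC client.

```python
"""Offline reproduction of the Safe / proxy ownership checks. Added example,
not Morpho's or Safe's code; fake_rpc stands in for a JSON-RPC endpoint."""
from typing import Callable, Dict, List

# Selectors: first 4 bytes of keccak256(signature), hardcoded to stay stdlib-only.
SEL_OWNER = "8da5cb5b"                  # owner()
SEL_GET_THRESHOLD = "e75235b8"          # getThreshold()
SEL_GET_OWNERS = "a0e67e2b"             # getOwners()
SEL_GET_MODULES_PAGINATED = "cc2f8452"  # getModulesPaginated(address,uint256)
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"  # ERC-1967
SENTINEL = "0x0000000000000000000000000000000000000001"  # Safe linked-list sentinel

# Addresses from the page, lowercased for comparison.
SAFE = "0xcba28b38103307ec8da98377fff9816c164f9afa"
MORPHO_BLUE = "0xbbbbbbbbbb9cc5e90e3b3af64bdaf62c37eeffcb"
MORPHO_TOKEN = "0x58d97b57bb95320f9a05dc918aef65434969c2b2"
MORPHO_IMPL = "0x4364fd2371b6318159366abfa51f190df5c24852"
# Constructed placeholder signers: the page does not list the real nine.
SAMPLE_OWNERS = ["0x" + f"{0xa000 + i:040x}" for i in range(9)]

Rpc = Callable[[str, list], str]  # (method, params) -> hex result string


def strip0x(s: str) -> str:
    return s[2:] if s.startswith("0x") else s


def enc_uint(n: int) -> str:
    return f"{n:064x}"


def enc_addr(a: str) -> str:
    return strip0x(a.lower()).rjust(64, "0")


def dec_uint(word: str) -> int:
    return int(word, 16)


def dec_addr(word: str) -> str:
    return "0x" + word[-40:]


def dec_addr_array(data: str, head_index: int = 0) -> List[str]:
    """Decode a dynamic address[] whose offset is stored in head word `head_index`."""
    words = [data[i:i + 64] for i in range(0, len(data), 64)]
    start = dec_uint(words[head_index]) // 32
    n = dec_uint(words[start])
    return [dec_addr(words[start + 1 + i]) for i in range(n)]


def eth_call(rpc: Rpc, to: str, data: str) -> str:
    return strip0x(rpc("eth_call", [{"to": to, "data": "0x" + data}, "latest"]))


def safe_config(rpc: Rpc, safe: str) -> Dict:
    threshold = dec_uint(eth_call(rpc, safe, SEL_GET_THRESHOLD))
    owners = dec_addr_array(eth_call(rpc, safe, SEL_GET_OWNERS))
    # getModulesPaginated(start, pageSize) returns (address[] array, address next).
    # Use it rather than the legacy getModules(), which current Safes no longer have.
    raw = eth_call(rpc, safe, SEL_GET_MODULES_PAGINATED + enc_addr(SENTINEL) + enc_uint(50))
    return {"threshold": threshold, "owners": owners, "modules": dec_addr_array(raw, 0)}


def proxy_info(rpc: Rpc, proxy: str) -> Dict:
    slot = strip0x(rpc("eth_getStorageAt", [proxy, IMPL_SLOT, "latest"]))
    return {"implementation": dec_addr(slot), "owner": dec_addr(eth_call(rpc, proxy, SEL_OWNER))}


def assess_governance(rpc: Rpc) -> Dict:
    safe = safe_config(rpc, SAFE)
    token = proxy_info(rpc, MORPHO_TOKEN)
    blue_owner = dec_addr(eth_call(rpc, MORPHO_BLUE, SEL_OWNER))
    findings = []
    if 2 * safe["threshold"] <= len(safe["owners"]):
        findings.append("threshold is not a strict majority of signers")
    if not safe["modules"]:
        findings.append("no Safe module enabled: nothing delays execution once signatures are collected (no timelock)")
    if token["owner"] == SAFE and int(token["implementation"], 16) != 0:
        findings.append("MORPHO proxy upgrade authority rests with the execution multisig")
    if blue_owner == SAFE:
        findings.append("Morpho Blue owner functions (enableIrm/enableLltv/setFee) sit behind the same multisig")
    return {"safe": safe, "token": token, "blue_owner": blue_owner, "findings": findings}


def fake_rpc(method: str, params: list) -> str:
    """Canned responses reproducing the page's verified values; replace with a real client."""
    if method == "eth_getStorageAt":
        addr, slot, _ = params
        hit = (addr.lower(), slot) == (MORPHO_TOKEN, IMPL_SLOT)
        return "0x" + (enc_addr(MORPHO_IMPL) if hit else enc_uint(0))
    if method == "eth_call":
        to, data = params[0]["to"].lower(), strip0x(params[0]["data"])
        sel = data[:8]
        if to == SAFE and sel == SEL_GET_THRESHOLD:
            return "0x" + enc_uint(5)
        if to == SAFE and sel == SEL_GET_OWNERS:
            return "0x" + enc_uint(32) + enc_uint(len(SAMPLE_OWNERS)) + "".join(map(enc_addr, SAMPLE_OWNERS))
        if to == SAFE and sel == SEL_GET_MODULES_PAGINATED:
            return "0x" + enc_uint(64) + enc_addr(SENTINEL) + enc_uint(0)  # empty module list
        if to in (MORPHO_TOKEN, MORPHO_BLUE) and sel == SEL_OWNER:
            return "0x" + enc_addr(SAFE)
    raise ValueError(f"unhandled {method} {params}")


if __name__ == "__main__":
    for line in assess_governance(fake_rpc)["findings"]:
        print("-", line)
```

Against a live endpoint the same three findings should appear for the page's addresses as long as the state described here still holds; an empty module list is what turns "no timelock" from an inference into an observation, and a non-zero implementation slot plus owner() == Safe is the complete condition for "upgradeable without delay".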
[medium] Cross-Chain Safe Address Asymmetry on Arbitrum

While Ethereum and Base share the canonical governance multisig at 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa (verified 5/9, identical signers), Arbitrum Morpho Blue owner() points to a distinct Safe at 0xfd358f49678bd408fbce0cf6bb9dfa5857d5d9b2. On-chain verification confirms this Arbitrum Safe has the same 9 owners and threshold of 5, but the address divergence increases operational risk and audit surface across 37+ deployed chains where ownership may not be uniformly verified.

Evidence (on-chain RPC): MorphoBlue_arb owner() = 0xfd358f49678bd408fbce0cf6bb9dfa5857d5d9b2; getThreshold() = 5; getOwners() returns the same 9 addresses as the canonical multisig
Evidence (discovery.json): protocol deployed across 37+ EVM chains; governance multisig only listed for ethereum and base
[medium] Off-Chain Snapshot Voting Without On-Chain Enforcement

Governance proposals are voted on via Snapshot (morpho.eth space) with a 500k MORPHO proposal threshold, but execution relies on the 5/9 multisig voluntarily honoring off-chain results. There is no on-chain Governor contract binding vote outcomes to execution, creating a trust gap between token-holder signaling and privileged on-chain actions.

Evidence (protocol docs): docs.morpho.org describes MORPHO token holder voting via Snapshot, a 500k MORPHO proposal threshold, and 5/9 multisig execution
Evidence (on-chain RPC): no Governor or TimelockController contract identified at the listed governance addresses
[medium] LayerZero Bridge Under Multisig Control With Active Suspension

The Ethereum LayerZero OFT adapter (0x50d3d6fD7518682155E3C1B65FDD50e1b35649D9) owner() is the governance multisig, granting setPeer, setDelegate, and rate-limit configuration powers. The Arbitrum bridge was proactively suspended following the April 2026 Kelp DAO/LayerZero incident, indicating ongoing operational dependency on multisig discretion for cross-chain MORPHO transfers.

Evidence (on-chain RPC): owner() on 0x50d3d6fD7518682155E3C1B65FDD50e1b35649D9 returns 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa
Evidence (discovery.json): 2026-04-19 incident: MORPHO LayerZero OFT bridge on Arbitrum paused; remains suspended
Evidence (contract source): setPeer, setDelegate and setRateLimits are onlyOwner in the LayerZero OApp contracts
[medium] Rewards Multisig Configuration Differs From Discovery Label

Discovery labels the Ethereum rewards multisig as 3/5, but on-chain verification shows 0xF057afeEc22E220f47AD4220871364e9E828b2e9 is a 3-of-7 Gnosis Safe. Base rewards multisig (0x5Eb982bb1E620cC3927E5CF8A5D207e667643297) is correctly 3/5. Documentation inconsistency reduces transparency for rewards distribution governance.

Evidence (on-chain RPC): rewardsMultisig_eth getThreshold() = 3, getOwners() length = 7; rewardsMultisig_base getThreshold() = 3, getOwners() length = 5
Evidence (discovery.json): listed as MORPHO Rewards Multisig (3/5) for both ethereum and base
[info] Morpho Blue Core Lending Logic Is Immutable

Morpho Blue market logic (supply, borrow, liquidate, flashLoan) has no upgrade path. The owner role is limited to whitelisting IRMs and LLTVs, setting per-market fees (capped at 25%), changing fee recipient, and transferring ownership. Market creation is permissionless once IRM/LLTV/oracle are enabled.

Evidence (contract source): onlyOwner is restricted to setOwner, enableIrm, enableLltv, setFee, setFeeRecipient in Morpho.sol; createMarket is permissionless
Evidence (on-chain RPC): MorphoBlue_eth owner() = 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa; MorphoBlue_base owner() = same
[info] Factory and Periphery Contracts Are Permissionless

MetaMorpho Factory, Oracle Factory, VaultV2 Factory, and PublicAllocator have no protocol-level owner. Anyone can deploy vaults, oracles, and use the public allocator. Risk is compartmentalized to individual vault curators/owners who set their own timelocks and roles.

Evidence (contract source): MetaMorphoV1_1Factory, MorphoChainlinkOracleV2Factory and VaultV2Factory have no owner(); PublicAllocator uses a per-vault admin mapping
Evidence (on-chain RPC): owner() reverts on OracleFactory, MetaMorphoFactory, VaultV2Factory and PublicAllocator
[info] Vault-Level Curator/Owner Model With Per-Function Timelocks

MetaMorpho V1.1 and Vault V2 vaults delegate risk management to per-vault owners, curators, allocators, and sentinels. Vault V2 supports configurable timelocks per function selector and abdication of privileged roles. This isolates vault risk from protocol governance but means depositors must assess individual vault governance.

Evidence (contract source): MetaMorphoV1_1 has owner, curator, guardian and a timelock with pending state; VaultV2 has mapping(bytes4 => uint256) timelock and owner/curator/allocator roles

Governance Checklist

Multisig (not EOA): 5/9 Gnosis Safe verified on-chain at 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa (ETH & Base)
Timelock on upgrades: none protocol-wide; the multisig executes immediately
On-chain governance: Snapshot off-chain voting only; the multisig is the execution layer
Core lending immutable: Morpho Blue market logic is non-upgradeable
Cross-chain governance unified: same signers on Arbitrum but a different Safe address; 37+ chains largely unverified

Verified Multisig Configuration

Multisig | Chain | Address | Threshold | Owners
Governance | Ethereum | 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa | 5/9 | 9 (verified on-chain)
Governance | Base | 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa | 5/9 | 9 (same signers as ETH)
Morpho Blue Owner | Arbitrum | 0xfd358f49678bd408fbce0cf6bb9dfa5857d5d9b2 | 5/9 | 9 (same signers, different Safe)
Rewards | Ethereum | 0xF057afeEc22E220f47AD4220871364e9E828b2e9 | 3/7 | 7 (verified on-chain)
Rewards | Base | 0x5Eb982bb1E620cC3927E5CF8A5D207e667643297 | 3/5 | 5 (verified on-chain)

On-Chain Ownership Map (Verified Contracts)

Contract | Chain | Controller | Type
Morpho Blue | Ethereum | 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa | 5/9 Multisig
Morpho Blue | Base | 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa | 5/9 Multisig
Morpho Blue | Arbitrum | 0xfd358f49678bd408fbce0cf6bb9dfa5857d5d9b2 | 5/9 Multisig (distinct address)
MORPHO Token | Ethereum | 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa | 5/9 Multisig (upgradeable proxy)
MORPHO Token | Base | 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa | 5/9 Multisig
LayerZero OFT Adapter | Ethereum | 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa | 5/9 Multisig
MorphoRegistry | Ethereum | 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa | 5/9 Multisig
Oracle/MetaMorpho/VaultV2 Factories | Ethereum | None | Permissionless
PublicAllocator | Ethereum | None (per-vault admin) | Permissionless

Governance Metrics

Execution Multisig Threshold: 5 of 9
Proposal Threshold: 500,000 MORPHO
Protocol Timelock: None
Voting Mechanism: Snapshot (off-chain)
Core Contract Upgradeability: Immutable (Morpho Blue)