17 June 2022
Live since
KYC required
Maximum bounty
06 September 2023
Last updated

Program Overview

Morpho is a Peer-to-Peer layer on top of lending pools like Compound or Aave. Rates are seamlessly improved for both suppliers and borrowers whilst preserving the same liquidity and liquidation guarantees. In short, Compound Optimizer is an upgraded version of Compound, Aave Optmizers are upgraded version of Aave.

For more information about Morpho, please visit https://www.morpho.org.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.1 and its likelihood. The classification is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported. For Morpho the “None” has been removed.

The likelihood can be asses with the following elements:

  • Very Likely: no capital required, atomic attack, no assumptions to be made
  • Likely: low capital required, simple attack, some low assumptions to be made
  • Unlikely: high capital required, attack over several blocks, relying on strong assumptions
  • Very Unlikely: very high capital required, attack over several blocks or very complex to perform, relying on very strong assumptions

Smart Contracts

Critical Up to USD 555 555

Very Likely$5,000.00$15,000.00$100,000.00$555,555.00
Very Unlikely$0$0$1,000.00$5,000.00

Websites and Applications

Critical USD 50 000

Very Likely$500.00$1,000.00$10,000.00$50,000.00
Very Unlikely$0$0$200.00$500.00

All bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Rewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 55 555 for Critical smart contract bug reports.

Current and past contractors with Morpho Labs or the Morpho Association are not eligible for any rewards from this bug bounty program.

Morpho requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is a scan of a photo ID. Morpho will also request an invoice with your name, email address and crypto wallet address in order to payout the reward.

The following known issues are considered to be out of scope of this program:

  • Rounding errors.

  • COMP rewards can be claimed as part of the reserve factor if COMP is listed as market.

  • Someone can repay on behalf of Morpho.

  • Relatively high gas consumption.

  • Extreme market turmoil vulnerability.

  • Some contracts are not set yet (eg: IncentivesVault).

  • Manipulation of the matching engine. Here are some examples:

    • Split large amounts: On Morpho, pure supplier whales are always in the first positions of data structures and constantly matched/unmatched. What is possible to do is to supply a large amount with a first account. Borrow-repay (free), to match itself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge liquidity matched splitted across multiple accounts.
    • Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it’s possible to supply enough to become the first user waiting to be matched. Then borrow-repay (free), to match peer-to-peer the user itself as well as the second one. Then withdraw the flasloaned amount and end the tx. The user is thus matched peer-to-peer.
  • All other issues acknowledged in the audits in this repo: https://github.com/morpho-dao/morpho-v1/ and https://github.com/morpho-dao/morpho-aave-v3

Payouts are handled by the Morpho Labs team directly and are denominated in USD. However, payouts are done in USDC or DAI, at the discretion of the team.

Smart Contract

Up to USD $555,555
PoC Required
USD $15,000
PoC Required
USD $1,000
PoC Required

Websites and Applications

USD $50,000
PoC Required

Assets in scope

For proxy contracts, only the current implementation and any further updates to the implementation contracts are considered in scope.

All smart contracts of Morpho can be found at https://github.com/morpho-dao/morpho-v1 and https://github.com/morpho-dao/morpho-aave-v3. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

The DAO setup is also in scope, you can refer to Morpho’s documentation as a reference. Contracts implementation are not in scope though.

If any Critical or High severity impacts can be caused to any other asset managed by Morpho that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Loss of governance funds
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed rewards
  • Temporary freezing of funds
  • Permanent freezing of funds
  • Smart contract unable to operate due to lack of token funds
  • Block stuffing for profit
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Infinite/unbounded gas consumptions, infinite loops

Websites and Applications

  • Substituting of the contract address

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Attacks requiring physical access to the victim device
  • Attacks requiring access to the local network of the victim
  • Reflected plain text injection ex: url parameters, path, etc.
    • This does not exclude reflected HTML injection with or without javascript
    • This does not exclude persistent plain text injection
  • Self-XSS
  • Captcha bypass using OCR without impact demonstration
  • CSRF with no state modifying security impact (ex: logout CSRF)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
  • Server-side non-confidential information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities used only to enumerate or confirm the existence of users or tenants
  • Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Feature requests
  • Issues related to the frontend without concrete impact and PoC
  • Best practices issues without concrete impact and PoC
  • Vulnerabilities primarily caused by browser/plugin defects
  • Leakage of non sensitive api keys ex: etherscan, Infura, Alchemy, etc.
  • Any vulnerability exploit requiring browser bugs for exploitation. ex: CSP bypass

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

All contractors with Morpho Labs or with the Morpho Association cannot claim the bounty.