Morpho V1 (Morpho Blue + MetaMorpho)
Immutable, permissionless singleton lending primitive (Morpho Blue) with a curator-governed ERC-4626 vault layer (MetaMorpho) on top. Each Morpho Blue market is isolated with one collateral asset, one loan asset, one oracle, one IRM, and one LLTV.
Deployments: Ethereum · $3.3B
Risk profile at a glance
0 red · 3 yellow · 9 green
Categories & evidence
184 factors · 13 categories
Code & audits Green 4 25 of 25
RD-F-002 yellow Audit recency Most recent audit of any deployed code is ~546 days ago (Nov 2024 OZ+Spearbit on MetaMorpho v1.1); Morpho Blue core immutable singleton last audited Jan 2024 (~1185 days), though immutability makes re-audit structurally unnecessary.
RD-F-003 yellow Resolved-without-proof findings No known evidence of findings marked resolved without on-chain proof; release tag progression (alpha->beta->v1.0.0) indicates iterative fix application; full PDF review not completed due to binary PDF access limitations.
RD-F-010 yellow Static-analyzer high-severity count No live Slither/Mythril run performed; Certora formal verification and multiple pre-launch audits substantially substitute, but formal static-analysis output is unavailable; gap flagged as needing a tool run.
RD-F-021 n/a UUPS _authorizeUpgrade correctly permissioned Morpho Blue is a non-proxy standalone singleton; MetaMorpho vaults are deployed via constructor (not UUPS); _authorizeUpgrade is not present in any core contract.
RD-F-023 n/a Constructor calls _disableInitializers() Morpho Blue and MetaMorpho use plain constructors (not upgradeable proxy patterns); _disableInitializers() is an OZ pattern for UUPS implementation contracts and does not apply here.
RD-F-001 green Audit scope mismatch Morpho Blue v1.0.0 tag (SHA 55d2d99) corresponds to Dec 2023 deploy; Etherscan shows exact-match verified source for 0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb; post-audit commits are CI/docs only.
RD-F-004 green Audit count At least 4 distinct audit firms across 11 engagements: OpenZeppelin (3x), Spearbit/Cantina (4x+), Cantina competition (2x), ABDK (1x). Core Morpho Blue singleton audited by OZ and Spearbit pre-launch.
RD-F-005 green Audit firm tier OpenZeppelin (Tier-1) and Spearbit (Tier-1) both audited the core Morpho Blue singleton pre-launch; Cantina managed reviews also Tier-1/2; ABDK is Tier-2. At least two Tier-1 firms confirmed.
RD-F-006 green Audit-to-deploy gap Gap between last pre-launch audit (Spearbit/Cantina managed Nov 2023) and mainnet deploy (Dec 28, 2023) is approximately 45 days, within the ≤60 days green threshold.
RD-F-007 green Bug bounty presence & max payout Active Immunefi program with $2.5M max payout for Morpho Blue smart contracts (10% of funds at risk); MetaMorpho covered at $1.5M max; program live since mid-2024.
RD-F-008 green Ignored bounty disclosure No evidence of ignored bounty disclosure; Oct 2024 incident was market-level oracle misconfiguration (not protocol vulnerability); Apr 2025 was frontend-only with $0 net loss.
RD-F-009 green Formal verification coverage Certora formal verification covers 11 specification files including reentrancy safety, financial integrity, share accounting, authorization, market independence, and liveness; Halmos also used. Systematic coverage across all major protocol functions.
RD-F-011 green SELFDESTRUCT reachable from non-admin path No SELFDESTRUCT opcode in Morpho.sol; Certora formal verification explicitly confirms no delegatecall ensuring contract immutability; no admin-callable selfdestruct path exists.
RD-F-012 green delegatecall with user-controlled target No delegatecall in Morpho.sol; Certora formal verification explicitly confirms no delegatecall to other contracts, ensuring contract immutability and no user-controlled delegatecall vector.
RD-F-013 green Arbitrary call with user-controlled target Morpho.sol uses only typed IERC20 interface calls on market-defined token addresses; callbacks invoke msg.sender (the caller themselves), not an arbitrary user-supplied target; no unconstrained external call with user-controlled target+data.
RD-F-014 green Reentrancy guard on external-calling functions Certora formal verification (reentrancySafe rule) explicitly proves Morpho Blue is not vulnerable to reentrancy attacks via storage-call-storage pattern analysis; no standard nonReentrant modifier but formal proof provides stronger assurance.
RD-F-015 green ERC-777/1155/721 hook without reentrancy guard Morpho.sol integrates only standard ERC-20 IERC20 interface; no ERC-777, ERC-1155, or ERC-721 callback integrations present in the core singleton; no unguarded callback hook exposure.
RD-F-016 green Divide-before-multiply pattern Morpho Blue uses mulDivUp() and mulDivDown() utility functions (multiplication before division); no divide-before-multiply pattern identified in source inspection or audit findings.
RD-F-017 green Mixed-decimals math without explicit scaling Morpho Blue share-based accounting operates per-market with market-specific token pairs; share mathematics is self-consistent within each isolated market; no cross-decimal arithmetic issue identified in audits or source inspection.
RD-F-018 green Signed/unsigned arithmetic confusion Morpho.sol uses uint256 throughout with explicit conversion functions (toUint128, UtilsLib.zeroFloorSub); no signed/unsigned arithmetic confusion identified in source inspection or audit findings.
RD-F-019 green ecrecover zero-address return unchecked setAuthorizationWithSig() in Morpho.sol explicitly checks require(signatory != address(0) && authorization.authorizer == signatory) — proper address(0) guard on ecrecover return.
RD-F-020 green EIP-712 domain separator missing chainId Morpho.sol constructor computes DOMAIN_SEPARATOR = keccak256(abi.encode(DOMAIN_TYPEHASH, block.chainid, address(this))) — chainId correctly included, preventing cross-chain replay.
RD-F-022 green Public initialize() without initializer modifier Morpho Blue has no initialize() function — uses traditional constructor with newOwner parameter; MetaMorpho deployed via constructor with salt (not proxy initializer); no unprotected initialize() on any core contract.
RD-F-024 green Code complexity vs audit coverage Morpho Blue core is ~600 LOC (per Certora blog); three independent pre-launch audits (OZ, Spearbit, Cantina competition) plus Certora formal verification provide excellent coverage relative to this minimal codebase.
RD-F-183 green Bug bounty scope gap on highest-TVL contracts Immunefi program explicitly covers Morpho Blue smart contracts at $2.5M max (highest tier); MetaMorpho/periphery at $1.5M; highest-TVL contracts are clearly in scope, not excluded.
Governance & admin Green 19 24 of 24
RD-F-047 red Governance token concentration (Gini) MORPHO token allocation: Morpho governance 35.4% + strategic partners 27.5% + founders 15.2% = top-3 entities control ~78% of total supply. Gini coefficient likely >0.85. Concentration is high.
RD-F-031 yellow Signer rotation recency MIP-91 proposed replacing 2 signers (lateral replacement, no threshold reduction). No DPRK-precursor pattern (threshold reduction + timelock removal within 14 days). Recent rotation within 90 days.
RD-F-032 yellow Timelock duration on upgrades Zodiac Delay Modifier (0x68d11129a514c45716e55b9771813f117c4c2fa5) enforces 24-hour delay. Green threshold is >=48h; yellow is 24-47h. 24h = yellow.
RD-F-033 yellow Timelock on sensitive actions Morpho Blue admin functions (setFee, setFeeRecipient, enableIrm, enableLltv, setOwner) route through 24h Zodiac Delay Modifier. No pause/rescue functions exist. Oracle is market-level (not DAO-controlled). 3-of-5 actions timelocked; no upgrade path needed (immutable core).
RD-F-034 yellow Guardian/pause-keeper distinct from upgrader Morpho Blue has no pause function (immutable). MORPHO token: DAO multisig holds both upgrade and treasury roles — no distinct guardian. MetaMorpho vaults: Guardian role distinct from Owner at vault level (positive). DAO-level guardian separation absent.
RD-F-035 yellow Role separation: upgrade ≠ fee ≠ oracle Morpho Blue: upgrade role N/A (immutable). Fee and IRM/LLTV config both held by same DAO multisig — not separated. MORPHO token: upgrade + fee recipient + treasury all controlled by same DAO multisig. Rewards multisig separate for distribution. Partial separation exists.
RD-F-036 yellow Flash-loanable voting weight Snapshot-only governance records voting power at a past block number — structurally prevents flash-loan attack. MORPHO token is flash-loanable on secondary markets, but a flash loan post-snapshot carries no voting weight. MIP-75 wrapper adds ERC20Votes checkpointing for on-chain governance. Snapshot strategy for morpho.eth not directly verified via API.
RD-F-038 yellow Proposal execution delay < 24h Snapshot vote → 5-of-9 multisig queues via Zodiac Delay Modifier → 24-hour timelock → execution. Minimum delay is 24 hours (the Delay Modifier). Meets yellow threshold (24-47h).
RD-F-040 yellow Emergency-veto multisig present No formally documented emergency-veto multisig distinct from DAO multisig. Multisig signers can refuse to queue malicious proposals (passive veto), but no explicit on-chain veto mechanism exists.
RD-F-042 yellow Admin has mint() with unlimited max MORPHO token is an ERC1967 upgradeable proxy owned by DAO multisig. Max supply 1B enforced in current implementation. DAO could theoretically upgrade implementation to modify cap — requires Snapshot vote + 5-of-9 multisig + 24h Delay Modifier.
RD-F-029 gray Multisig signers co-hosted Signer identities mostly undisclosed (only 2 of 9 named in MIP-91). Cannot verify co-hosting or infrastructure independence. 'Proof of distinct humanity' initiative proposed but not confirmed complete.
RD-F-030 gray Hot-wallet signer flag Signer addresses mostly undisclosed (2 of 9 named). Cannot assess hot-wallet behavior for remaining signers. Forum post recommends hardware wallet requirements but enforcement not confirmed.
RD-F-167 gray Deprecated contract paused but pause reversible by live admin Deprecated Morpho Optimizers (V0) are out of scope for this profile. coverage_flags.has_legacy_v1 = true but refers to a separate product. DAO admin-pause over deprecated Optimizer contracts not verifiable from available sources.
RD-F-025 green Admin key custody type Morpho Blue owner is 5-of-9 Gnosis Safe multisig + 24-hour Zodiac Delay Modifier. Classification: multisig+timelock. MORPHO token also owned by DAO multisig.
RD-F-026 green Upgrade multisig signer configuration (M/N) Multiple distinct admin domains: DAO multisig (5-of-9), Rewards multisig (3-of-5), Zodiac Delay Modifier module. Per-vault curators separate from DAO. Role distribution confirmed.
RD-F-027 green Single admin EOA Morpho Blue owner() = 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa, Gnosis Safe Singleton 1.3.0 proxy, 5-of-9 threshold. Not an EOA.
RD-F-028 green Low-threshold multisig vs TVL Primary DAO multisig is 5-of-9 at $6.6B TVL — exceeds peer norm. Rewards multisig is 3-of-5 but controls only token rewards, not user collateral. Base DAO multisig threshold not confirmed.
RD-F-037 green Quorum achievable via single-entity flash loan No on-chain governor contract (data cache: governor_address null). Snapshot-only governance with block-snapshot mechanism makes flash-loan quorum attack structurally infeasible.
RD-F-039 green delegatecall/call in proposal execution without allowlist No on-chain Governor/executor contract. Governance is Snapshot + 5-of-9 multisig execution. No proposal-payload delegatecall to arbitrary targets. Zodiac Delay Modifier queues pre-approved specific calldata.
RD-F-041 green Rescue/emergencyWithdraw without timelock Morpho Blue core has no rescue/emergencyWithdraw/sweep functions — confirmed from Morpho.sol source. MetaMorpho skim() is gated by curator role with pre-set skimRecipient; no direct-drain-to-arbitrary-address path.
RD-F-043 green Admin = deployer EOA after 7 days Current Morpho Blue owner is DAO multisig 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa, not deployer EOA 0x937ce2d6c488b361825d2db5e8a70e26d48afed5. Protocol has been live 16+ months with DAO multisig control.
RD-F-044 green Admin wallet interacts with flagged addresses DAO multisig 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa labeled 'Morpho: Morpho DAO' on Etherscan — no mixer or flagged-address label. No adverse interactions identified.
RD-F-045 green Constructor args match governance proposal MIP59 governance proposal confirms DAO multisig ownership on Base — constructor args consistent with announced deployment. No constructor arg deviations identified.
RD-F-046 green Contract unverified on Etherscan/Sourcify Morpho Blue, MetaMorpho Factory v1.0 and v1.1, Adaptive Curve IRM, and MORPHO Token are all verified on Etherscan with full Solidity source. All core contracts with user TVL are verified.
Oracle & external dependencies Yellow 36 17 of 17
RD-F-051 red Fallback behavior on oracle failure No fallback on oracle failure. IOracle(marketParams.oracle).price() is called with no try/catch, no secondary oracle, no last-known-price. If the oracle reverts, liquidations and health checks revert for that market. Isolated-market design limits blast radius but does not mitigate the per-market freeze.
RD-F-057 red Circuit breaker on price deviation No circuit breaker present. Morpho Blue core and ChainlinkOracleV2 have no price-deviation guard. PAXG/USDC exploit ($230K, Oct 2024) demonstrated: $2.6T oracle mispricing was accepted unconditionally — no circuit breaker triggered. Confirmed by source inspection and realized exploit.
RD-F-180 red Immutable oracle address [★ CRITICAL — T-14 promoted 2026-04-22] Oracle address immutable at market creation. MarketParams.oracle field is part of the market ID hash — changing it creates a new market. No setOracle function on core (0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb). ChainlinkOracleV2 feeds are Solidity immutable variables with no admin setter. PAXG/USDC exploit ($230K, Oct 2024) realized consequence. Note: docs.morpho.org page renamed from 'Morpho Market V1' to 'Variable Rate Market (Morpho Blue)' between April-May 2026 — structural immutable-oracle claim unchanged in new framing.
RD-F-049 yellow Oracle role per asset Single-oracle design per market. No secondary or fallback oracle. ChainlinkOracleV2 composes up to 4 Chainlink feeds into a single price() output but provides no fallback oracle address. Primary only, per market.
RD-F-052 yellow Breakage analysis per dependency Breakage analysis: (1) Oracle failure → liquidations freeze per market (isolated blast radius); (2) IRM failure → interest accrual freezes per market; (3) Chainlink stale price → accepted without revert; (4) MetaMorpho fully dependent on Morpho Blue core. Stale-price risk is real but not documented as a protocol-level risk mitigation.
RD-F-059 yellow Oracle staleness check present No on-chain staleness check in ChainlinkDataFeedLib. Library comment explicitly states: 'Staleness is not checked because it is assumed that the Chainlink feed keeps its promises on this.' Only the answer field from latestRoundData() is used; updatedAt is not validated. Partial mitigation: Chainlink feeds have heartbeat SLAs (ETH/USD 3600s, BTC/USD 3600s).
RD-F-060 yellow Chainlink aggregator min/max bound misconfig ChainlinkOracleV2 does not check minAnswer/maxAnswer bounds — delegates to Chainlink aggregator internal circuit breakers. Cannot fully assess per-feed bounds without per-feed on-chain reads. High-priority feeds (ETH/USD, BTC/USD) generally have reasonable bounds; exotic/custom feeds in permissionless markets may not.
RD-F-181 yellow Permissionless-pool lending oracle Structural risk present but mitigated by the curator layer. Morpho Blue permissionless market creation accepts any oracle address — including one reading spot price from a permissionlessly-created DEX pool with no liquidity floor or token age minimum. Reference ChainlinkOracleV2 does not use permissionless DEX pools. High-TVL curator-governed vaults avoid adversarial markets.
RD-F-054 n/a TWAP window duration Protocol reference implementation uses Chainlink push-oracle feeds, not DEX TWAP. No UniswapV3 observe()/consult() calls identified in MorphoChainlinkOracleV2. N/A for TWAP window measurement.
RD-F-055 n/a Oracle pool depth (USD) Protocol reference implementation uses Chainlink aggregators, not DEX liquidity pools as oracle source. Pool depth measurement N/A.
RD-F-056 n/a Single-pool oracle (no medianization) Not applicable — reference implementation uses Chainlink aggregators (internally multi-node). No single DEX pool venue. Single-pool DEX oracle medianization question does not apply.
RD-F-058 n/a Max-deviation threshold (bps) N/A — no circuit breaker exists (see RD-F-057 = red). Max deviation threshold is not applicable when no circuit breaker is present.
RD-F-048 green Oracle providers used Morpho Blue is oracle-agnostic. Reference implementation: ChainlinkOracleV2 factory (0x3A7bB36Ee3f3eE32A60e9f2b33c1e5f2E83ad766, ETH) uses Chainlink push-oracle feeds. Data cache lists 19 Chainlink feeds across major assets. Pyth Morpho Wrapper also supported. High-TVL markets use Chainlink multi-hop composition.
RD-F-050 green Dependency graph (protocols depended upon) Morpho Blue core has minimal external dependencies by design. Core depends on: per-market oracle (Chainlink feeds), Adaptive Curve IRM (0x870aC11D48B15DB9a138Cf899d20F13F79Ba00BC). MetaMorpho vaults depend on Morpho Blue core. Bundler depends on Aave/Compound migration adapters (periphery only). Core is a singleton with two external call surfaces.
RD-F-053 green Oracle source = spot DEX pool (no TWAP) [★ CRITICAL] Reference ChainlinkOracleV2 uses Chainlink push-oracle feeds (latestRoundData), not spot DEX pools. High-TVL markets (wstETH/USDC, WBTC/USDC) use Chainlink multi-hop. PAXG/USDC exploit was decimal misconfiguration of Chainlink adapter, not spot DEX. No verified spot DEX oracle in reference implementation or high-TVL markets.
RD-F-061 green LP token balanceOf used for pricing No balanceOf-based LP token pricing in reference ChainlinkOracleV2. ERC4626 vault component uses getAssets() (legitimate conversion), not balanceOf for pricing. Donation attack via balanceOf not applicable to this implementation.
RD-F-062 green External keeper/relayer not redundant Morpho Blue does not require keepers for core operations. Liquidations are permissionless — any address can call. MetaMorpho reallocation initiated by curators (not automated keepers). No single keeper/relayer dependency identified.
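The staleness and clamp-bound gaps recorded under RD-F-059 and RD-F-060, as an added example that is not Morpho or Chainlink code: a Python model of the answer-only read the page attributes to ChainlinkDataFeedLib, beside a hardened read a market integrator could apply that validates updatedAt against the feed heartbeat and rejects answers pinned at the aggregator's minAnswer/maxAnswer. The 3600s heartbeat is the ETH/USD figure the page cites; the round values, clamp bounds and the `Round`/`FeedConfig` types are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Round:
    """The fields of a Chainlink-style latestRoundData() tuple used here (constructed type)."""
    round_id: int
    answer: int       # price in the feed's decimals
    updated_at: int   # unix seconds of the last aggregator update


@dataclass(frozen=True)
class FeedConfig:
    """Per-feed parameters an integrator configures off-chain (constructed type)."""
    decimals: int
    heartbeat: int    # max seconds between updates the feed promises
    min_answer: int   # aggregator clamp bounds; reported answers never leave this range
    max_answer: int


class StaleFeed(Exception):
    pass


class OutOfBounds(Exception):
    pass


def answer_only_read(rnd: Round) -> int:
    """Weak consumer: returns `answer` and ignores everything else.
    This is the behaviour the page describes for ChainlinkDataFeedLib: staleness
    is not checked, so a round that stopped updating hours ago, or one clamped at
    a bound, is priced as if it were fresh."""
    return rnd.answer


def hardened_read(rnd: Round, cfg: FeedConfig, now: int, grace: int = 0) -> int:
    """Hardened consumer: same answer, but only if the round is usable.

    - non-positive answers are rejected (feed outage or negative answer)
    - rounds older than heartbeat + grace are rejected as stale
    - answers at the min/max clamp are rejected, because a clamped aggregator
      keeps reporting the bound while the real price keeps moving
    """
    if rnd.answer <= 0:
        raise OutOfBounds(f"round {rnd.round_id}: non-positive answer")
    age = now - rnd.updated_at
    if age > cfg.heartbeat + grace:
        raise StaleFeed(f"round {rnd.round_id}: {age}s old exceeds heartbeat {cfg.heartbeat}s")
    if rnd.answer <= cfg.min_answer or rnd.answer >= cfg.max_answer:
        raise OutOfBounds(f"round {rnd.round_id}: answer at aggregator clamp bound")
    return rnd.answer


def evaluate(rounds: List[Round], cfg: FeedConfig, now: int) -> List[Tuple[int, int, str]]:
    """Run every round through both consumers.
    Returns (round_id, price the weak consumer used, hardened verdict)."""
    out = []
    for rnd in rounds:
        weak_price = answer_only_read(rnd)
        try:
            hardened_read(rnd, cfg, now)
            verdict = "accepted"
        except (StaleFeed, OutOfBounds) as exc:
            verdict = f"rejected ({exc})"
        out.append((rnd.round_id, weak_price, verdict))
    return out


# Constructed sample: an 8-decimal USD feed with the 3600s heartbeat the page
# cites for ETH/USD, and constructed clamp bounds of $1 .. $10,000.
NOW = 1_700_000_000
USD_FEED = FeedConfig(decimals=8, heartbeat=3600, min_answer=1 * 10**8, max_answer=10_000 * 10**8)
SAMPLE_ROUNDS = [
    Round(round_id=1, answer=3_000 * 10**8, updated_at=NOW - 600),    # fresh, in range
    Round(round_id=2, answer=3_000 * 10**8, updated_at=NOW - 7_200),  # two hours stale
    Round(round_id=3, answer=10_000 * 10**8, updated_at=NOW - 60),    # pinned at maxAnswer
]

if __name__ == "__main__":
    for round_id, weak_price, verdict in evaluate(SAMPLE_ROUNDS, USD_FEED, NOW):
        print(f"round {round_id}: answer-only used {weak_price / 10**USD_FEED.decimals:.2f}; hardened {verdict}")
```

The weak consumer prices all three rounds; the hardened one accepts only round 1. Because Morpho Blue's oracle address is fixed per market (RD-F-180), a check like this has to live in the oracle adapter chosen at market creation, not be retrofitted to the core.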
Economic risk Yellow 30 13 of 13
RD-F-064 yellow TVL concentration (top-10 wallet share) Two-chain concentration: Ethereum ~50%, Base ~42% of ~$6.6B total TVL. Per-wallet depositor concentration not measured (on-chain subgraph not enumerated). Vault-level concentration: Steakhouse, Re7, Gauntlet, MEV Capital curators drive significant TVL — institutional concentration at the vault aggregation layer.
RD-F-065 yellow Liquidity depth per major asset 2%/5% slippage depth not measured numerically for individual markets. Flagship collateral (wstETH, WETH, WBTC) has deep DEX liquidity. Long-tail permissionless markets have unknown liquidation liquidity depth. LIF ~5% (86% LLTV markets) may be insufficient for fast-moving cascades in thin markets. PAXG/USDC exploit Oct 2024 demonstrated real market-level liquidation failure.
RD-F-066 yellow Utilization rate (lending protocols) Aggregate utilization estimated ~35% ($4.5B active loans vs $13B deposits per Q3 2025 data). Adaptive Curve IRM targets 90% per-market utilization. Per-market breakdown not obtained from on-chain reads. Aggregate appears below 80% yellow threshold but individual markets may differ.
RD-F-067 yellow Historical bad-debt events One documented bad-debt event: PAXG/USDC market oracle misconfiguration, Oct 2024, ~$230k USDC loss borne by market lenders. Market isolation prevented protocol-wide socialization. No other documented bad-debt events at protocol level. Rekt DB shows 0 incidents per data cache.
RD-F-068 yellow Collateralization under stress No formal stress simulation performed. Dominant flagship markets (86% LLTV wstETH/WETH/USDC) start liquidation at 86% LTV — a 20%+ price drop puts positions in the liquidation zone. LIF ~5% may be thin for fast cascades. Market isolation limits contagion. Gauntlet performs simulation-based modeling for MetaMorpho vaults. No evidence of below-100% net collateralization at protocol level.
RD-F-071 yellow Seed-deposit requirement for new market listing No protocol-enforced seed deposit for new Morpho Blue market creation. Any address can create a market with any whitelisted LLTV and any oracle without a minimum seed deposit. Dead deposit (1e9 shares to 0xdead) is recommended guidance for curators, not code-enforced.
RD-F-072 yellow Market-listing governance threshold Market creation is fully permissionless — any address can create a market using any governance-whitelisted LLTV and any oracle. No DAO vote required for individual market creation. The DAO only controls the LLTV whitelist and IRM whitelist. Classification: permissionless (yellow per template).
RD-F-073 yellow Oracle-manipulation-proof borrow cap No protocol-level borrow caps per asset. Supply and borrow are limited by market liquidity and the Adaptive Curve IRM dynamics only. Oracle manipulation risk is per-market and was demonstrated in PAXG/USDC Oct 2024. Chainlink-based oracles available but not mandatory — any oracle can be used.
RD-F-074 yellow ERC-4626 virtual-share offset (OZ ≥4.9) MetaMorpho vaults are ERC-4626 but do NOT use the OZ >=4.9 virtual-share offset. They rely instead on a recommended dead deposit (1e9 shares to 0xdead). Dead deposit is curator responsibility, not protocol code enforcement. Docs explicitly warn MetaMorpho V1 vaults are vulnerable to inflation front-running if the dead deposit is not made.
RD-F-075 yellow First-depositor / share-inflation guard Two-layer: (1) Core Morpho Blue markets: VIRTUAL_SHARES=1e6 and VIRTUAL_ASSETS=1 in SharesMathLib provide structural protection — first depositor cannot inflate shares via donation. Effective protection. (2) MetaMorpho ERC-4626 vaults: rely on curator dead deposit (1e9 shares to 0xdead); not protocol-enforced. Docs warn of vulnerability if dead deposit omitted. Yellow for composite protocol (vault layer is exposed without curator action).
RD-F-069 n/a Algorithmic / under-collateralized stablecoin Morpho Blue is an over-collateralized lending protocol. It issues no algorithmic or under-collateralized stablecoin. Loan assets are established external tokens (USDC, USDT, DAI, WETH). Not applicable.
RD-F-070 gray Empty cToken-style market (zero supply/borrow) Not a Compound V2 fork — taxonomy RD-F-070 is 'Compound-fork-only (N/A for non-Compound-fork protocols).' Morpho Blue uses original share-based accounting with VIRTUAL_SHARES=1e6 and VIRTUAL_ASSETS=1 in SharesMathLib — structural protection against first-depositor inflation. No cToken architecture. No critical flag fires.
RD-F-063 green TVL (current + 30d trend) TVL ~$6.6B as of 2026-04-27. Pre-KelpDAO-exploit peak ~$7.48B (early Apr 2026). 3x YoY growth. Ethereum ~$3.3B, Base ~$2.76B. Well above $100M threshold with strong growth trend.
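The two share-inflation guards compared under RD-F-074 and RD-F-075 (and referenced again in RD-F-070), as an added example that is not Morpho code: a Python model of first-depositor inflation against an unprotected ERC-4626-style vault, a vault seeded with the 1e9-share dead deposit the page describes, and share maths using the VIRTUAL_SHARES=1e6 / VIRTUAL_ASSETS=1 constants the page attributes to SharesMathLib. Only those constants and the dead-deposit size come from the page; the attacker and victim amounts are constructed, the empty unprotected vault is assumed to bootstrap 1:1, and because Morpho Blue tracks supplied assets internally rather than via balanceOf, the donation step is modelled abstractly as totalAssets rising without a share mint.

```python
from dataclasses import dataclass
from typing import Dict

# Constants the page attributes to Morpho Blue's SharesMathLib.
VIRTUAL_SHARES = 10**6
VIRTUAL_ASSETS = 1

# Constructed scenario amounts for an 18-decimal asset (not from the page).
ATTACKER_DEPOSIT = 1
DONATION = 10**18
VICTIM_DEPOSIT = 10**18
DEAD_DEPOSIT = 10**9  # the 1e9-share dead deposit to 0xdead the page describes


@dataclass
class Vault:
    """Minimal share-accounting model. virtual_* = 0 gives a plain vault."""
    virtual_shares: int = 0
    virtual_assets: int = 0
    total_assets: int = 0
    total_shares: int = 0

    def to_shares_down(self, assets: int) -> int:
        # assets * (totalShares + virtualShares) / (totalAssets + virtualAssets), floored
        denominator = self.total_assets + self.virtual_assets
        if denominator == 0:
            return assets  # assumption: empty unprotected vault bootstraps 1:1
        return assets * (self.total_shares + self.virtual_shares) // denominator

    def to_assets_down(self, shares: int) -> int:
        denominator = self.total_shares + self.virtual_shares
        if denominator == 0:
            return 0
        return shares * (self.total_assets + self.virtual_assets) // denominator

    def deposit(self, assets: int) -> int:
        shares = self.to_shares_down(assets)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def inflate(self, assets: int) -> None:
        """Assets counted by the vault without any shares minted: the donation
        step of the first-depositor attack, modelled abstractly."""
        self.total_assets += assets


def simulate(vault: Vault) -> Dict[str, int]:
    """First depositor seeds, inflates, then a victim deposits. Returns the
    victim's shares, how much of the victim's deposit the victim can no longer
    redeem, and the first depositor's profit (positive) or loss (negative)."""
    attacker_shares = vault.deposit(ATTACKER_DEPOSIT)
    vault.inflate(DONATION)
    victim_shares = vault.deposit(VICTIM_DEPOSIT)
    victim_value = vault.to_assets_down(victim_shares)
    attacker_value = vault.to_assets_down(attacker_shares)
    return {
        "victim_shares": victim_shares,
        "victim_loss": VICTIM_DEPOSIT - victim_value,
        "attacker_pnl": attacker_value - ATTACKER_DEPOSIT - DONATION,
    }


def run_scenarios() -> Dict[str, Dict[str, int]]:
    """Same attack sequence against the three schemes named on the page."""
    unprotected = Vault()
    dead_deposit = Vault()
    dead_deposit.deposit(DEAD_DEPOSIT)  # curator mints 1e9 shares to 0xdead before anyone else enters
    virtual = Vault(virtual_shares=VIRTUAL_SHARES, virtual_assets=VIRTUAL_ASSETS)
    return {
        "unprotected": simulate(unprotected),
        "dead_deposit": simulate(dead_deposit),
        "virtual_shares": simulate(virtual),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

In the unprotected vault the victim's deposit rounds to zero shares and the first depositor walks away with the whole donation as profit. With either the dead deposit or the virtual shares, the victim's rounding loss is a few hundred gwei to a few hundred thousand gwei on a 1 ETH deposit and the first depositor ends up deeply negative, which is why the page rates the core markets protected and flags only the curator-dependent vault layer.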
Operational history Green 13 15 of 15
RD-F-077 yellow Prior exploit count 2 incidents on record: Oct 2024 oracle misconfiguration ($230k market-level loss) and Apr 2025 frontend SDK misconfiguration ($0 net loss, white hat returned funds). Neither was a core smart contract exploit.
RD-F-080 yellow Days since last exploit Last incident: 2025-04-10 (Apr 2025 frontend/SDK). Days since: ~382 days as of 2026-04-27. Within trailing 12 months. Yellow for recency.
RD-F-081 yellow Post-exploit response score Apr 2025 (most recent): response score ~4/5 — fast rollback (4 min), public post-mortem same day, named SDK packages, root cause stated. Gaps: no commit SHA linked, no formal audit diff published. Oct 2024: ~3/5 — governance retrospective published but recovery disputed, no official Morpho timestamp on first response, no code fix (immutable contracts).
RD-F-084 yellow TVL stability (CoV over 90d) TVL broadly on an upward trajectory (Ethereum ~$1.5B to ~$3.3B over 90-day window). Notable ~9.6% TVL drop following KelpDAO exploit 2026-04-20 (broader DeFi event, not Morpho-specific). CoV not directly computed; yellow given the positive trend but market-wide 9.6% one-event drop.
RD-F-089 yellow Insurance coverage active Nexus Mutual offers user-electable Protocol Cover on specific Morpho Blue markets (wstETH/USDC, weETH/WETH, Base DeFi Pass bundle). This is user-elected coverage, not a protocol-sponsored blanket insurance program. No Sherlock or equivalent protocol-level coverage found.
RD-F-166 yellow Deprecated contracts still holding value Morpho Optimizers (AaveV2, CompoundV2, AaveV3-ETH variants) officially deprecated Sept–Dec 2025. Front-end removed. Contracts are immutable — cannot be forcibly drained. Residual user TVL expected to persist as of 2026-04-27. Exact on-chain balance unconfirmed (API access failed). Deprecation was properly announced with 60-day notice and migration tooling.
RD-F-076 green Protocol age (days) Morpho Blue Ethereum mainnet deploy: 2023-12-28. Age ~485 days (~16 months) as of 2026-04-27. Exceeds 12-month A-grade floor threshold.
RD-F-078 green Chronic-exploit flag (≥3 incidents) 2 incidents total — below the ≥3 chronic threshold. No chronic flag triggered.
RD-F-079 green Same-root-cause repeat exploit Two incidents have distinct root-cause classes: (1) oracle decimal scaling misconfiguration at market-creation layer; (2) SDK approval routing to wrong contract address in frontend. No same-root-cause repeat.
RD-F-082 green Post-mortem published within 30 days Apr 2025: official blog published same day (within hours). Oct 2024: governance forum retrospective published within incident window. Both incidents have public write-ups within 30 days.
RD-F-083 green Auditor re-engaged after last exploit Spearbit engaged for Oct 2024 security review (report exists in portfolio). OpenZeppelin and Spearbit both reviewed MetaMorpho V1.1 in Nov 2024. Apr 2025 blog commits to external SDK audits. Reputable auditor re-engagement confirmed.
RD-F-085 green Incident response time (minutes) Apr 2025 (most recent incident): 4 minutes from alert to frontend rollback. Exceptionally fast operational response for a frontend-class incident.
RD-F-086 green Pause activations (trailing 12 months) Morpho Blue core contract is deliberately immutable with no pause function by design. No deliberate on-chain pause activations in trailing 12 months. Apr 2025 response was a frontend rollback (off-chain), not an on-chain pause.
RD-F-087 green Pause > 7 consecutive days No on-chain pause capability in Morpho Blue (immutable by design). No pause of >7 consecutive days possible or observed.
RD-F-088 green Re-deployed to new addresses in last year Morpho Blue core contract has not been redeployed. MetaMorpho Factory V1.1 is additive (new factory coexisting with V1.0), not a replacement redeploy. No protocol-wide address migration in last 12 months.
Real-time signals Green 17 22 of 22
RD-F-091 yellow Partial-drain test transactions Oct 2024 PAXG exploit was a single-tx drain ($350→$230K), no multi-step test-tx pattern. May 2025 Aerodrome cUSDO oracle manipulation: no documented pre-strike partial-drain sequence. No current confirmed partial-drain precursor in major markets.
RD-F-093 yellow Abnormal gas-price willingness from attacker wallet No documented high-priority-fee transactions targeting Morpho Blue markets in 2025-2026. Oct 2024 oracle exploit did not require MEV racing. Cannot confirm absence without live mempool monitoring.
RD-F-094 yellow New contract with similar bytecode to exploit template No publicly flagged bytecode-similar exploit-template deployments targeting Morpho Blue markets as of 2026-04-27. However, permissionless market creation allows deployment of malicious oracle contracts, which is an architecturally distinct but related threat.
RD-F-096 yellow New ERC-20 approval to unverified contract from whale April 2025 incident: Bundler3 received approvals instead of the adapter due to frontend misconfiguration; $2.6M at risk; intercepted by c0ffeebabe.eth; $0 net loss. Approval-misdirection pattern is structurally applicable to Morpho's Bundler architecture.
RD-F-097 yellow Sybil surge of identical-pattern transactions Morpho Blue isolated-market design is not vulnerable to traditional sybil front-running. However, permissionless market creation creates exposure to fake-pool-seeding attacks (Rhea Finance analog — RD-F-181 class). May 2025 AMM LP oracle manipulation involves venue-level manipulation, not sybil.
RD-F-099 yellow Oracle price deviation >X% from secondary Two market-level oracle manipulation incidents confirmed: Oct 2024 (PAXG SCALE_FACTOR, $230K) and May 2025 (Aerodrome AMM LP oracle, $49K covered internally). Both on permissionless markets with spot-price oracles. No current major-market (ETH/USD, BTC/USD, USDC/USD Chainlink) oracle deviation detected.
RD-F-100 yellow Flash loan >$10M targeting protocol tokens Morpho Blue's native flash loan exposes all singleton liquidity simultaneously. Structurally applicable. May 2025 Aerodrome oracle manipulation appears flash-loan-enabled at venue level. No documented flash-loan attack on major Morpho markets (ETH/BTC/USDC) in 2025-2026.
RD-F-105 yellow DNS/CDN/frontend hash drift April 2025 frontend incident: code update caused approval misdirection (not DNS drift but bundle-hash drift). Resolved by rollback. Typosquat morpho-app.org (Dec 2025, Angel Drainer kit) DNS-suspended. No current DNS drift on morpho.org detected from public scan.
RD-F-109 yellow Social-media impersonation scam spike Typosquat domain morpho-app.org (Angel Drainer kit, registered Dec 5, 2025) confirms active scam infrastructure around the Morpho brand. DNS suspended as of scan date. No confirmed coordinated Discord/Telegram scam-coordinator spike in public reports.
RD-F-090 gray Mixer withdrawal → protocol interaction Permissionless protocol; any wallet (including mixer-funded) can interact. No confirmed mixer-funded large deposits in public sources. Requires Chainalysis/TRM 3-hop 30-day analysis for full signal.
RD-F-103 n/a Bridge signer-set change proposed/executed Morpho Blue uses no cross-chain bridge in its core lending operations. Each chain deployment is an independent singleton with no shared bridge state. LayerZero not present.
RD-F-106 n/a Cross-chain bridge unverified mint pattern Morpho Blue uses no cross-chain bridge. Each chain deployment is independent. No cross-chain message-passing architecture in core protocol.
RD-F-107 gray Admin EOA signing from new geography/device May 2025 forum post proposed hardware wallet requirements for multisig signers (no code change). Off-chain signing telemetry not accessible from public sources. Cannot assess geography/device anomalies.
RD-F-092 green Unusual mempool pattern from deployer wallet Deployer 0x937ce2d6 labeled 'Morpho: Deployer 2' on Etherscan; funded by internal Safe smart account March 2023. Activity consistent with legitimate contract deployments. No anomalous mempool patterns in public tx history.
RD-F-095 green Known-exploit function-selector replay Two prior exploits involved distinct oracle misconfigurations (PAXG SCALE_FACTOR decimal error Oct 2024; Aerodrome AMM LP oracle May 2025) — not the same selector-pattern replay. Core immutable contract not vulnerable to replay at protocol level.
RD-F-098 green TVL anomaly — % drop in <1h KelpDAO April 2026 contagion caused ~9.62% Morpho TVL drop (from ~$11.7B to ~$10.2B) — below 30% threshold. Sector-correlated suppression applies. No single-protocol TVL drain event detected. RD-F-098 would NOT fire today.
RD-F-101 green Large governance proposal queued Latest MIPs (MIP 129 contributor grants, MIP 131 Association grant 2026-2030) are routine. MIP 91 (Jan 2025) signer rotation — threshold unchanged at 5/9. No malicious-pattern selectors (no upgrade/delegatecall/transferOwnership) in recent proposals. No unusual governance activity detected.
RD-F-102 green Admin/upgrade transaction in mempool Morpho Blue singleton (0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb) is IMMUTABLE — no upgrade selector exists. DAO multisig can only call fee-setting and whitelist functions. No admin/upgrade mempool transactions possible on core contract.
RD-F-104 green Stablecoin depeg >2% on shared-LP venue USDC and USDT at peg as of 2026-04-27. No >2% depeg on ≥2 venues. Protocol has very high stablecoin exposure — USDC dominates loan assets across MetaMorpho vaults. Signal would fire rapidly if USDC depegged given dominance.
RD-F-108 green GitHub force-push to sensitive branch morpho-org GitHub organization active (last commit 2026-04-21 per data cache). No security alerts or force-push events on morpho-blue main branch. Development activity is normal (feat/durations, dispatch logic, linting).
RD-F-110 green Unusual pending/executed proposal ratio MIP numbering at MIP 131+ as of April 2026. Proposal cadence is normal for a mature protocol. Recent proposals are grants, framework, signer rotation. No unusual pending-to-executed ratio observed.
RD-F-182 green Security-Council threshold reduction (RT) MIP 91 (Jan 2025): signer replacement only; threshold UNCHANGED at 5/9. Zodiac Delay Modifier (24h) remains in place. No threshold reduction + timelock removal within 14-day window detected in 2025-2026 governance history. RD-F-182 would NOT fire today.
Dev identity & insider risk Green 4 16 of 16
RD-F-117 yellow ENS/NameStone identity bound to deployer No ENS or NameStone name bound to deployer address 0x937ce2d6...afed5. Deployer has Etherscan protocol label 'Morpho: Deployer 2' which provides equivalent identification clarity for institutional deployers, but the factor specifically asks for ENS/NameStone.
RD-F-123 yellow Sudden admin-rescue/ACL change without discussion Morpho Blue core contract is immutable (non-upgradeable), eliminating logic-ACL risk. Base chain ownership transfer followed full MIP59 governance process (forum 2024-05-14, Snapshot 2024-05-17, on-chain 2024-05-22). Ethereum mainnet owner-setting process at deploy not located in a specific forum MIP, but no evidence of surprise/unannounced change.
RD-F-111 green Team doxx status All four co-founders (Paul Frambot, Merlin Egalite, Mathis Gontier Delaunay, Julien Thomas) are fully doxxed with real names, LinkedIn profiles, verified academic credentials from French grandes ecoles, and public conference attendance.
RD-F-112 green Team public accountability surface Each of the four founders has verifiable LinkedIn employment history, GitHub contribution history to morpho-org repos, academic credentials from French grandes ecoles, and multi-year public media and conference presence. MathisGD is the most frequent morpho-blue committer; MerlinEgalite is listed as core contributor.
RD-F-113 green Team other-protocol involvement history No prior rug-pull or exit-scam affiliations for any named co-founder. Paul Frambot co-founded Morpho Labs + Morpho Association; no adverse prior protocol involvement. Institutional VC background checks implied by a16z, Coinbase Ventures, Ribbit Capital investment.
RD-F-114 green Deployer address prior on-chain history Deployer 0x937ce2d6c488b361825d2db5e8a70e26d48afed5 is labeled 'Morpho: Deployer 2' on Etherscan — a protocol-attributed deployer with 363 transactions of protocol operations. No prior rug or exit-scam deployments found in Rekt or OSINT.
RD-F-115 green Prior rug/exit-scam affiliation No prior rug-pull or exit-scam affiliations for any named team member. Rekt DB shows zero incidents for the deployer address. Institutional investor due diligence (a16z, Coinbase Ventures) confirms no adverse history surfaced.
RD-F-116 green Contributor tenure at admin-permissioned PR Core contributors are founding team members (MathisGD = Mathis Gontier Delaunay, MerlinEgalite = Merlin Egalite) with 3+ years tenure at Morpho. Most recent admin-permissioned code changes are maintenance commits from long-tenured contributors.
RD-F-118 green Handle reuse across failed/rugged projects No social handle (Twitter, Discord, GitHub) associated with any named founder has been linked to a prior rugged or failed project. All founder handles are consistently and exclusively Morpho-associated across their public history.
RD-F-119 green Commit timezone consistent with stated geography Morpho is Paris-headquartered (70 employees, France). Named co-founders confirmed France-based via LinkedIn. Commit history from morpho-blue repo shows European work-day hour distribution with no anomalous East-Asia/DPRK timezone burst patterns in visible commit metadata.
RD-F-120 green Video-off/voice-consistency flag Paul Frambot has appeared in multiple public video interviews and conference panels (Paris Blockchain Week 2024, Blockworks, Cryptonews). No video-off or voice inconsistency pattern reported. Team members attend in-person conferences.
RD-F-121 green Contributor OSINT depth score All four co-founders score 5/5 on OSINT depth: full LinkedIn employment history, GitHub contribution trail, academic archive paper (HAL), institutional investor attestation (a16z/Coinbase Ventures/Ribbit), media presence (The Block, Blockworks, CoinDesk), and conference speaking.
RD-F-122 green Contributor paid to DPRK-cluster wallet No evidence of any protocol contributor payment wallet routing to a DPRK-labeled cluster within 3 hops. All disclosed multisig signer addresses map to named DeFi participants with no OFAC designation. Active OFAC SDN search and web search for Morpho + DPRK + Lazarus returns no results.
RD-F-124 green Deployer wallet mixer-funded within 30 days Deployer 0x937ce2d6...afed5 was first funded 2023-03-07 (~9 months before the 2023-12-28 Morpho Blue deploy) by a Morpho internal Safe multisig. No Tornado Cash, Railgun, or other mixer interactions observed in deployer transaction history. 30-day pre-deploy window contains no mixer activity.
RD-F-125 green Deployer linked within 3 hops to DPRK/Lazarus No OFAC SDN designation, Chainalysis published Lazarus cluster attribution, or US Treasury press release links any Morpho wallet (deployer, DAO multisig, contributors) to the DPRK/Lazarus cluster. Fully doxxed French founding team with institutional VC backing is inconsistent with nation-state implant profile.
RD-F-184 green Real-capital social-engineering persona No curator flag or OSINT evidence of any 'contributor' or 'external integrator' persona with >=1M USD attributed deposits used to build credibility ahead of a social-engineering attack. Neither of the two Morpho incidents (Oct 2024 oracle misconfiguration, Apr 2025 frontend SDK) involves a social-engineering persona.
Fork / dependency lineage Green 0 10 of 10
RD-F-126 n/a Is-a-fork-of Morpho Blue is an original implementation, not a fork; GitHub README confirms it as a new trustless primitive; 2133+ commits of original development; no upstream protocol relationship.
RD-F-127 n/a Upstream patch not merged No upstream protocol exists for Morpho Blue; upstream patch inheritance is not applicable.
RD-F-128 n/a Upstream vulnerability disclosure (last 90d) No upstream protocol exists; no inherited vulnerability disclosure applies.
RD-F-129 n/a Code divergence from upstream (%) No upstream to diff against; code divergence metric is not applicable.
RD-F-130 n/a Fork depth (generations from original audit) Morpho Blue is a depth-0 original protocol; fork depth metric is not applicable.
RD-F-131 n/a Fork retains upstream audit coverage Not a fork; Morpho Blue has its own fresh independent audits covering the entire codebase.
RD-F-132 n/a Fork has different economic parameters than upstream Not a fork; no upstream economic parameter comparison applies.
RD-F-133 green Dependency manifest uses unpinned versions foundry.lock pins all dependencies to exact commit SHAs (forge-std at 2f112697, halmos-cheatcodes at a02072cd); no package.json; no OpenZeppelin runtime dependencies; all security-critical deps pinned.
RD-F-134 green Dependency had malicious-release incident (last 90d) Only dependencies are forge-std and halmos-cheatcodes (dev/test only); no npm/PyPI/crates.io dependencies; no malicious-release advisory found for either in trailing 90 days.
RD-F-135 green Shared-library version with known-vuln status Morpho Blue has no runtime OZ/Solady/Solmate dependencies (oz_contracts_version: null in data cache); foundry.lock shows only test-dev libraries; no CVE/GHSA advisory applicable to production runtime.
Post-deploy hygiene & change mgmt Green 14 13 of 13
RD-F-136 yellow Deployed bytecode matches signed release tag Morpho Blue is immutable — bytecode fixed at deploy, expected to match tagged release commit. Release tags present in morpho-org/morpho-blue repo. GPG-signed tag not verified via direct toolchain run.
RD-F-143 yellow Reinitializable implementation (no _disableInitializers) Morpho Blue: non-upgradeable singleton — factor N/A for core. MetaMorpho vaults deployed via factory with initializer pattern. MetaMorpho.sol has immutable state vars but _disableInitializers() call not confirmed in implementation constructor. Handoff to code-security-analyst for static analysis.
RD-F-145 yellow Deployed bytecode reproducibility Foundry with optimizer_runs=999999, via_ir=true documented. Multiple auditors verified source — implying implicit reproducibility. No explicit public reproducibility verification script found. Build instructions present in GitHub.
RD-F-146 yellow New contract deploys in last 30 days MetaMorpho vault deployments are frequent (curators deploy new vaults on demand). Exact count in trailing 30 days not enumerable from available data. GitHub last commit 2026-04-21 confirms active development. Vault-v2 launched Nov 2025.
RD-F-168 yellow Stale-approval exposure on deprecated router April 2025 frontend incident involved user approvals sent to Bundler3 instead of correct adapter. Funds returned by white hat. Stale approvals to deprecated Bundler3 router may remain active. Morpho Optimizer legacy contracts may also have stale approvals. Exact count and value not quantified.
RD-F-185 gray Bridge rate-limiter / chain-pause as positive mitigant Morpho Blue has no bridge component. data cache: layerzero.present=false, has_bridge_surface=false. This factor (bridge rate-limiter/chain-pause) is N/A for a pure lending protocol.
RD-F-137 green Upgrade frequency (per 90 days) Morpho Blue core: 0 upgrades (immutable). MORPHO token: 1 upgrade in Nov 2024 for transferability. MetaMorpho vaults: parameter changes via timelocked process, no high-churn. No excessive upgrade frequency.
RD-F-138 green Hot-patch deploys without timelock (last 30 days) Morpho Blue: immutable, no hot-patches possible. MORPHO token: no hot-patches in last 30 days. MetaMorpho vaults: parameter changes route through vault-level timelocks (min 1 day). No bypassed timelock upgrades identified.
RD-F-139 green Post-audit code changes without re-audit Morpho Blue immutable — no post-deploy changes possible. MetaMorpho v1.1 changes covered by OZ diff audit (2024-11-16) and Spearbit managed review (2024-11-23). All material post-audit code changes have corresponding re-audit coverage.
RD-F-140 green Fix-merged-but-not-deployed gap No evidence of known vulnerabilities with merged fixes not deployed. Morpho Blue is immutable. No open undeployed security fix PRs identified in public repos.
RD-F-141 green Test-mode parameters in deploy Morpho Blue deployed with production parameters. Admin is DAO multisig (not deployer EOA). No test-mode oracle, infinite allowance, or test-mode config detected.
RD-F-142 green Storage-layout collision risk across upgrades Morpho Blue immutable — no upgrade path, no storage collision risk. MORPHO token ERC1967 proxy: OZ diff audit (2024-11-16) would have covered MetaMorpho v1.1 storage layout changes. No storage-layout collision reported.
RD-F-144 green CREATE2 factory permits same-address redeploy MetaMorpho Factory deploys vaults via CREATE2 with deterministic addresses. No selfdestruct path in factory means same-address redeploy is not possible.
Cross-chain & bridge Gray 0 12 of 12
RD-F-147 n/a Protocol has bridge surface Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-148 n/a Bridge validator count (M) Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-149 n/a Bridge validator threshold (k-of-M) Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-150 n/a Bridge validator co-hosting Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-151 n/a Bridge ecrecover checks result ≠ address(0) Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-152 n/a Bridge binds message to srcChainId Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-153 n/a Bridge tracks nonce-consumed mapping Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-154 n/a Default bytes32(0) acceptable as valid root Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-155 n/a Bridge validator-set rotation recency Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-156 n/a Bridge uses same key custody for >30% validators Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-157 n/a Bridge TVL per validator ratio Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
RD-F-179 n/a LayerZero OFT DVN config (count, threshold, diversity) Not applicable — Morpho Blue is Ethereum-only with no bridge surface. No cross-chain messaging, no bridge validator set, no bridged TVL. All Cat 10 factors are N/A. (data cache: layerzero.present: false; has_bridge_surface: false)
Threat intelligence & recon Yellow 20 8 of 8
RD-F-161 yellow Protocol-impersonator domain registered (typosquat) morpho-app.org registered December 5, 2025 (within 90-day lookback). Used Angel Drainer kit. DNS now suspended. Active impersonation infrastructure confirmed — threat actor class is live around Morpho brand.
RD-F-163 yellow Avg attacker reconnaissance time for peer-class protocols Two prior Morpho exploits show short or zero reconnaissance periods: Oct 2024 attacker turned $350 into $230K in a single opportunistic transaction. May 2025 Aerodrome attack had no documented extended recon. Protocol class (large lending, $6.6B TVL) warrants 78-day recon watch but no confirmed long-recon pattern observed.
RD-F-165 yellow Protocol social channel has scam-coordinator flag Typosquat morpho-app.org (Angel Drainer kit) confirms coordinated scam ecosystem around Morpho brand. No specific Discord/Telegram scam-coordinator flag on curator watchlist from public sources. Scam infrastructure exists — full social monitoring would be required for definitive assessment.
RD-F-158 gray Known-threat-actor cluster has touched protocol No public attribution (Chainalysis, OFAC, Etherscan labels) links known Lazarus/DPRK wallet clusters to Morpho Blue interactions as of 2026-04-27. Oct 2024 and May 2025 exploit addresses have no confirmed DPRK attribution in public sources.
RD-F-159 gray Attacker wallet pre-strike probe (low-gas failing txs) No documented low-gas failing tx probe patterns from known threat-actor wallets targeting Morpho Blue markets in 2025-2026 via public sources. Requires mempool access + cluster feed.
RD-F-164 gray Leaked credential on paste/sentry site No public reports of Morpho Labs infrastructure credentials on paste/sentry sites in 2025-2026. SECURITY.MD absent from morpho-blue GitHub repo (data cache: security_md_present: false).
RD-F-160 green GitHub malicious-dependency incident touching protocol deps No public GitHub security advisory flagging malicious release in morpho-org dependencies in trailing 90 days. morpho-blue uses Foundry toolchain (not npm); package_json_present: false reduces npm supply-chain attack surface significantly.
RD-F-162 green Known-exploit-template selector deployed by any address Neither the Oct 2024 nor May 2025 Morpho exploit used a known-exploit-template selector pattern. Both were oracle misconfigurations (PAXG decimal error; Aerodrome AMM LP spot oracle). No confirmed exploit-template contract deployments targeting Morpho Blue in 2025-2026.
Tooling / compiler / AI Green 17 5 of 5
RD-F-170 yellow Solc version used (known-bug versions flagged) Morpho Blue compiled with Solidity v0.8.19; Etherscan shows 4 low-severity known compiler bugs (VerbatimInvalidDeduplication, FullInlinerNonExpressionSplitArgumentEvaluationOrder, MissingSideEffectsOnSelectorAccess, LostStorageArrayWriteOnSlotOverflow); no high/critical bugs; per template, any known-bug-list presence = at least yellow.
RD-F-174 yellow Dependency tree uses EOL Solidity version Morpho Blue core uses Solidity 0.8.19 (7 minor versions behind current stable 0.8.28+); not EOL but dated; no high/critical bugs in 0.8.19 affecting Morpho Blue code patterns; MetaMorpho uses 0.8.21.
RD-F-171 n/a Bytecode similarity to audited upstream with behavior deviation Morpho Blue is an original implementation with no audited upstream to compare against; AI-copy-risk bytecode similarity analysis does not apply.
RD-F-172 green Repo shows AI-tool co-authorship in critical files No AI-tool co-authorship metadata (Copilot, ChatGPT Code Interpreter) detected in Morpho Blue GitHub commits; web search returns no Morpho Blue AI-disclosure results; formal-verification focus (Certora, Halmos) inconsistent with AI-generated critical code.
RD-F-173 green Team self-disclosure of AI-generated Solidity No public disclosure of AI-generated Solidity in security-critical paths found; Morpho blog posts emphasize human-authored and Certora-formally-verified code; no AI tool disclosure in any tweet, blog, or docs.
Response & disclosure hygiene Green 8 4 of 4
RD-F-176 yellow Disclosure SLA public No publicly-stated acknowledgment SLA found in Immunefi program description, docs.morpho.org, or governance forum. Immunefi Approval Required (Category 3) sets publication norms but not a response-time SLA. Channel exists but no SLA stated.
RD-F-175 green Disclosure channel exists Immunefi program active with $2.5M max payout. White hat bounty paid to c0ffeebabe.eth in Apr 2025 demonstrates active monitoring and functional channel. Also referenced in Cantina listing and docs.morpho.org.
RD-F-177 green Prior known-ignored disclosure No evidence of a disclosed vulnerability that was reported and ignored before exploit. Oct 2024 was an error by market deployer; Apr 2025 was caught post-deployment and resolved in minutes. No pre-exploit ignored disclosure found.
RD-F-178 green CVE/GHSA advisory issued against protocol No CVE or GHSA advisory found for morpho-org/morpho-blue or morpho-org/metamorpho. NVD CVE database search returned no results for Morpho Blue. No public advisory outstanding.
rubric_version v1.7.0 graded_at 2026-05-12 04:38:07 factors 184 protocol morpho-v1