Post-exploit response score
Morpho V1 (Morpho Blue + MetaMorpho)'s assessment for RD-F-081 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
- Apr 2025 (most recent): response score ~4/5 — fast rollback (4 min), public post-mortem same day, named SDK packages, root cause stated. Gaps: no commit SHA linked, no formal audit diff published.
- Oct 2024: ~3/5 — governance retrospective published but recovery disputed, no official Morpho timestamp on first response, no code fix (immutable contracts).
Detail
Overall post-exploit response quality is above average for the 2025 incident but incomplete for the 2024 incident. Yellow is the appropriate aggregated score: response quality exists and is not negligent, but falls short of the full-transparency benchmark (commit SHA, remediation diff, confirmed recovery amount).
Sources
- Governance
- https://morpho.org/blog/morpho-app-incident-april-10-2025/ (retrieved 2026-04-27)
Methodology
Curator-score (1–5) the most recent incident response on: compensation completeness, transparency of disclosure, root-cause analysis depth, and operational recovery speed.