defirisk.co
rubric v1.7.0

New ERC-20 approval to unverified contract from whale

The Morpho V1 (Morpho Blue + MetaMorpho) assessment for RD-F-096 scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

April 2025 incident: because of a frontend misconfiguration, Bundler3 received token approvals instead of the adapter; $2.6M was at risk, the funds were intercepted by c0ffeebabe.eth, and the net loss was $0. The approval-misdirection pattern is structurally applicable to Morpho's Bundler architecture.

Detail

The April 10, 2025 frontend update caused token approvals to be directed to Bundler3 instead of the adapter. The white-hat c0ffeebabe.eth intercepted the at-risk funds. This is a confirmed activation of the approval-misdirection signal class. The incident is resolved, but it has not been structurally mitigated at the code level: frontend-to-contract approval routing remains a live attack surface.

Sources

Methodology

Detect whether a top-TVL depositor grants a new token approval to an unverified contract that interacts with this protocol.
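As an added illustration of this methodology (not defirisk.co's own detector), the check below decodes ERC-20 Approval event logs and flags the first non-zero approval from a top-TVL depositor to a spender that is unverified and known to interact with the protocol. The whale list, the verified-contract set and the protocol-interactor set are assumed inputs maintained out of band, and every address, transaction hash and log entry is constructed for the example.

```python
# Added example, not defirisk.co code; all addresses, tx hashes and logs below
# are constructed placeholders. APPROVAL_TOPIC is the real ERC-20 event topic,
# keccak256("Approval(address,address,uint256)").
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"

def decode_approval(log):
    """Return (token, owner, spender, value) for an Approval log, else None."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    # Indexed address args are left-padded to 32 bytes; keep the low 20 bytes.
    owner, spender = ("0x" + t[-40:].lower() for t in topics[1:])
    return log["address"].lower(), owner, spender, int(log["data"], 16)

def detect_whale_approvals(logs, whales, verified, interactors, seen=None):
    """Alert on the first non-zero Approval from a whale to a spender that is
    unverified and interacts with the protocol; `seen` suppresses repeats."""
    seen = set() if seen is None else seen
    alerts = []
    for log in logs:
        decoded = decode_approval(log)
        if decoded is None:
            continue                          # not an ERC-20 Approval event
        token, owner, spender, value = decoded
        is_new = (owner, spender, token) not in seen
        seen.add((owner, spender, token))
        if value == 0 or not is_new:          # revocation or repeat approval
            continue
        if owner in whales and spender in interactors and spender not in verified:
            alerts.append({"tx": log["transactionHash"], "token": token,
                           "owner": owner, "spender": spender, "value": value})
    return alerts

def make_approval_log(tx, token, owner, spender, value):
    # Constructed eth_getLogs-style Approval entry used as sample input.
    pad = lambda a: "0x" + a[2:].lower().rjust(64, "0")
    return {"address": token, "transactionHash": tx, "data": "0x%064x" % value,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)]}

WHALE, RETAIL, TOKEN = ("0x" + c * 40 for c in "12d")          # constructed addresses
VERIFIED_BUNDLER, UNVERIFIED, UNRELATED = ("0x" + c * 40 for c in "abc")

def run_sample():
    logs = [make_approval_log("0xtx1", TOKEN, WHALE, UNVERIFIED, 10**24),        # fires
            make_approval_log("0xtx2", TOKEN, WHALE, VERIFIED_BUNDLER, 10**24),  # verified spender
            make_approval_log("0xtx3", TOKEN, RETAIL, UNVERIFIED, 10**24),       # not a whale
            make_approval_log("0xtx4", TOKEN, WHALE, UNRELATED, 10**24),         # no protocol link
            make_approval_log("0xtx5", TOKEN, WHALE, UNVERIFIED, 0),             # revocation
            make_approval_log("0xtx6", TOKEN, WHALE, UNVERIFIED, 5 * 10**23)]    # repeat approval
    return detect_whale_approvals(logs, {WHALE}, {VERIFIED_BUNDLER},
                                  {VERIFIED_BUNDLER, UNVERIFIED})
```

Only the first log fires; the verified spender, the non-whale owner, the spender with no protocol link, the revocation and the repeat approval are all suppressed.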


rubric_version: v1.7.0
protocol: morpho-v1
factor: RD-F-096
score: yellow
collected_at: 2026-04-30 21:19:13