defirisk.co
rubric v1.7.0

Immutable oracle address

Assessment of Morpho V1 (Morpho Blue + MetaMorpho) for factor RD-F-180, scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

[★ CRITICAL — T-14 promoted 2026-04-22] The oracle address is immutable at market creation. The MarketParams.oracle field is part of the market ID hash, so changing it creates a new market. There is no setOracle function on core (0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb). ChainlinkOracleV2 feeds are Solidity immutable variables with no admin setter. The PAXG/USDC exploit ($230K, Oct 2024) is the realized consequence.

Note: the docs.morpho.org page was renamed from 'Morpho Market V1' to 'Variable Rate Market (Morpho Blue)' between April and May 2026; the structural immutable-oracle claim is unchanged in the new framing.

Detail

The Morpho Blue docs state: 'Once a market is deployed, its oracle address cannot be modified.' The MarketParams struct is hashed to produce the market ID, so the oracle is a structural parameter. The MorphoChainlinkOracleV2 contract stores BASE_FEED_1, BASE_FEED_2, QUOTE_FEED_1 and QUOTE_FEED_2 as immutable state variables. The factory deploys via CREATE2 with fixed parameters. No admin can change a deployed oracle without deploying a new market and migrating users. The PAXG/USDC incident required creating a new market to remediate.

F180 definition: oracle source address not programmatically replaceable by admin action without full upgrade. MET at both the market-param level (Morpho Blue core design) and the oracle-contract level (immutable feed variables in ChainlinkOracleV2).

Wave B.4 fix (2026-05-07): docs.morpho.org/learn/concepts/market/ redirected to 'Variable Rate Market (Morpho Blue)' content, but the structural claim still holds; the pinned Wayback snapshot preserves the original V1-named attestation, and the Etherscan + Morpho.sol + PAXG/USDC retrospective sources independently support the immutability.

Methodology

Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.
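One way to automate a first pass of this check, as an added example that is not part of the original assessment or of Morpho's code. It is a regex heuristic over Solidity source text; the contract fragments, `audit_oracle` and the other names are constructed for illustration.

```python
import re

# Constructed Solidity fragments, not Morpho's source. FIXED follows the design the
# assessment describes (immutable feeds, no setter); WRAPPED is a hypothetical
# admin-replaceable adapter.
FIXED = """
contract FixedFeedOracle {
    address public immutable BASE_FEED_1;
    address public immutable QUOTE_FEED_1;
    constructor(address b, address q) { BASE_FEED_1 = b; QUOTE_FEED_1 = q; }
    function price() external view returns (uint256) { return 0; }
}
"""
WRAPPED = """
contract AdapterOracle {
    address public owner;
    address public feed;
    function setFeed(address f) external { require(msg.sender == owner); feed = f; }
    function price() external view returns (uint256) { return 0; }
}
"""

VIS = r"(?:(?:public|private|internal)\s+)?"
# Address state variable: captures the optional `immutable` keyword and the name.
STATE_VAR = re.compile(rf"^\s*address\s+{VIS}(immutable\s+)?{VIS}(\w+)\s*;", re.M)
# Function name, the modifiers between ")" and "{", and a brace-free body.
FUNC = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{]*)\{([^}]*)\}")
READ_ONLY_OR_HIDDEN = {"view", "pure", "internal", "private"}

def audit_oracle(source):
    """List immutable address slots and externally callable functions that
    reassign a mutable address slot (candidate admin setters)."""
    slots = {m.group(2): bool(m.group(1)) for m in STATE_VAR.finditer(source)}
    mutable = [name for name, imm in slots.items() if not imm]
    setters = {}
    for m in FUNC.finditer(source):
        name, mods, body = m.groups()
        if set(re.findall(r"\w+", mods)) & READ_ONLY_OR_HIDDEN:
            continue  # cannot change state, or not reachable from outside
        # "x =" but not "x ==": a plain assignment to a mutable address slot
        written = [v for v in mutable if re.search(rf"\b{re.escape(v)}\s*=(?!=)", body)]
        if written:
            setters[name] = written
    return {"immutable": sorted(n for n, imm in slots.items() if imm),
            "setters": setters,
            "admin_replaceable": bool(setters)}
```

A result with immutable feed slots and `admin_replaceable` false matches the condition this factor flags; anything the heuristic reports still needs manual confirmation against the deployed, verified source.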


rubric_version: v1.7.0
protocol: morpho-v1
factor: RD-F-180
score: red
collected_at: 2026-04-30 21:19:13