defirisk.co
rubric v1.7.0

Permissionless-pool lending oracle

Assessment of Morpho V1 (Morpho Blue + MetaMorpho) for RD-F-181: scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

Structural risk is present but mitigated by the curator layer. Morpho Blue's permissionless market creation accepts any oracle address, including one that reads the spot price from a permissionlessly-created DEX pool with no liquidity floor or token-age minimum. The reference ChainlinkOracleV2 does not use permissionless DEX pools. High-TVL curator-governed vaults avoid adversarial markets.

Detail

Morpho Blue docs: the oracle is 'any address implementing IOracle.price()', so there is no protocol-level filter on oracle quality. A market creator can configure an oracle that reads the spot price from a permissionlessly-created Uniswap v3 pool with 1 block of liquidity and no TWAP. This matches the F181 definition exactly.

Partial mitigations:
(1) the reference ChainlinkOracleV2 does not use DEX spot prices;
(2) MetaMorpho curators (Steakhouse, Re7, Gauntlet) do not allocate vault funds to unvetted markets;
(3) the PAXG/USDC exploit was a decimal error in a Chainlink-based oracle, not a DEX spot oracle.

Template: yellow = partial filters present (the curator layer mitigates for vault TVL; direct market exposure is unmitigated).

Methodology

Determine whether the lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools, without requiring a TWAP window, liquidity floor, or token-age minimum on the venue side.

rubric_version: v1.7.0
protocol: morpho-v1
factor: RD-F-181
score: yellow
collected_at: 2026-04-30 21:19:13