DeFiScan
@defiscan
@morpho's decentralization review

Protocol Introduction

Morpho is a lending protocol which enables the deployment of minimal and isolated lending markets by specifying:
- One collateral asset
- One loan asset
- A Liquidation Loan To Value (LLTV) ratio
- An Interest Rate Model (IRM)
- An oracle

Users may lend funds directly on individual Morpho markets or through Morpho Vaults. These vaults are created permissionlessly by third parties, or risk curators, and offer managed lending strategies by aggregating different Morpho markets.

⛓️ Chain 🟢 The report is concerned with the Morpho instance deployed on Ethereum mainnet. Ethereum achieves a Low chain centralization score.

🚨 Upgradability 🟡 Medium Upgradability Centralization Score. The Morpho (markets) protocol and Morpho Vaults are non-upgradeable. No permissions exist in the Morpho protocol that could affect users' funds and unclaimed yield or could otherwise result in non-expected protocol performance. Permissions in Morpho Vaults are owned by the vault creators themselves, aka Curators, and thus are not centralized under Morpho governance. A team multisig, morpho.eth, is able to activate a fee switch and enable new LTV tiers and interest rate models. These permissions can only affect newly created markets, with fees enforced in a fixed range. The morpho.eth multisig is further in control of the $MORPHO token and its upgradeability and minting features. $MORPHO upgrades or minting can directly impact distributed rewards in the system and thus result in the loss of unclaimed yield.

⚠️ Reviewer's Notes about Curators. Curators of Morpho Vaults are in control of critical permissions which can result in the loss of user funds and unclaimed yield. These permissions only have a direct impact on users in the respective vault and thus do not contribute to the centralization of the Morpho protocol. Vault owners can name guardians with the capability to cancel bad behaviors of curators when the actions they take increase the risk to the end user.

⛅ Autonomy 🟡 Medium Autonomy Centralization Score. Morpho Markets are configured with an external price oracle which is neither controlled nor deployed by Morpho. However, the Morpho protocol facilitates oracle creation through a factory, currently MorphoChainlinkOracleV2Factory, which is used by more than 35% of Morpho markets (read more: https://defiscan-git-morpho-defiscan.vercel.app/protocols/morpho#dependencies). This factory wraps price feeds compliant with Chainlink's Aggregator interface and assumes that these feeds never fail (liveness and valid prices). Although the price feed is chosen permissionlessly by the market creator, more than 35% of the Morpho markets rely on a Chainlink curated price feed.

The Chainlink oracle system itself is upgradeable, potentially resulting in the publishing of unintended or malicious prices. The permissions to upgrade are controlled by a 4-of-9 multisig account. This multisig account is listed in the Chainlink docs, but its signers are not publicly announced. An unintended upgrade of the Chainlink price feed contracts could result in stale or inaccurate prices being reported. Since the Morpho oracle reverts on a negative price reported by a Chainlink feed, this failure could result in the permanent freezing of funds in affected markets. With a potential impact on more than 35% of Morpho markets, or more than 30% of Morpho's TVL, Chainlink is thus assessed as a Medium centralization risk for Morpho.
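To make the two oracle assumptions in the posts above concrete (the wrapper trusts feed liveness and reverts on a negative answer, so a failing feed stops every oracle-dependent action while oracle-free actions keep working), here is a small Python model. It is an added example, not Morpho's or Chainlink's code: `Feed` only mimics the shape of a Chainlink Aggregator `latestRoundData()` result, `WrapperOracle` and `Market` are toy stand-ins, and the 1e36 price scale, 18-decimal assets, 8-decimal feed and all amounts are constructed assumptions.

```python
"""Toy model of the oracle failure mode discussed in the review.

Constructed illustration, not Morpho's or Chainlink's code.  Feed mimics the
shape of a Chainlink Aggregator latestRoundData() result, WrapperOracle reads
it the way the review describes (no liveness check, revert on a negative
answer), and Market is a minimal isolated lending market.  The 1e36 price
scale, 18-decimal assets, 8-decimal feed and all amounts are assumptions.
"""
from dataclasses import dataclass

SCALE = 10**36          # assumed fixed-point scale of WrapperOracle.price()
FEED_DECIMALS = 8       # assumed decimals of the wrapped feed
WAD = 10**18            # both market assets assumed to have 18 decimals
NOW = 1_700_000_000     # constructed "current" timestamp


class OracleFailure(Exception):
    """Raised where the on-chain oracle call would revert."""


@dataclass
class Feed:
    """Stand-in for a Chainlink-style feed (constructed, not a real feed)."""
    answer: int          # signed, like Chainlink's int256 answer
    updated_at: int      # timestamp of the last round the feed published

    def latest_round_data(self):
        # (roundId, answer, startedAt, updatedAt, answeredInRound); ids are dummies
        return (1, self.answer, self.updated_at, self.updated_at, 1)


class WrapperOracle:
    """Wraps one feed.  It never looks at updatedAt and reverts on answer < 0."""

    def __init__(self, feed: Feed):
        self.feed = feed

    def price(self) -> int:
        _, answer, _, _updated_at, _ = self.feed.latest_round_data()
        if answer < 0:
            raise OracleFailure("negative answer")   # the revert the review describes
        return answer * SCALE // 10**FEED_DECIMALS


@dataclass
class Position:
    collateral: int = 0
    borrowed: int = 0


class Market:
    """One collateral asset, one loan asset, one LLTV (in WAD), one oracle."""

    def __init__(self, oracle: WrapperOracle, lltv_wad: int):
        self.oracle, self.lltv_wad = oracle, lltv_wad
        self.positions: dict[str, Position] = {}

    def pos(self, user: str) -> Position:
        return self.positions.setdefault(user, Position())

    def healthy(self, p: Position) -> bool:
        if p.borrowed == 0:
            return True                                   # debt-free: no oracle call
        value = p.collateral * self.oracle.price() // SCALE   # may raise OracleFailure
        return p.borrowed <= value * self.lltv_wad // WAD

    def _apply(self, user: str, d_collateral: int, d_borrowed: int) -> None:
        # State is written only after the health check passes, so an oracle
        # revert inside healthy() leaves the position untouched (like a reverted tx).
        p = self.pos(user)
        new = Position(p.collateral + d_collateral, p.borrowed + d_borrowed)
        if not self.healthy(new):
            raise ValueError("position would be unhealthy")
        self.positions[user] = new

    def supply_collateral(self, user: str, amount: int) -> None:   # oracle-free
        self.pos(user).collateral += amount

    def repay(self, user: str, amount: int) -> None:               # oracle-free
        p = self.pos(user)
        p.borrowed -= min(amount, p.borrowed)

    def borrow(self, user: str, amount: int) -> None:              # needs the oracle
        self._apply(user, 0, amount)

    def withdraw_collateral(self, user: str, amount: int) -> None: # needs the oracle
        self._apply(user, -amount, 0)

    def liquidate(self, user: str) -> bool:                        # needs the oracle
        if self.healthy(self.pos(user)):
            return False
        self.positions[user] = Position()   # toy seizure, not the real formula
        return True


def actions_after(feed_answer: int, feed_updated_at: int) -> dict[str, str]:
    """Open a healthy position at 3000 per collateral unit, then move the feed
    to (feed_answer, feed_updated_at) and report which actions still go through."""
    feed = Feed(answer=3000 * 10**FEED_DECIMALS, updated_at=NOW)
    market = Market(WrapperOracle(feed), lltv_wad=8 * 10**17)    # 80% LLTV
    market.supply_collateral("alice", 10 * WAD)                  # worth 30_000
    market.borrow("alice", 20_000 * WAD)                         # ~67% LTV, healthy

    feed.answer, feed.updated_at = feed_answer, feed_updated_at  # the feed "fails"

    results: dict[str, str] = {}
    try:
        results["oracle"] = f"price {market.oracle.price() // SCALE}, answer {NOW - feed.updated_at}s old"
    except OracleFailure as e:
        results["oracle"] = f"reverted: {e}"
    steps = [
        ("supply_collateral", lambda: market.supply_collateral("alice", WAD)),
        ("repay", lambda: market.repay("alice", 1_000 * WAD)),
        ("borrow", lambda: market.borrow("alice", 1_000 * WAD)),
        ("withdraw_collateral", lambda: market.withdraw_collateral("alice", WAD)),
        ("liquidate", lambda: "liquidated" if market.liquidate("alice") else "position healthy"),
    ]
    for name, step in steps:
        try:
            results[name] = step() or "ok"
        except OracleFailure as e:
            results[name] = f"reverted: {e}"
        except ValueError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for label, answer, updated in [
        ("live feed", 3000 * 10**FEED_DECIMALS, NOW),
        ("stale feed, same answer", 3000 * 10**FEED_DECIMALS, NOW - 7 * 86_400),
        ("live feed, price halved", 1500 * 10**FEED_DECIMALS, NOW),
        ("negative answer", -1, NOW),
    ]:
        print(label, actions_after(answer, updated))
```

The four scenarios show the two sides of the assumption: a week-old answer is consumed exactly like a fresh one (no liveness check, so a silently stale feed is indistinguishable from a live one), a live price drop is handled by the normal liquidation path, and a negative answer makes every health check revert, so borrowing, collateral withdrawal and liquidation all stop while only oracle-free actions such as repaying and adding collateral still succeed. That is the "frozen funds" outcome the review warns about: the collateral is stuck until the feed recovers.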

🪟 Exit Window 🟡 Medium Exit Window Centralization Score. The morpho.eth multisig account owns the permission to enable new Liquidation LTVs and Interest Rate Models with which new Morpho Markets can be created, but it cannot change existing Morpho Markets, so user positions are not affected. However, critical permissions in the $MORPHO token allow the same multisig account to upgrade the token contract or mint more tokens. These permissions can result in the loss of unclaimed $MORPHO rewards and thus expose a Medium upgradeability risk. The permissions are not protected with onchain governance and an Exit Window; instead, the morpho.eth multisig account can upgrade and mint on the $MORPHO token contract instantly.