DeFiScan
@defiscan
@morpho's decentralization review
Protocol Introduction

Morpho is a lending protocol which enables the deployment of minimal and isolated lending markets by specifying:
- One collateral asset
- One loan asset
- A Liquidation Loan To Value (LLTV) ratio
- An Interest Rate Model (IRM)
- An oracle

Users may lend funds directly on individual Morpho markets or through Morpho Vaults. These vaults are created permissionlessly by third parties, or risk curators, and offer managed lending strategies by aggregating different Morpho markets.
⛓️ Chain

🟢 The report is concerned with the Morpho instance deployed on Ethereum mainnet. Ethereum achieves a Low chain centralization score.
🚨 Upgradability

🟡 Medium Upgradability Centralization Score

The Morpho (markets) protocol and Morpho Vaults are non-upgradeable. No permissions exist in the Morpho protocol that could affect users' funds and unclaimed yield or could otherwise result in unexpected protocol performance. Permissions in Morpho Vaults are owned by the vault creators themselves, aka Curators, and thus are not centralized under Morpho governance.

A team multisig, morpho.eth, is able to activate a fee switch and enable new LTV tiers and interest rate models. These permissions can only affect newly created markets, with fees enforced in a fixed range. The morpho.eth multisig is further in control of the $MORPHO token and its upgradeability and minting features. $MORPHO upgrades or minting can directly impact distributed rewards in the system and thus result in the loss of unclaimed yield.
⚠️ Reviewer's Notes about Curators

Curators of Morpho Vaults are in control of critical permissions which can result in the loss of user funds and unclaimed yield. These permissions only have a direct impact on users in the respective vault and thus do not contribute to the centralization of the Morpho protocol. Vault owners can name guardians who are able to cancel curators' actions when those actions increase the risk to the end user.
⛅ Autonomy

🟡 Medium Autonomy Centralization Score

Morpho Markets are configured with external price oracles, which are neither controlled by Morpho nor deployed by Morpho. However, the Morpho protocol facilitates oracle creation through a factory, currently MorphoChainlinkOracleV2Factory, which is used by more than 35% of Morpho markets (read more: https://defiscan-git-morpho-defiscan.vercel.app/protocols/morpho#dependencies). This factory wraps price feeds compliant with Chainlink's Aggregator interface and assumes that these feeds never fail, that is, that they stay live and report valid prices. Although the price feed is chosen permissionlessly by the market creator, more than 35% of the Morpho markets rely on a Chainlink-curated price feed.
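An added example, not part of DeFiScan's review or Morpho's code: an off-chain monitor that applies the liveness and validity checks the wrapped feeds are assumed never to need. The field names follow the tuple returned by `latestRoundData()` in Chainlink's AggregatorV3Interface; the feed labels, round values, clock and the `max_age_s` staleness budget are constructed assumptions.

```python
from dataclasses import dataclass

# Fields mirror latestRoundData() in Chainlink's AggregatorV3Interface.
@dataclass(frozen=True)
class RoundData:
    round_id: int
    answer: int            # signed price, scaled by the feed's decimals
    started_at: int        # unix seconds
    updated_at: int        # unix seconds
    answered_in_round: int

def feed_problems(rd: RoundData, now: int, max_age_s: int) -> list[str]:
    """List the failures a consumer misses if it trusts the answer blindly.
    max_age_s is an assumed per-feed staleness budget set by the monitor."""
    problems = []
    if rd.answer <= 0:
        problems.append("non-positive price")          # validity
    if rd.updated_at == 0:
        problems.append("round not complete")          # liveness
    elif rd.updated_at > now:
        problems.append("timestamp in the future")
    elif now - rd.updated_at > max_age_s:
        problems.append(f"stale by {now - rd.updated_at - max_age_s}s")
    return problems

def triage(feeds: dict[str, RoundData], now: int, max_age_s: int) -> dict[str, list[str]]:
    """Map each feed label to its problems, keeping only unhealthy feeds."""
    report = {name: feed_problems(rd, now, max_age_s) for name, rd in feeds.items()}
    return {name: found for name, found in report.items() if found}

NOW = 1_700_000_000  # constructed clock value
SAMPLE_FEEDS = {     # constructed feed labels and rounds (8-decimal prices)
    "feed-healthy": RoundData(10, 2_000_00000000, NOW - 120, NOW - 100, 10),
    "feed-stale": RoundData(11, 2_000_00000000, NOW - 90_100, NOW - 90_000, 11),
    "feed-zero": RoundData(12, 0, NOW - 60, NOW - 50, 12),
    "feed-pending": RoundData(13, 1_00000000, NOW - 60, 0, 12),
}

if __name__ == "__main__":
    for name, found in triage(SAMPLE_FEEDS, NOW, max_age_s=3600).items():
        print(name, "->", "; ".join(found))
```

Any feed this flags is one whose price a market built on the wrapper would still consume as-is.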