Morpho (Aave V3) Security Audit

Summary

Morpho implements a peer-to-peer lending protocol that leverages the liquidity of existing lending protocols like Aave or Compound to allow instant withdrawals. Peer-to-peer matched users benefit from better rates than users of the underlying lending protocols.

The most critical subjects covered in our audit are access control, functional correctness and precision of arithmetic operations. Access control is extensive. Functional correctness of the main contracts is high. Functional correctness of the HeapOrdering data structure is not sufficient as the Heap data structure can be spammed. This issue can also lead to accidental violation of the Heap ordering, causing users additional gas fees. Precision of arithmetic operations is high.

The general subjects covered are documentation and gas efficiency. Documentation is extensive. Gas efficiency can be improved, as shown in Gas inefficiencies.

In summary, we find that the codebase provides a high level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Morpho (Aave V3)

“Morpho is a lending pool optimizer. It is a peer-to-peer layer on top of lending pools like Compound or Aave. Rates are seamlessly improved for suppliers and borrowers while preserving the same liquidity and liquidation parameters.”

Source: Morpho team

ChainSecurity did a rigorous and thorough report of Morpho’s contracts in spite of its inherent complexity and uniqueness. We enjoyed such professionalism and attention to details. We are confident this audit will harness Morpho’s security level.
Merlin Egalité, Co-founder Morpho Labs