Morpho implements a peer-to-peer lending protocol that leverages the liquidity of existing lending protocols like Aave or Compound to allow instant withdrawals. Peer-to-peer matched users benefit from better rates than users of the underlying lending protocols.
The most critical subjects covered in our audit are access control, functional correctness and precision of arithmetic operations. Access control is extensive. Functional correctness of the main contracts is high. Functional correctness of the HeapOrdering data structure is not sufficient as the Heap data structure can be spammed. This issue can also lead to accidental violation of the Heap ordering, causing users additional gas fees. Precision of arithmetic operations is high.
The general subjects covered are documentation and gas efficiency. Documentation is extensive. Gas efficiency can be improved, as shown in Gas inefficiencies.
In summary, we find that the codebase provides a high level of security.
It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.