On June 1, 2023, security researcher GothicShanon89238 reported a vulnerability affecting the AaveV3-ETH Optimizer. The exploit required significant initial capital, estimated at over 40 million dollars at the time of disclosure, and had to be executed over at least two blocks. It could have been used to exploit a discrepancy between the AaveV3 pool indexes and the values Morpho cached, potentially allowing an attacker to drain some user funds. In the scenario analyzed, a successful exploit would have generated approximately 2.85 million dollars in profit against an initial investment of about 101.6 million dollars. The issue was promptly investigated and resolved, with the fix reviewed by auditors Stermi and cmichel from Spearbit and Tolga from Runtime Verification. In recognition of the responsible disclosure, the Morpho Association rewarded GothicShanon89238 with a bounty of 285,000 dollars.
After receiving the report through the Immunefi platform, the Morpho team verified the vulnerability and immediately paused the supply functions of the affected contracts to prevent any possible exploitation. The security team then worked with experienced auditors to identify and implement a fix. Private repositories were created to test and validate the patch thoroughly, ensuring that it addressed the problem without introducing new risks. Once confirmed, the Morpho Association deployed the fix by submitting the payload to the Delay Modifier, which was executed 24 hours later. The contracts were unpaused on June 4, 2023, and operations returned to normal. The Morpho Association also plans to submit a governance proposal to ratify the implemented changes officially.
The vulnerability stemmed from how Morpho relied on AaveV3’s underlying pool indexes. On AaveV3, flashloan premiums are paid into the aToken pool as a donation to its suppliers, which raises the pool’s liquidity index. Morpho tracks positions as pool-scaled balances and converts them to underlying amounts using that index. Morpho had a mechanism to mitigate index manipulation; however, the indexes were cached for the duration of a block, leaving a small window in which the cached value could lag behind Aave’s real-time one. By inflating the pool index through repeated flashloans after the cache had been set, and then supplying to Morpho in the same block, an attacker could have the deposit booked against the stale, lower index, receiving more scaled units than the deposit was worth. In the following block, once Morpho read the updated index, the attacker’s collateral would appear artificially higher, enabling them to withdraw or borrow more than they legitimately should, at the expense of other users. Although the attack required extremely high capital and was not feasible for most actors, it posed a theoretical risk to user funds. At the time, the smallest listed market was the DAI market with over 37 million dollars in deposits, which, together with the fact that the premiums an attacker pays are shared with every other supplier in the pool, limited the practicality of such an attack.
The implemented fix was simple but effective. The per-block caching mechanism for indexes was removed entirely, and the system was modified to recompute the pool indexes from AaveV3 during every user interaction, at the cost of the gas the cache had saved. Since Morpho’s view of the index can no longer lag behind the pool within a block, every deposit is booked at the same index the pool itself uses, which closes this class of cached-index discrepancy.
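To make the failure mode and the fix concrete, here is an added worked example (not Morpho or Aave code): a toy Python model of a pool with a liquidity index, flashloan premiums that are cumulated into that index, and a Morpho layer in two variants, one caching the index per block (the vulnerable behaviour) and one re-reading it on every interaction (the fix). The `Pool`, `Morpho` and `run_attack` names, the 0.05% premium, the pool size, the flashloan size and the attacker’s deposit are all constructed for this example and are not the real contracts’ arithmetic or parameters.

```python
"""Toy model of the index-cache issue (added example, not Morpho or Aave code).

Simplifying assumptions:
  * the pool tracks supplies as scaled balances: underlying = scaled * index;
  * a flashloan premium is donated to suppliers by scaling the liquidity index
    by (1 + premium / total_liquidity), AaveV3's mechanism in spirit;
  * the vulnerable Morpho caches the pool index once per block, the patched
    one re-reads it on every interaction; amounts are exact Fractions.
"""
from fractions import Fraction as F

PREMIUM = F(5, 10_000)  # 0.05 % flashloan premium (toy value, not Aave's config)


class Pool:
    """Minimal AaveV3-style reserve: scaled balances plus a liquidity index."""

    def __init__(self, initial_liquidity: F) -> None:
        self.index = F(1)                      # index starts at 1.0 ...
        self.scaled_total = initial_liquidity  # ... so scaled == underlying at t0

    @property
    def total_liquidity(self) -> F:
        return self.scaled_total * self.index

    def deposit(self, amount: F) -> F:
        """Credit `amount` of underlying; return the scaled units minted."""
        scaled = amount / self.index
        self.scaled_total += scaled
        return scaled

    def flashloan(self, amount: F) -> F:
        """Borrow and repay in one tx; the premium is cumulated into the index."""
        premium = amount * PREMIUM
        self.index *= 1 + premium / self.total_liquidity
        return premium


class Morpho:
    """Morpho layer keeping per-user pool-scaled balances."""

    def __init__(self, pool: Pool, cache_per_block: bool) -> None:
        self.pool = pool
        self.cache_per_block = cache_per_block  # True = vulnerable, False = fix
        self.cached_index, self.cached_block = F(0), -1
        self.scaled: dict[str, F] = {}   # what Morpho credits to each user
        self.pool_scaled = F(0)          # what Morpho really holds in the pool

    def _index(self, block: int) -> F:
        """Pool index as Morpho sees it during `block`."""
        if self.cache_per_block and self.cached_block == block:
            return self.cached_index  # stale if the pool moved earlier this block
        self.cached_index, self.cached_block = self.pool.index, block
        return self.cached_index

    def interact(self, block: int) -> None:
        """Any state-changing call (e.g. another user's tx) refreshes the cache."""
        self._index(block)

    def supply(self, user: str, amount: F, block: int) -> None:
        index = self._index(block)
        self.pool_scaled += self.pool.deposit(amount)  # booked at the real index
        self.scaled[user] = self.scaled.get(user, F(0)) + amount / index  # Morpho's view

    def collateral(self, user: str, block: int) -> F:
        return self.scaled.get(user, F(0)) * self._index(block)

    def shortfall(self, block: int) -> F:
        """Credited user balances minus what Morpho actually holds in the pool."""
        index = self._index(block)
        return (sum(self.scaled.values(), F(0)) - self.pool_scaled) * index


def run_attack(cache_per_block: bool, pool_liquidity: int, deposit: int,
               flashloan: int, rounds: int) -> dict[str, F]:
    """Two-block scenario: inflate the index, supply at the stale one, revalue."""
    pool = Pool(F(pool_liquidity))
    morpho = Morpho(pool, cache_per_block)
    morpho.interact(block=1)  # block 1: an earlier tx has cached index 1.0
    fees = sum((pool.flashloan(F(flashloan)) for _ in range(rounds)), F(0))
    morpho.supply("attacker", F(deposit), block=1)     # booked at the stale index
    credited = morpho.collateral("attacker", block=2)  # next block: fresh index
    excess = credited - deposit
    return {"excess_credited": excess, "fees_paid": fees,
            "profit": excess - fees, "shortfall": morpho.shortfall(block=2)}


if __name__ == "__main__":
    for label, cached in (("vulnerable (per-block cache)", True),
                          ("patched (always recompute)", False)):
        r = run_attack(cached, 37_000_000, 100_000_000, 30_000_000, 10)
        print(label, {k: f"{float(v):,.2f}" for k, v in r.items()})
```

In this model the index after n equal flashloans is exactly 1 + n·fee/T, so the attacker is credited deposit·n·fee/T in excess while paying n·fee in premiums; the attack is only profitable when the deposit exceeds the pool’s pre-existing liquidity T, and the excess is exactly the shortfall left for other Morpho users. Against the patched variant the excess and the shortfall are both zero and the attacker simply loses the fees.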
This incident provided valuable lessons for the development team. The index caching mechanism was originally designed as a gas optimization measure to improve efficiency for users. However, this event highlighted that gas optimization should never come at the cost of security, especially for protocols managing large-scale funds. The Morpho Labs team has since prioritized simplification and security over minor efficiency improvements. While the overall response was swift and effective, internal reviews identified areas for improvement, including better coordination between teams and reducing fatigue during emergency situations. The experience served as a valuable stress test and has strengthened the team’s preparedness for handling potential incidents in the future.
Morpho remains committed to maintaining the highest standards of security and transparency. The team continues to focus on the protection of user funds through rigorous testing, formal verification, multiple audits, and ongoing bug bounty programs. An internal report has been compiled with actionable measures to enhance incident response and overall protocol security. The Morpho Association also extends appreciation to the security community for its continued vigilance and collaboration in strengthening the ecosystem. This incident underscores Morpho’s dedication to constant improvement and its unwavering focus on safety, trust, and resilience within decentralized finance.
