Overview

• On June 1, 2023, GothicShanon89238 reported an issue concerning the AaveV3-ETH Optimizer.

• The exploit was only possible with significant capital (more than ~$40m at the moment of the disclosure) and must be run over 2 blocks at least.

• The exploit could have drained some of the users’ funds by manipulating indexes of AaveV3.

• A successful exploit of this vulnerability could potentially yield a profit of 2,850,000 USD requiring an initial fund of 101,600,000 USD from the attacker.

• The issue has been fixed since then and reviewed by Stermi and cmichel from Spearbit, and Tolga from Runtime Verification.

• The Morpho Association is thankful to GothicShanon89238 and has paid out a bounty of 285,000 USD as a reward.

Proceedings

On June 1, 2023, GothicShanon89238 raised an issue through the Immunefi platform with a proof of concept of the bug. After validating the issue, the Operator paused the supply functions of the contracts a few hours after the disclosure.

Once paused, the Morpho Labs’ security team started investigating a fix and triggered the best auditors that audited the codebase namely Stermi and cmichel from Spearbit, and Tolga from Runtime Verification. The team created private repositories and exhaustively tested the fixes to ensure they work and have no side effects. Once the fixes were validated, The Morpho Association upgraded the different Morpho protocols by submitting the payload to the Delay Modifier. 24 hours later, the upgrade could be executed, and contracts were unpaused. As this was not voted on, the Morpho Association will propose to ratify the changes through governance. Since Sunday 4th, everything is running as usual.

Attack vector

The vulnerability exploits Morpho’s reliance on the underlying pool indexes. In the case of AaveV3, a donation to a specific aToken can be made through flashloans' fees. While a mechanism was introduced to overcome the manipulation of indexes in computing peer-to-peer indexes, the indexes were cached within a block. This is where the issue is lying.

The pool indexes could be inflated by an attacker using flashloans through the premium mechanism while not being reflected on Morpho. In a subsequent transaction, the attacker could leverage this inflated index to inflate the value of their deposit. Thus, allowing them to withdraw or borrow a substantial amount of tokens, stealing users’ funds, and reducing Morpho’s health factor. Below are the steps that should be followed to conduct such an attack.

1. Supply dust through Morpho for the collateral asset so that Morpho caches the index.

2. Conduct many flashloans on Aave to inflate the pool index (a maximum of 180 flashloans can be performed within a block).

3. Now the user can supply a huge amount through Morpho that is accounted for with the cached index. The amount must be larger than the total supply on the pool for this asset to make the attack profitable.

4. Wait for one block.

5. Now the collateral of the user on Morpho is mistakenly higher than what it should be, allowing them to withdraw/borrow more than what they should.

The security team conducted an assessment of the issue. At the moment of the disclosure, the listed market with the smallest total supply was the DAI market with over $37m dollars in deposits.

Mitigation

The fix was pretty simple and consisted in removing the logic related to caching the index and recomputing them at each user interaction.

Takeaways

The motivation behind caching the indexes was gas improvements. This sounds fair from a user perspective but not when it comes to the security of a protocol that is aiming at billions of dollars as deposited assets. Developers usually don’t spend time on small gas optimization and rather try to come up with better protocol designs. This incident reinforces our belief in this. The focus will be on simplifying the codebase for the next protocol iterations.

The team has responded quickly & professionally to the incident. Nonetheless, some areas can be improved, notably in communication with different groups simultaneously and team exhaustion. This was a good stress test, and there is confidence that this experience will help us better manage other incidents in the future, if any.

Closing thoughts

The Morpho team will continue to make the safety of users’ funds its top priority through extensive tests, audits, formal verifications, and bug bounties. An internal report has been created with different actionable to improve incident response plans and security overall.