Morpho
DAMASCUSLending / Borrowing · Ethereum + Base · $3B+ TVL · 10 contracts
Confidence 61%Z-Factor 0.68Updated 2026-05-17Public Score
Public risk assessment — scores are produced with the same methodology as monitored protocols
799
BRI Score
3004756508251000
Security Profile
Access Control
85
85
Economic Soundness
82
82
Oracle Integrity
80
80
Compositional Risk
72
72
Governance
68
68
Maturity
65
65
Resilience
54
54
Supply Chain
90
90
Op Security
59
59
Cascade Exposure
55
55
Access Ctrl
85
85
Economic
82
82
Oracle
80
80
Compos.
72
72
Govern.
68
68
Maturity
65
65
Resilience
54
54
Supply Ch.
90
90
OpSec
59
59
Cascade
55
55
Min
54
Avg
71
Max
90
Audit History
Spearbit
2023-12
Cantina Competition
2024-07
Trail of Bits
2024-01
Bug Bounty Program
$500,000
Max payout on Immunefi
Assessment
Exceptionally clean design with formally verified immutable core. Strongest supply chain score (D8=90) in this batch. Maturity (D6=65) and governance (D5=68) are main drags due to youth. Should improve significantly with time.
Dimension Breakdown
How scores work →Access Control
Weight 18%82% conf
85
arrow_forwardStrong
-8Minimalist Morpho Blue core: ~650 lines, immutable, no admin keys
+42Authorization model via callbacks (well-scoped)
+42MetaMorpho vaults add curator layer with controlled permissions
-8No emergency pause on base layer (by design)
receipt_longView provenance chainarrow_forward
Economic Soundness
Weight 13%78% conf
82
arrow_forwardStrong
-9Isolated markets: no cross-collateralization contagion
+41LLTV per market, clean liquidation math
+41Interest rate model (IRM) is modular and well-designed
-9Bad debt is isolated per market, not socialized across protocol
receipt_longView provenance chainarrow_forward
Oracle Integrity
Weight 13%76% conf
80
arrow_forwardStrong
+40Oracle-agnostic: each market specifies its own oracle
-10Risk delegated to market creators/curators
-10No protocol-level oracle validation (intentional design)
+40Popular markets use Chainlink, Morpho oracles wrapper
receipt_longView provenance chainarrow_forward
Battle-Tested Maturity
Weight 12%72% conf
65
arrow_forwardModerate
+13Morpho Blue live since Jan 2024 (~1.5 years)
+13Original Morpho Optimizer (2022) provides org maturity
+13Formally verified core contract
+13Rapid TVL growth to $5B but limited stress-test history
receipt_longView provenance chainarrow_forward
Governance & Upgradeability
Weight 10%75% conf
68
arrow_forwardModerate
+23Base layer is immutable (strong governance by design)
+23MetaMorpho curators have significant control over vault allocation
-32No protocol-level token governance yet (MORPHO token governance minimal)
+23Morpho Labs retains influence on ecosystem direction
receipt_longView provenance chainarrow_forward
Adversarial Resiliencelock
Weight 10%95% conf
54
Concerning
- Score derived from continuous adversarial security research
Operational Security
Weight 10%60% conf
59
arrow_forwardModerate
-10No branch protection detected
+15Active CI/CD (100% success rate)
+15Commit signing: 100% verified
-10Minimal development activity (2 commits/month)
receipt_longView provenance chainarrow_forward
Compositional Risk
Weight 5%74% conf
72
arrow_forwardGood
+18MetaMorpho vaults compose over base markets (curator trust)
+18Growing integration ecosystem (Steakhouse, Re7, Gauntlet curators)
+18Callback-based authorization enables complex composition
+18Vault reallocation can create cascading liquidity shifts
receipt_longView provenance chainarrow_forward
Cascade Exposure
Weight 5%90% conf
55
arrow_forwardModerate
+18Appears in 9 cross-protocol cascade chain(s)
+18Member of 8 dependency cluster(s)
-45Score: 55/100 (higher = more isolated from systemic risk)
+18Source: cross_protocol_composition.json dependency analysis
receipt_longView provenance chainarrow_forward
Supply Chain
Weight 4%88% conf
90
arrow_forwardExcellent
-5Extremely minimal dependency chain (by design)
-5No proxy patterns on base layer
+45Formal verification of core invariants
+45Clean, well-audited codebase (Spearbit, Cantina)
receipt_longView provenance chainarrow_forward
Risk Drivers
Primary risk factors driving this score, ordered by severity.
Adversarial Resilience54
Cascade Exposure55
Operational Security59
Adversarial Risk Signals
Observable security posture indicators. These signals reflect publicly verifiable information and responsible disclosure outcomes. No specific vulnerability details are exposed.
Disclosure HistoryNot Assessed
Remediation VelocityNot Assessed
Bug Bounty ProgramNot Assessed
Audit CoverageNot Assessed
Incident HistoryNot Assessed
Score History & Verification
Score provenance tracking begins with the next reassessment.
On-Chain Data
- Protocol Slug
- "morpho"
- Oracle
- BRORegistry (Base)
- Evidence
- IPFS (pinned)
- Staleness Threshold
- 24 hours
Read Score
registry.getScore("morpho")Reduce exploitable risk
BlackHart Monitoring provides continuous adversarial analysis, vulnerability detection, remediation support, and verified reassessment when your risk posture improves.