Overview
On October 13, 2024, the Morpho PAXG/USDC market was exploited due to a misconfigured oracle. This vulnerability allowed the attacker to withdraw $230,000 USD by exploiting an inflated gold valuation caused by a miscalculated SCALE_FACTOR in the price oracle. The issue arose due to an incorrect understanding of decimal differences between PAXG and USDC tokens
About Project
Morpho (formerly known as Morpho Blue) is a decentralized protocol enabling the overcollateralized lending and borrowing of crypto assets (ERC20 & ERC4626 Tokens) on the EVM. The protocol is implemented as an immutable smart contract, engineered to serve as a trustless base layer for lenders, borrowers, and applications.
Exploit Details
Vulnerable Contract Address: 0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb
Attack Transaction : 0x256979
Attacker Address : 0x02DBE46169fDf6555F2A125eEe3dce49703b13f5
Attack Process
The attacker identified a misconfiguration in the oracle price calculations for the PAXG/USDC market.
The oracle incorrectly valued PAXG due to a mismatched SCALE_FACTOR.
The SCALE_FACTOR was miscalculated because of a 12-decimal difference between USDC (6 decimals) and PAXG (18 decimals).
This caused PAXG to be overvalued by a factor of 10¹², setting gold’s price at $2.6 trillion.
Using the inflated price, the attacker deposited only $351 worth of PAXG tokens into the vulnerable market.
Exploiting the inflated collateral value, the attacker borrowed $230,000 in USDC.
The attacker successfully withdrew the borrowed USDC, causing a significant loss to the protocol.
The Root Cause
The SCALE_FACTOR for the oracle price calculations was incorrectly configured during the market creation process. Decimal differences between the tokens (PAXG with 18 decimals and USDC with 6 decimals) were overlooked, resulting in a 12-decimal inflation in PAXG’s valuation.
Flow of Funds
See the funds flow here:
How could they have prevented the Exploit?
Implement automated checks to ensure decimal consistency between base and quote tokens when configuring oracles.Implement limits on borrowable amounts based on absolute collateral values to prevent over-collateralization due to oracle errors.Engage with reputable audit firms like QuiilAudits to conduct comprehensive security audits and fix potential vulnerabilities before they can be exploited.
Why QuillAudits?
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.
Decoding MorphoBlue’s $230K Exploit was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.