DeFiPunk'd

Morpho

4 deployments · $7.2B aggregate TVL · Lending

Deployments

Each deployment is rated independently. Pick one to see its rating, risk analysis, and stage.
TVL $7.2B
Type Lending
Chains Ethereum, Base, Hyperliquid L1, Monad, Katana +31
View on DeFiLlama ↗
Control — tentative orange Ability to exit — tentative green Autonomy — tentative red (2/3 models submitted) Open Access — tentative orange (2/3 models submitted) Verifiability — tentative green Control Exit Autonomy Open Access Verifiable
Control criteria
Upgradeability Immutable Bug bounty immunefi.com Governance forum forum.morpho.org Docs docs.morpho.org
About

Morpho Blue is an immutable, permissionless lending primitive that allows anyone to create isolated lending markets. Users supply or borrow assets in markets defined by a loan token, collateral token, oracle, interest rate model (IRM), and liquidation loan-to-value (LLTV). The core contract has no pause mechanism, no upgrade path, and minimal governance powers limited to enabling new IRMs/LLTVs and setting protocol fees up to 25%.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home Contribute an LLM-run assessment — any model, any dimension. Three agreeing runs merge automatically into the public record.

DEFI@home is a distributed audit network modeled on SETI@home: instead of CPU cycles, it crowdsources LLM reasoning. Paste a slice prompt into Claude, ChatGPT, Gemini, or any browsing-capable model, and submit the JSON output as a pull request. The quorum bot merges it once ≥3 independent runs (from different models) reach the same grade — no single model, and no single contributor, can move the needle alone. How it works →

  • Address discovery 48 addresses on file · 1 run Submit run ↗
  • Verifiability ✓ 3/3 models agree AI-only weak green — weak consensus margin; only 0/3 sources have a public chat share link; total support weight 0.52 below confidence floor (1.5) Submit run ↗
  • Control ✓ 3/3 models agree AI-only weak orange — weak consensus margin; only 0/3 sources have a public chat share link; total support weight 0.44 below confidence floor (1.5) Submit run ↗
  • Ability to exit ✓ 3/3 models agree AI-only weak green — only 0/3 sources have a public chat share link; total support weight 0.08 below confidence floor (1.5) Submit run ↗
  • Autonomy 2/3 submitted Submit run ↗
  • Open Access 2/3 submitted Submit run ↗
  • Audit all 5 dimensions · one prompt Submit run ↗
  1. Verifiability tentative 3/3 models agree AI-only 0/3 with chat share link
    Core Morpho Blue contracts fully verified on Etherscan, immutable (no proxy), sourced from pinned GitHub tags, and audited by multiple tier-1 firms including Spearbit, OpenZeppelin, Certora, and ChainSecurity
    Verdict

    Choosing green because the core Morpho Blue singleton (the primary fund-custody contract) is verified on Etherscan without proxy wrapping, tied to a public GitHub repo at a pinned v1.0.0 tag, immutable by design, and covered by audits from Spearbit, OpenZeppelin, and Certora at the time of deployment. The Vault V2 layer (MetaMorpho) received six separate 2025 audits from recognized firms. The missing bytecode diff is recorded in unknowns[] as a scope limit per rubric, not a downgrade signal, because the core contract's immutability makes post-audit drift structurally impossible, and the peripheral vault contracts have recent, thorough audit coverage.

    Steelman argument
    Steelman argument The core Morpho Blue singleton is immutable and verified on Etherscan with ABI sourced from Etherscan (not 'similar match'), it is not a proxy, it is tied to a public GitHub repo at a pinned v1.0.0 tag, and was audited by at least three recognized tier-1 firms (Spearbit, OpenZeppelin, Certora) covering the deployed version. Vault V2 received six separate 2025 audits from recognized firms including Spearbit, ChainSecurity, Zellic, Blackthorn, and Certora formal verification. The docs-to-GitHub linkage is explicit and commit-pinned.
    Evidence (6)
    V1
    Morpho Blue core singleton (0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb, Ethereum) is verified on Etherscan (abiSource='etherscan', verified=true) and is NOT a proxy (proxy=null per /api/contract/abi response). The contract is explicitly immutable. The Adaptive Curve IRM (0x870aC11D48B15DB9a138Cf899d20F13F79Ba00BC) and other periphery contracts (MetaMorpho factories, VaultV2Factory, etc.) are also listed with source code links pointing to pinned GitHub tags in the official deployed-addresses doc.
    V2
    The official Morpho docs (llms-full.txt) explicitly map every deployed contract to its GitHub source repo and tag: Morpho Blue core → github.com/morpho-org/morpho-blue/tree/v1.0.0; Adaptive Curve IRM → morpho-blue-irm/tree/v1.0.0; MetaMorpho V1.1 → metamorpho-v1.1/tree/5a0717b2...; Bundler3 → bundler3/tree/82e44dd...; Vault V2 → vault-v2; Pre-liquidation factory → pre-liquidation/tree/16978c5.... Commit SHAs are pinned in the docs for peripheral contracts. V2 repo-to-explorer matching was not independently compiled in this run.
    V3
    Audit coverage confirmed via official docs (llms-full.txt audit table): Morpho Blue V1 core audited by Spearbit (Oct 2023), OpenZeppelin (Oct 2023), Cantina Contest (Nov–Dec 2023); MetaMorpho periphery audited by Spearbit (Nov 2023), OpenZeppelin (Nov 2023), Cantina Contest (Nov–Dec 2023); pre-liquidation periphery audited by Spearbit (Oct 2024), ABDK (Nov 2024); MetaMorpho V1.1 diff audited by Spearbit (Nov 2024), OpenZeppelin (Nov 2024); Public Allocator audited by Spearbit (Mar 2024); Vault V2 audited by Spearbit (May, Aug, Nov 2025), ChainSecurity (Sep 2025), Blackthorn (Sep, Dec 2025), Zellic (Jul 2025), Cantina Contest (Jul 2025), Certora (Dec 2025). Certora formal verification also applied to core and IRM math.
    V4
    Auditors confirmed to be broadly recognized: Spearbit (tier-1), OpenZeppelin (tier-1), Certora (formal verification specialist), ChainSecurity (recognized), Zellic (recognized), ABDK Consulting (recognized). All firms are on the recognized list in the rubric.
    V5
    Morpho Blue core (v1.0.0) and Adaptive Curve IRM (v1.0.0) are explicitly described as immutable — no post-deployment code changes are possible for these fund-custody contracts. For Vault V2 (the upgradeable-by-design curator vault layer), audits by Spearbit, ChainSecurity, Zellic, Blackthorn, and Certora were conducted in 2025 covering the currently-deployed codebase. No material drift between audit scope and deployed code is documented; a bytecode diff was not performed in this run.
    V6
    The Morpho Blue core singleton returns proxy=null from the DeFiPunkd ABI API, confirming it is NOT a proxy — it is a non-upgradeable singleton. There is no implementation contract to separately verify. The ABI source is 'etherscan'. Peripheral contracts (MetaMorpho factories, VaultV2Factory) are factory-deployed clones whose source is verified at the factory level per the docs.
    Why is this consensus tentative?
    • weak consensus margin
    • only 0/3 sources have a public chat share link
    • total support weight 0.52 below confidence floor (1.5)

    A fresh independent run can strengthen (or overturn) the verdict.

    Run your own prompt Submit run ↗
    Sources claude-sonnet-4-6 (autorun) no url gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗
  2. Control tentative 3/3 models agree AI-only 0/3 with chat share link
    Immutable core (no upgrade/pause) owned by 5/9 multisig with no timelock; highest reachable tier is T2 (bounded fee switch ≤25%)
    Verdict

    Choosing orange because the 5/9 multisig directly controls T2 functions (fee switch, fee recipient, IRM/LLTV whitelisting) with zero on-chain timelock delay. While the immutable core means T1 is genuinely unreachable (no upgrade, no pause, no fund access), the multisig fails the Security Council standard (signer identities not publicly verified in fetched evidence) and sits on a T2 path with 0-second delay. Per the rubric, 'a multisig failing one or more Security Council criteria sits on a T1/T2 path' maps to orange. The green case is strong — the on-chain fee cap at 25% and absence of any fund-critical function make the blast radius genuinely limited — but the zero timelock and unverified signer independence prevent green.

    Steelman argument
    Steelman argument Despite the immutable core limiting blast radius to T2, the 5/9 multisig sits on the T2 path with zero on-chain timelock, fails full Security Council criteria (signer identities unverified), and Snapshot voting provides no on-chain enforcement.
    Evidence (7)
    C1
    Morpho Blue core singleton (0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb) owner() returns 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa, which is the 5/9 DAO governance multisig. The owner can call setOwner, setFee, setFeeRecipient, enableIrm, enableLltv. There is no pendingOwner, no admin, no governor, no proxy admin.
    C2
    Morpho Blue is an immutable (non-proxy) singleton contract. The surfacer page shows ABI source 'etherscan' with no proxy resolution. There is no upgradeToAndCall, no implementation slot, no proxy admin. The contract cannot be upgraded.
    C3
    Execution path: Snapshot off-chain vote → 5/9 multisig (0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa) → direct call to Morpho Blue. No timelock contract interposes. Uncontested fast-path delay = 0 seconds. The DAO Executor (0xcBa28b381748926701ed11F1702b210C04965C44) has no verified ABI and is NOT the current owner of the core contract; it appears to be a legacy/auxiliary contract.
    C4
    The 5/9 multisig has 9 signers: 0xe0aeb6811d33Df42A09066857CDaFca16b506086, 0x84D3E4EE550DD5F99e76a548aC59a6BE1C8dCf79, 0xC100c251bdD297A66795112f04356E6BA5f89D80, 0x264c86DBbD2E4165FbBf0C35b0ddf0e00AEc6b31, 0x30E7c016fC702cDe9A50720a469d418490b7b652, 0x8f02b4a44Eacd9b8eE7739aa0BA58833DD45d002, 0xCF263cEe139763114fAaFC5F52865135412F50Ec, 0x69FcEFDe2B48503d675181448B3D4272128bca9c, 0x13cA8756E9470b71B8e998352c8741706217f963. Threshold is 5 (56%). Gnosis Safe version 1.3.0. Signer identities (insider vs non-insider) could not be verified from fetched evidence.
    C5
    No on-chain governance contract (Governor/GovernorBravo/Aragon). Morpho uses Snapshot (off-chain) voting with 500k MORPHO proposal threshold. Per docs, voting period is 72 hours. Actions approved by Snapshot vote are then executed by the 5/9 multisig, which is the sole on-chain enforcement point.
    C6
    No emergency pause mechanism exists on the Morpho Blue core. The contract ABI contains no pause/unpause/paused function. Governance cannot halt market operations or freeze user withdrawals.
    C7
    Highest reachable tier: T2. The owner can call setFee (bounded by MAX_FEE ≤ 25% of borrower interest, enforced on-chain via require(newFee <= MAX_FEE)), setFeeRecipient (redirect protocol fees), enableIrm/enableLltv (whitelist new parameters for future market creation but cannot modify existing markets). The owner CANNOT: upgrade the contract, pause withdrawals, drain funds, change existing market oracles/LLTVs/IRMs. T1 is unreachable because the core is immutable and has no fund-critical admin functions.
    Why is this consensus tentative?
    • weak consensus margin
    • only 0/3 sources have a public chat share link
    • total support weight 0.44 below confidence floor (1.5)

    A fresh independent run can strengthen (or overturn) the verdict.

    Run your own prompt Submit run ↗
    Sources claude-opus-4-6 (autorun) no url gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗
  3. Ability to exit tentative 3/3 models agree AI-only 0/3 with chat share link
    Fully permissionless exit with no pause mechanism or admin controls on withdrawal functions
    Verdict

    Choosing green because Morpho Blue is an immutable contract with no pause guards on any exit function (withdraw, withdrawCollateral, repay), no upgrade mechanism that could introduce pause controls, and limited governance powers that explicitly cannot block user exits. The only constraint on withdrawal is market liquidity (totalBorrowAssets <= totalSupplyAssets), which is an economic rather than admin control. The 5-of-9 multisig owner can enable new IRMs/LLTVs and set fees up to 25%, but cannot pause markets or prevent users from withdrawing. This is the strongest exit guarantee possible in DeFi lending.

    Steelman argument
    Steelman argument Exits are permissionless, instantly executable on-chain, with no pause mechanism, no admin control over withdrawal functions, and an immutable contract that guarantees this property cannot change.
    Evidence (7)
    E1
    Three user-facing exit functions exist: withdraw() for lenders to redeem loan tokens, withdrawCollateral() for borrowers to reclaim collateral, and repay() for borrowers to exit debt positions. All are public external functions with no restrictive modifiers.
    E2
    The withdraw(), withdrawCollateral(), and repay() functions contain zero pause guards. The only access control is _isSenderAuthorized() which checks msg.sender == onBehalf || isAuthorized[onBehalf][msg.sender], allowing users or their authorized delegates to exit. No admin, owner, or governance role can block these calls.
    E3
    The Morpho Blue core contract (0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb) has no pause mechanism. The source code contains no pause state variable, no whenNotPaused modifier, and no pause-related functions. The contract is immutable (not upgradeable), so no pause mechanism can be added post-deployment.
    E4
    No emergency vs governance pause distinction exists because no pause mechanism exists at all. The owner (5-of-9 multisig 0xcBa28b38103307Ec8dA98377ffF9816C164f9AFa) can call setOwner, enableIrm, enableLltv, setFee (capped at 25% MAX_FEE), and setFeeRecipient, but none of these functions affect user ability to exit.
    E5
    No queued redemption mechanism exists. Withdrawals are instant subject only to available liquidity. The withdraw function requires market[id].totalBorrowAssets <= market[id].totalSupplyAssets, meaning lenders can exit immediately if liquidity exists. No time delays, withdrawal caps, or queue system.
    E6
    No forced-exit or escape-hatch mechanism is needed because exits are already fully permissionless and cannot be blocked by admins. The immutable contract design guarantees this property permanently.
    E7
    All exit functions are directly callable on-chain without frontend dependency. The ABI is publicly verified on Etherscan, and users can call withdraw, withdrawCollateral, or repay via any Ethereum wallet, block explorer write interface, or direct contract interaction.
    Why is this consensus tentative?
    • only 0/3 sources have a public chat share link
    • total support weight 0.08 below confidence floor (1.5)

    A fresh independent run can strengthen (or overturn) the verdict.

    Run your own prompt Submit run ↗
    Sources claude-sonnet-4-5 (autorun) no url gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗
  4. Autonomy 2/3 models submitted
    Red: unmitigated per-market oracle/IRM/token failures can lose principal; impacted TVS up to ~100% of an affected market/vault
    Tentative grades
    • gpt-5.5 red
    • gemini-3-flash-preview green

    No quorum yet — verdict and steelman hidden until ≥3 models agree.

    Evidence (15)
    A1
    Morpho Blue markets are parameterized by loanToken, collateralToken, oracle, irm, and lltv; the core contract calls ERC20 transfer/transferFrom, calls IIrm.borrowRate during market creation/accrual, and calls IOracle.price for borrow health checks, collateral withdrawal health checks, and liquidations. If a market token reverts/misbehaves, an IRM reverts/returns an extreme rate, or an oracle misprices/reverts, that market can become stuck, accrue incorrectly, create bad debt, or liquidate/seize collateral incorrectly.
    A2
    No protocol-level reporter committee is present in the Morpho Blue or MetaMorpho source inspected; reporting risk is inherited from each market's chosen oracle contract/provider rather than from a Morpho-operated committee.
    A3
    The inspected core and vault source does not implement a bridge or cross-chain messaging path for a required user flow; deployments on non-Ethereum chains appear to be independent protocol instances rather than bridged accounting for one shared pool.
    A4
    Nested collateral and receipt-token risk is per-market: Morpho accepts arbitrary ERC20 loan/collateral tokens subject to documented token/oracle/IRM assumptions, so an LST, LRT, ERC4626, or receipt-token failure propagates to users and vault allocations in that isolated market, not automatically to unrelated markets.
    A6
    Core Morpho Blue has no oracle fallback, second-opinion price check, or circuit breaker in the inspected code; the live mitigation is market isolation. MetaMorpho adds live code-level supply caps, timelocked cap increases, try/catch skipping of reverting markets on deposit/withdraw, and forced market removal, but forced removal explicitly writes off previously supplied funds and therefore is recovery for vault liveness, not principal preservation.
    A7
    Ethereum deployment has no additional sequencer dependency beyond the base chain; pinned non-Ethereum deployments on Base, Arbitrum, Polygon, Optimism, Unichain, and World Chain add chain-level liveness/sequencer assumptions that can freeze access without changing Morpho's own contract accounting.
    A8
    Liquidation is an external permissionless function, so no privileged keeper is required, but practical solvency depends on liquidators calling liquidate when positions become unhealthy; if nobody liquidates during adverse price moves, bad debt can remain in the affected market.
    A9
    Existing Morpho Blue market parameters are stored by market id and cannot be swapped for an already-created market; the owner can enable new IRMs and LLTVs for future markets, while MetaMorpho owner/curator roles can introduce a new market dependency into a vault by raising a cap after the vault timelock, and allocators can route among already-enabled capped markets.
    A1
    Morpho Blue core calls external Oracle and Interest Rate Model (IRM) contracts for each market. These are specified at market creation and are immutable for that market ID.
    A2
    Most markets rely on Chainlink or other oracle committees; however, the protocol is oracle-agnostic and does not mandate a specific provider at the core level.
    A3
    Deployments on Base, Arbitrum, and Optimism depend on canonical bridges for asset liveness (e.g., WSTETH, USDC).
    A6
    The core Morpho Blue contract is immutable and contains no global pause or circuit breaker; failure mitigation is handled through market isolation.
    A7
    L2 deployments (Base, Arbitrum, etc.) are subject to centralized sequencer risk for liveness, consistent with the underlying substrate.
    A8
    Liquidations are permissionless and can be triggered by any off-chain actor via the 'liquidate' function, ensuring no dependency on a privileged keeper set.
    A9
    The Morpho Blue core is immutable; while the DAO can enable new IRMs or LLTVs, it cannot modify the parameters (including oracles) of existing markets.
    Why is this slice uncertain?
    • only 2 of 3 model submissions on record — quorum requires ≥3 agreeing models
    • submitted models do not yet agree on a single grade

    A fresh independent run can establish (or overturn) a verdict.

    Run your own prompt Submit run ↗
    Sources gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗
  5. Open Access 2/3 models submitted
    Core contracts admit users directly, but official metadata contains country-based market blacklists.
    Tentative grades
    • gpt-5.5 orange
    • gemini-3-flash-preview green

    No quorum yet — verdict and steelman hidden until ≥3 models agree.

    Evidence (14)
    A1
    Morpho Blue core user entry/exit functions are external direct calls, and the checked source had no matches for onlyWhitelisted, onlyRole, allowlist, isAccredited, or isKYCed; MetaMorpho vault deposit, mint, withdraw, and redeem are public ERC-4626 functions, while role modifiers govern vault management rather than depositor admission.
    A2
    Core supply, repay, supplyCollateral, liquidate, and flashLoan do not require an off-chain operator to admit the transaction; withdraw, borrow, and withdrawCollateral require the caller to be the position owner or an address authorized by that owner, and borrow/withdrawCollateral use onchain health checks rather than a relayer approval path.
    A3
    The official Terms of Use contain passive eligibility, sanctions, restricted-territory, and VPN-circumvention restrictions, while the official metadata repository states that the API data controls country-based market blacklists and the current markets-blacklist file includes US/GB and global entries for specific market IDs.
    A3b
    Morpho documents direct contract-level access through block explorers if the interface is unavailable, and public explorers expose Read Contract and Write Contract tabs for the deployed Morpho contract; those paths bypass the official website but are technical compared with the hosted app.
    A4
    The reviewed Morpho.sol and MetaMorpho.sol source did not show an onchain sanctions oracle, OFAC list, user blocklist, or admin-updatable address blacklist in the user-facing admission paths.
    A5
    Read access is public through verified explorer pages, public Solidity getters, and extSloads; write access to core supply/borrow/repay/withdraw/collateral/liquidation/flash-loan functions and vault deposit/mint/withdraw/redeem functions is contract-direct, subject to balances, liquidity, health checks, and user-granted authorization rather than KYC.
    A6
    The Terms of Use define the official Apps as Morpho Association interfaces for reading information from and submitting transactions to Morpho Protocols, and include restricted-territory and sanctions eligibility language.
    A1
    The core Morpho Blue contract (Morpho.sol) contains no whitelist or allowlist modifiers on user-facing functions including supply, withdraw, borrow, repay, liquidate, and createMarket. All these functions are marked as external and lack access control restrictions for general users.
    A2
    Admission to the protocol is entirely on-chain and permissionless; no off-chain operators, keepers, or sequencers are required to approve or admit user actions. Users interact directly with the immutable singleton contract.
    A3
    The official interface (app.morpho.org) enforces A3-active restrictions. The Terms of Service explicitly state the use of geo-blocking technology to restrict access from the United States and other jurisdictions.
    A3b-ii
    Multiple independent, third-party access paths exist that are not bound by the official Morpho ToS. These include the cp0x pi-morpho-interface (morpho.cp0x.com), which is open-source and operated by a separate entity, as well as integrations by DeFi Saver and Instadapp.
    A4
    The Morpho Blue core contract does not implement any on-chain sanctions blocklists or compliance screening logic (e.g., no integration with Chainalysis or OFAC oracle at the contract level).
    A5
    Both read access (state inspection) and write access (transaction execution) are permissionless at the contract level. Anyone can query market state or execute core lending functions without prior authorization.
    A6
    The Morpho Terms of Service (Section 3) state: 'You are not a person or entity who is a resident of, or is located, incorporated or has a registered office in... the United States of America... We use geo-blocking technology to prevent access to the Interface from Restricted Jurisdictions.'
    Why is this slice uncertain?
    • only 2 of 3 model submissions on record — quorum requires ≥3 agreeing models
    • submitted models do not yet agree on a single grade

    A fresh independent run can establish (or overturn) a verdict.

    Run your own prompt Submit run ↗
    Sources gpt-5.5 no url gemini-3-flash-preview no url View raw submissions ↗

Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Morpho Blue has not yet been assessed under the DeFiScan v2 stage framework.
The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.
Scope of assessment
Stages are assessed per-protocol against DeFiScan v2's criteria: governance structure, upgradeability path, timelock durations, emergency-council scope, and the walkaway test. The analysis depends on onchain discovery (roles, owners, timelocks) and deeper review of deployed contracts — neither of which DeFiPunk'd automates at Phase 0.
Stage 0 requirements pending
Governance is largely off-chain, contracts are upgradeable with short or no timelock, and the protocol depends on a multisig or team with full discretion. At Phase 0 DeFiPunk'd does not automatically evaluate these; the assessment lands with crawler-based onchain discovery.
Stage 1 requirements pending
Users can exit or opt out on their own terms even if the team disappears. Upgrades run through a meaningful timelock with an emergency security council clearly scoped. The walkaway test is the headline criterion.
Stage 2 requirements pending
Protocol is fully permissionless and immutable, or upgrades require a supermajority of token holders with a long timelock and no emergency override. This is the terminal stage of the DeFiScan v2 framework.
Learn more about DeFiScan v2 stages →
Stages are an opinionated assessment of maturity, not a rating of security or safety. A protocol can sit at Stage 2 and still carry substantial technical or economic risk; the framework exists to incentivize decentralization, not to rank protocols.

Contract surface

Every contract in scope for this protocol — pooled from DeFiLlama's TVL adapter (mechanical) and DEFI@home discovery submissions (LLM-curated). Verified-source flags come from Etherscan + Sourcify; owner / multisig metadata is read on-chain when available. Reviewer audit context, not a slice score. A lending protocol's adapter set will list third-party collateral tokens alongside its own contracts; attribution is the grader's job.

  • 108addresses
  • 19verified source
  • 4proxies
  • 7of 10 owners are Safes

TVL adapter pinned at 683d369. Sourcecode fetched 2026-05-06. Control fetched 2026-05-07.

abstractmorphoBlue0xc85c…8b55TVL
arbitrumUUPSProxy0x0107…4ed3TVLproxy
arbitrumTransparentUpgradeableProxy0xf8b3…6b57TVLproxy0x44cb…76bc
arbitrumMorpho0x6c24…8f5eTVL0xfd35…d9b25/9 Safe
baseMorphoChainlinkOracleV2Factory0x2dc2…bd3dTVL
baseAdaptiveCurveIrm0x4641…2687TVL
base0x5e33…db15TVL
base0x6ee1…08c3TVL
base0xadcd…3d8aTVL
base0xadcd…3d8eTVL
base0xcb32…22faTVL
baseGMORPHO0xda1c…0ccdTVL
baseMorpho0xbbbb…ffcbTVL
baseFiatTokenProxy0x8335…2913TVLproxy
Basemultisig (DAO governance on Base, 5/9)0xcba2…9afadiscoverymultisig
Basemultisig (rewards on Base, 3/5)0x5eb9…3297discoverymultisig
bscMorpho0x01b0…a83aTVL
btnxmorphoBlue0x8183…beadTVL
btrmorphoBlue0xaea7…31c6TVL
celoMorpho0xd24e…a569TVL0xf9d3…32c95/9 Safe
citreamorphoBlue0x99d3…aeb8TVL
cornmorphoBlue0xc2b1…dd90TVL
ethereum0x8413…bc83TVL
ethereum0x84b7…5a9bTVL
ethereumMorpho0xbbbb…ffcbTVL + disc0xcba2…9afa5/9 Safe
Ethereumadmin (DAO Executor, role unverified on-chain)0xcba2…5c44discoverygovernance
Ethereumfactory (MetaMorpho Factory OLD)0xa9c3…1101discoveryfactory
Ethereumfactory (MetaMorpho Factory V1.1)0x1897…5c24discoveryfactory
Ethereumfactory (MorphoChainlinkOracleV2Factory)0x3a7b…d766discoveryfactory
Ethereumfactory (MorphoMarketV1AdapterV2Factory)0x32bb…ccc1discoveryfactory
Ethereumfactory (MorphoVaultV1AdapterFactory)0xd1b8…3394discoveryfactory
Ethereumfactory (PreLiquidation Factory)0x6ff3…3476discoveryfactory
Ethereumfactory (Universal Rewards Distributor Factory)0x9baa…7c8ddiscoveryfactory
Ethereumfactory (VaultV2Factory)0xa1d9…0405discoveryfactory
Ethereummultisig (DAO governance, 5/9)0xcba2…9afadiscoverymultisig
Ethereummultisig (rewards, 3/5)0xf057…b2e9discoverymultisig
Ethereumother (Adaptive Curve IRM)0x870a…00bcdiscovery
Ethereumother (Market Rewards Program Registry)0x5148…ce7ddiscoveryfactory
Ethereumother (MorphoOFTAdapter, LayerZero bridge)0x50d3…49d9discoverybridge
Ethereumother (MorphoRegistry)0x3696…364ediscovery
Ethereumother (Public Allocator)0xfd32…c75ddiscovery
Ethereumother (Rewards Emission Data / EmissionDataProvider)0xf27f…de8ediscovery
Ethereumother (Rewards Manager Proxy, TransparentUpgradeableProxy)0x7868…c80ddiscovery
Ethereumother (Universal Rewards Distributor)0x330e…1ddbdiscovery
Ethereumowner (Morpho Blue initial owner at deployment; current owner unverified)0x6abf…f6a2discovery
Ethereumrouter (AaveV2MigrationAdapter)0x4028…961bdiscoveryrouter
Ethereumrouter (AaveV2MigrationBundler)0xb3dc…8e76discoveryrouter
Ethereumrouter (AaveV3MigrationAdapter Core)0xb09e…d475discoveryrouter
Ethereumrouter (AaveV3MigrationAdapter EtherFi)0x4011…9ca3discoveryrouter
Ethereumrouter (AaveV3MigrationAdapter Prime)0x2cc8…b806discoveryrouter
Ethereumrouter (AaveV3MigrationBundler)0x98cc…9bdcdiscoveryrouter
Ethereumrouter (AaveV3OptimizerMigrationAdapter)0x9e2e…d972discoveryrouter
Ethereumrouter (AaveV3OptimizerMigrationBundler)0x16f3…2f9cdiscoveryrouter
Ethereumrouter (Bundler3)0x6566…0245discoveryrouter
Ethereumrouter (CompoundV2MigrationAdapter)0x9b89…1101discoveryrouter
Ethereumrouter (CompoundV2MigrationBundler)0x26bf…8647discoveryrouter
Ethereumrouter (CompoundV3MigrationAdapter)0xdba5…6773discoveryrouter
Ethereumrouter (CompoundV3MigrationBundler)0x3a0e…9558discoveryrouter
Ethereumrouter (ERC20WrapperAdapter)0xf83d…f962discoveryrouter
Ethereumrouter (EthereumBundler legacy)0xa799…5107discoveryrouter
Ethereumrouter (EthereumBundlerV2)0x4095…0077discoveryrouter
Ethereumrouter (EthereumGeneralAdapter1)0x4a6c…0ae0discoveryrouter
Ethereumrouter (ParaswapAdapter)0x03b5…c38fdiscoveryrouter
Ethereumtoken (Legacy MORPHO token)0x9994…0999discoverymultisig
Ethereumtoken (MORPHO ERC-20 proxy)0x58d9…c2b2discoverytoken
Ethereumtoken (MORPHO wrapper)0x9d03…5123discoverytoken
etlkmorphoBlue0xbce7…876eTVL
flaremorphoBlue0xf434…e8b0TVL
fraxtalMorpho0xa603…653bTVL0x4194…4917
hemimorphoBlue0xa4ca…1f42TVL
hyperliquid0x66a1…e110TVL
hyperliquidmorphoBlue0x68e3…57cdTVL
inkmorphoBlue0x857f…3042TVL
katanamorphoBlue0xd50f…8abcTVL
lineaMorpho0x6b0d…2c9fTVL0x9131…e4545/9 Safe
liskmorphoBlue0x00cd…7bf8TVL
modemorphoBlue0xd85c…0564TVL
monadmorphoBlue0xd5d9…eaeeTVL
optimismMorpho0xce95…af92TVL
optimismOssifiableProxy0x1f32…4ebbTVLproxy
plume_mainnetmorphoBlue0x42b1…0bb5TVL
polygon0x12fd…44d2TVL
polygon0x2faa…1d35TVL
polygon0x316c…d08fTVL
polygon0x338a…4387TVL
polygon0x365a…a6bdTVL
polygon0x45d4…8da9TVL
polygon0x8a87…d02fTVL
polygon0xa39c…9719TVL
polygon0xaffc…9dfdTVL
polygon0xc69e…215bTVL
polygon0xc705…9633TVL
polygon0xc7a3…aab7TVL
polygon0xd59a…093eTVL
polygon0xf14c…fb44TVL
polygonMorpho0x1bf0…5f67TVL0x9200…aaa45/9 Safe
scrollmorphoBlue0x2d01…5a55TVL
seimorphoBlue0xc9cd…094cTVL
soneiummorphoBlue0xe75f…a53aTVL
sonicMorpho0xd6c9…a95fTVL0xaafc…859d
stablemorphoBlue0xa401…102eTVL
stableUSDT00x779d…3736TVL
tacmorphoBlue0x918b…d35cTVL
tempomorphoBlue0x10ee…8f97TVL
unichainMorpho0x8f5a…140aTVL0xee2e…b3725/9 Safe
wcmorphoBlue0xe741…f432TVL
xdaiMorpho0xb74d…1c66TVL0xfc3b…13d85/9 Safe
zircuitmorphoBlue0xa902…a5c8TVL

Protocol Info

Links

[defillama] Source: DeFiLlama [:] Source: DEFI@home quorum
Website
https://morpho.org
Twitter
@Morpho
GitHub
9 repositories
Docs
https://docs.morpho.org/
Governance forum
https://forum.morpho.org/
DefiScan
DefiScan · Stage 1

Security

[:] Source: DEFI@home quorum
Audits
12 audits
Bug bounty
https://cantina.xyz/bounties/35a5f0a1-2ffd-432c-8f3b-77d169add8c3
Security contact
security@morpho.org

Technical

[:] Source: DEFI@home quorum
Voting token
MORPHO Ethereum: 0x58D97B57BB95320F9a05dC918Aef65434969c2B2
Deployed contracts
https://docs.morpho.org/get-started/resources/addresses
Upgradeability
Mixed (some immutable, some upgradeable)

Provenance

[defillama] Source: DeFiLlama [:] Source: DEFI@home quorum
Review status
listed
Updated
2026-06-02 13:51 UTC