Morpho Protocol Market Oracle Price Exploit
Morpho protocol suffered an exploit on October 13, 2024, resulting in an estimated loss of approximately $230,000 at the time of writing. The Morpho PAXG/USDC market was exploited because of a misconfiguration in its oracle price setup: the decimals configured for the two tokens did not match the tokens' actual decimals, so the price calculated for the pair was wrong.
Overview
Attacker: https://etherscan.io/address/0x02DBE46169fDf6555F2A125eEe3dce49703b13f5
Vulnerable Contract: https://etherscan.io/address/0xBBBBBbbBBb9cC5e90e3b3Af64bdAF62C37EEFFCb
Transaction attack: https://etherscan.io/tx/0x256979ae169abb7fbbbbc14188742f4b9debf48b48ad5b5207cadcc99ccb493b
Exploit Analysis
Morpho protocol allows users to create markets and configure the price feed used by Morpho's oracle. When creating the PAXG/USDC market, the deployer misconfigured the decimals of both the base and the quote token as 8. These parameters are used to determine SCALE_FACTOR and to calculate the price of the pair.
The mistake lies in the difference between the decimals of USDC (6 decimals) and PAXG (18 decimals). Configuring both as 8 caused a 12-decimal inflation in the price, overvaluing PAXG by a factor of 10^12.
Realizing the misconfiguration, the attacker supplied $350 of PAXG as collateral to borrow 230,000 USDC.
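The following Python model reproduces the decimal arithmetic behind the incident: it is an added example, not Morpho's own oracle code. It assumes the Morpho Blue convention that an oracle price is a fixed-point integer scaled by 1e36 expressing how many quote-token base units one base-token base unit is worth, derived from a feed answer by a scale factor of 10^(36 + quoteDecimals - baseDecimals - feedDecimals); the feed decimals (8), the feed answer ($2,650 per PAXG), the LLTV and the token symbols are constructed for the example. The PAXG (18) and USDC (6) decimals are the real ERC20 values the page cites. The last function is the defender-side check that would have caught the misconfiguration before deployment: compare the decimals baked into the oracle against the tokens' own `decimals()`.

```python
"""Decimal-scaling model of a Morpho-style oracle (added example, not the
project's code). Assumed convention: oracle price = feed answer scaled by
10 ** (36 + quoteDecimals - baseDecimals - feedDecimals), so that
collateral_units * price / 1e36 gives the collateral value in quote units."""

ORACLE_PRICE_SCALE = 10 ** 36   # assumed 36-decimal fixed-point price scale
WAD = 10 ** 18                  # 1e18 fixed point, used for the LLTV ratio

# Real ERC20 decimals for the two tokens in the exploited market.
TOKEN_DECIMALS = {"PAXG": 18, "USDC": 6}
# Constructed feed facts for the example: an 8-decimal PAXG/USD answer of $2,650.
FEED_DECIMALS = 8
FEED_ANSWER = 2650 * 10 ** FEED_DECIMALS


def scale_exponent(base_decimals: int, quote_decimals: int,
                   feed_decimals: int = FEED_DECIMALS) -> int:
    """Exponent of the assumed SCALE_FACTOR for one base/quote configuration."""
    return 36 + quote_decimals - base_decimals - feed_decimals


def oracle_price(feed_answer: int, base_decimals: int, quote_decimals: int,
                 feed_decimals: int = FEED_DECIMALS) -> int:
    """Convert a feed answer into a 36-decimal oracle price for this config."""
    exp = scale_exponent(base_decimals, quote_decimals, feed_decimals)
    # A negative exponent means the feed has more precision than needed; the
    # configurations in this incident never reach that branch.
    return feed_answer * 10 ** exp if exp >= 0 else feed_answer // 10 ** (-exp)


def collateral_value(collateral_units: int, price: int) -> int:
    """Value of `collateral_units` of the base token, in quote-token base units."""
    return collateral_units * price // ORACLE_PRICE_SCALE


def max_borrow(collateral_units: int, price: int, lltv_wad: int) -> int:
    """Borrow cap in quote base units: collateral value times the LLTV ratio."""
    return collateral_value(collateral_units, price) * lltv_wad // WAD


def price_inflation(correct_cfg: tuple, wrong_cfg: tuple) -> int:
    """Factor by which a wrong (base, quote) decimal config inflates the price."""
    correct = oracle_price(FEED_ANSWER, *correct_cfg)
    wrong = oracle_price(FEED_ANSWER, *wrong_cfg)
    return wrong // correct


def check_oracle_decimals(base_symbol: str, quote_symbol: str,
                          configured_base: int, configured_quote: int) -> list:
    """Pre-deployment check: oracle decimals must equal the tokens' decimals().
    Returns a list of human-readable mismatches; empty means consistent."""
    problems = []
    for role, symbol, configured in (("base", base_symbol, configured_base),
                                     ("quote", quote_symbol, configured_quote)):
        actual = TOKEN_DECIMALS[symbol]   # stands in for an on-chain decimals() call
        if actual != configured:
            problems.append(f"{role} {symbol}: oracle configured {configured}, "
                            f"token reports {actual}")
    return problems


if __name__ == "__main__":
    one_paxg = 10 ** TOKEN_DECIMALS["PAXG"]
    lltv = 86 * WAD // 100                 # constructed LLTV of 86% for illustration
    good = oracle_price(FEED_ANSWER, 18, 6)   # correct PAXG/USDC decimals
    bad = oracle_price(FEED_ANSWER, 8, 8)     # the misconfiguration from the incident
    print("1 PAXG valued at (USDC):", collateral_value(one_paxg, good) / 10 ** 6)
    print("1 PAXG valued at (USDC), misconfigured:",
          collateral_value(one_paxg, bad) / 10 ** 6)
    print("inflation factor:", price_inflation((18, 6), (8, 8)))
    print("borrow cap on 1 PAXG, misconfigured (USDC):",
          max_borrow(one_paxg, bad, lltv) / 10 ** 6)
    print("sanity check:", check_oracle_decimals("PAXG", "USDC", 8, 8) or "ok")
```

With the correct decimals one PAXG is valued at 2,650 USDC; with both decimals set to 8 the same collateral is valued at 2.65e15 USDC, exactly 10^12 times more, which is why a few hundred dollars of PAXG could back a 230,000 USDC borrow. The check function reports both mismatches for the (8, 8) configuration and nothing for (18, 6).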
Lesson learned
Fetching correct asset prices from oracle networks is crucial for DeFi applications. With a growing number of oracle solutions available, each with unique configurations and specific use cases, developers must thoroughly understand and carefully integrate the chosen oracle. It is essential for DeFi developers to fully comprehend the oracle platform they plan to use, paying close attention to potential misconfigurations, particularly regarding asset decimals, to ensure accurate integration.
It is strongly recommended to conduct a security audit, whether it is a simple ERC20 contract with some minor changes or a complex DeFi protocol with hundreds of thousands of lines of code.