SolidityScan
HACK ANALYSIS 2 min read

MorphoBlue Hack Analysis

MorphoBlue Hack Analysis

Overview:

On October 13, 2024, the Morpho PAXG/USDC market was exploited due to an oracle misconfiguration resulting in a total loss of 230k USD

Smart Contract Hack Overview:

Attacker address: 0x02DBE4

Attack Contract : 0x4095F0

Vulnerable contract: 0xBBBBBb

Attack Transaction: 0x256979

Fig:Attack Transaction

Decoding the Smart Contract Vulnerability:

  • An exploit targeting Morpho’s PAXG/USDC market led to a $230K loss, stemming from a misconfigured oracle that valued gold at an astronomical $2.6 trillion.
  • The exploit was possible due to a misconfigured oracle, which mistakenly set the price of gold far above its real market value. The issue likely arose because the deployer misunderstood Morpho’s decimal system.
  • After discovering the inflated gold price, the attacker deposited just $350 in PAXG and then withdrew $250K, taking advantage of the highly overvalued asset.
  • The oracle’s SCALE_FACTOR was incorrectly configured, causing a 12-decimal inflation in PAXG pricing. This resulted from failing to reconcile USDC’s 6 decimals with PAXG’s 18 decimals, leading to a massive overvaluation factor of 10¹².
Fig: The root cause of the vulnerability
  • Although the UI displayed accurate market prices, the backend oracle calculations went unchecked. Monitoring focused on reference prices rather than verifying the final oracle price post-calculation.

Mitigation and Best Practices:

  • While decentralized platforms like Morpho offer robust functionality, precise configuration is essential, especially for oracles. Continuous risk monitoring, including detecting deviations between market and reference prices, is crucial to prevent such exploits.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Our public audit reports can be found on https://github.com/Credshields/audit-reports . Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 225+ detections at SolidityScan.
Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

DeltaPrime Hack Analysis
vETH Token Hack Analysis