
Morpho App Incident: April 10, 2025

Incident Summary

  • On April 10, 2025, the Morpho team pushed an update to the Morpho App containing a configuration error, which led to token approvals being incorrectly given to the Bundler3 contract instead of its adapters.
  • One user’s bundled transaction was front-run by an MEV bot operated by a whitehat (c0ffeebabe.eth), who has since returned the funds.
  • The user was able to identify the issue with the help of their security partners, Fuzzland & Trail of Bits, and alerted the Morpho team.
  • The Morpho team immediately rolled back the front-end update, eliminating the risk and restoring the safe use of the Morpho App.
  • No additional actions were required by users.
  • All Morpho smart contracts are safe and were not affected.

Context

The Morpho App integrates a ‘Bundler’ contract that allows users to execute multiple operations in a single transaction. This enables significant user experience improvements, such as combining several supply transactions, or performing a swap, wrap, and deposit in one transaction.

Prior to the incident, the Morpho App used Bundler2, which enforced access controls directly within its core contract. The team planned to switch to Bundler3, the latest version of the Bundler, which moves those restrictions into a more flexible adapter architecture to support a broader range of bundled transactions.

So that users can safely grant them token approvals, adapters can restrict certain function calls based on the initiator of the current bundle, which Bundler3 records. For instance, an adapter that holds token approvals should only call token.transferFrom with `from` set to the address that initiated the bundle, so that a bundle submitted by anyone else can never spend those approvals.

More on the Bundler3 here.

Cause & Events

On April 10, 2025, the Morpho team pushed an update to the Morpho App to switch the transaction logic from Bundler2 to Bundler3.

Shortly after, a user submitted a bundled transaction through the Morpho App. Before it executed, the approval it relied on was consumed by a front-running transaction from a wallet belonging to a whitehat MEV bot (c0ffeebabe.eth), who has since returned the funds.

The user, with the help of their security partners, Fuzzland & Trail of Bits, quickly identified the misconfiguration in the Morpho App and contacted the Morpho team via Spearbit and SEAL911.

Within four minutes of receiving the alert, the Morpho team rolled back the recent front-end update, eliminating the risk and restoring safe interactions with the Morpho App.

Because the app requested approvals only for the exact amount each bundle needed, every approval granted to Bundler3 during this window had already been consumed by the bundle that followed it. No outstanding approvals remained, and no further funds were at risk.

Root Issue

The SDK version shipped in the update had been misconfigured to direct token approvals (limited to the exact amount required for each transaction) to the Bundler3 contract rather than to the respective adapters.

Approvals must be given to the adapter, never to Bundler3. Adapters restrict sensitive calls based on the bundle’s initiator; the Bundler3 contract itself was intentionally designed without this restriction, since it simply executes the calls it is given.

As a result, an approval granted to Bundler3 can be spent by anyone: an attacker watching the mempool can front-run the user’s bundle with their own bundle that instructs Bundler3 to call transferFrom on the approved tokens, as occurred in this incident.
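To make the mechanism concrete, here is an added TypeScript model of the two spender choices described above. It is written for this page and is not the Morpho contracts or SDK: it simulates a minimal ERC-20, a Bundler3 that records the initiator and executes arbitrary calls as itself, and an adapter that only pulls tokens from the initiator. The names Bundler3, GeneralAdapter, initiator and erc20TransferFrom are assumed to mirror the real contracts; addresses and amounts are toy values.

```typescript
// Constructed TypeScript model of the trust relationship the post describes: who can
// spend a token approval when the spender is an adapter versus Bundler3 itself. Not the
// Morpho contracts: names (Bundler3, GeneralAdapter, initiator, erc20TransferFrom) are
// assumed to mirror them, and amounts are plain numbers.

type Address = string;

// Minimal ERC-20 ledger. In transferFrom, `spender` plays the role of Solidity's msg.sender.
class Token {
  private balances: Record<Address, number> = {};
  private allowances: Record<string, number> = {};
  constructor(initial: Record<Address, number>) {
    for (const owner of Object.keys(initial)) this.balances[owner] = initial[owner];
  }
  balanceOf(owner: Address): number { return this.balances[owner] ?? 0; }
  allowance(owner: Address, spender: Address): number { return this.allowances[`${owner}:${spender}`] ?? 0; }
  approve(owner: Address, spender: Address, amount: number): void { this.allowances[`${owner}:${spender}`] = amount; }
  transferFrom(spender: Address, from: Address, to: Address, amount: number): void {
    const allowed = this.allowance(from, spender);
    if (allowed < amount) throw new Error("ERC20: insufficient allowance");
    if (this.balanceOf(from) < amount) throw new Error("ERC20: insufficient balance");
    this.allowances[`${from}:${spender}`] = allowed - amount;
    this.balances[from] = this.balanceOf(from) - amount;
    this.balances[to] = this.balanceOf(to) + amount;
  }
}

// One call in a bundle; it receives the msg.sender the target sees (Bundler3's address).
type Call = (msgSender: Address) => void;

// Bundler3 model: records the initiator (whoever called multicall) and executes arbitrary
// calls as itself, with no initiator-based restriction of its own.
class Bundler3 {
  readonly address: Address;
  private currentInitiator: Address | null = null;
  constructor(address: Address) { this.address = address; }
  initiator(): Address {
    if (this.currentInitiator === null) throw new Error("Bundler3: no active bundle");
    return this.currentInitiator;
  }
  multicall(msgSender: Address, bundle: Call[]): void {
    this.currentInitiator = msgSender;
    try { for (const call of bundle) call(this.address); } finally { this.currentInitiator = null; }
  }
}

// Adapter model: callable only by Bundler3, and it always pulls tokens from the bundle's
// initiator, so an approval to it only moves the approver's tokens in bundles the approver started.
class GeneralAdapter {
  readonly address: Address;
  private readonly bundler3: Bundler3;
  constructor(address: Address, bundler3: Bundler3) { this.address = address; this.bundler3 = bundler3; }
  erc20TransferFrom(msgSender: Address, token: Token, receiver: Address, amount: number): void {
    if (msgSender !== this.bundler3.address) throw new Error("Adapter: unauthorized sender");
    token.transferFrom(this.address, this.bundler3.initiator(), receiver, amount);
  }
}

const USER = "0xuser";
const ATTACKER = "0xattacker";

// Deploy the toy system; the user approves 100 tokens to the chosen spender.
function setup(spender: "adapter" | "bundler3") {
  const bundler3 = new Bundler3("0xbundler3");
  const adapter = new GeneralAdapter("0xadapter", bundler3);
  const token = new Token({ [USER]: 100 });
  token.approve(USER, spender === "adapter" ? adapter.address : bundler3.address, 100);
  return { bundler3, adapter, token };
}

// Intended flow: approve the adapter, then start a bundle in which the adapter pulls the
// approved tokens to a receiver. Returns the receiver's balance.
function honestBundle(): number {
  const { bundler3, adapter, token } = setup("adapter");
  const receiver = "0xvault";
  bundler3.multicall(USER, [(sender) => adapter.erc20TransferFrom(sender, token, receiver, 100)]);
  return token.balanceOf(receiver);
}

// Front-run: the user's approve has landed but their bundle has not. The attacker submits
// their own bundle through Bundler3 and tries every route to the approved tokens.
// Returns the attacker's final balance.
function frontRunAttempt(spender: "adapter" | "bundler3"): number {
  const { bundler3, adapter, token } = setup(spender);
  const routes: Call[] = [
    // Route A: have Bundler3 itself call token.transferFrom(user, attacker).
    (sender) => token.transferFrom(sender, USER, ATTACKER, 100),
    // Route B: go through the adapter, which pulls from the initiator, i.e. the attacker.
    (sender) => adapter.erc20TransferFrom(sender, token, ATTACKER, 100),
  ];
  for (const route of routes) {
    try { bundler3.multicall(ATTACKER, [route]); } catch { /* reverted: route blocked */ }
  }
  return token.balanceOf(ATTACKER);
}
```

`frontRunAttempt("bundler3")` returns 100: the attacker’s bundle makes Bundler3 call transferFrom against the user’s approval, and nothing in Bundler3 checks who started the bundle. `frontRunAttempt("adapter")` returns 0: Bundler3 holds no allowance for Route A, and in Route B the adapter pulls from the initiator, who is the attacker. `honestBundle()` returns 100, the intended flow.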

Scope of Impact

Only one transaction was front-run between the time Bundler3’s integration went live and when it was subsequently rolled back.

The sole transaction was intercepted by a whitehat (c0ffeebabe.eth) who has since returned the funds to the user and received a bounty.

No funds were lost.

Retrospective & Actions

At Morpho, our core development principle is ‘Security above all else,’ and we have previously shared our comprehensive security framework. We are disappointed by these events as this incident falls short of our standards and should never have occurred. Nonetheless, we remain committed to the highest security standards and will use this incident as an opportunity to strengthen our processes to prevent any issues in the future.

Following our initial reviews of the events, which will not be the last, we have already implemented or performed:

  • A fix for the misconfiguration across the following SDK versions:
    • @morpho-org/bundler-sdk-viem@3.0.0-next.14
    • @morpho-org/blue-sdk-viem@3.0.0-next.6
    • @morpho-org/blue-sdk-ethers@3.0.0-next.4
  • A comprehensive cross-team review of all SDK configurations and approval flows to ensure no similar gaps exist.

Longer term, we plan to:

  • Strengthen our offchain code review process and enhance our offchain security measures, especially for all code in transaction flows: increase the number of reviewers, never ship pre-release code to production, and add more tests covering token transfers.
  • Monitor all approvals executed against the bundler to detect any misuse of Bundler3, even when not using our SDK.
  • Modify the SDK to prevent any direct approvals to Bundler3.
  • Commission an external audit of the SDKs.
  • Extend our smart contract security framework to include our offchain stack.
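As an added illustration of two of the controls listed above, monitoring approvals executed against Bundler3 and preventing the SDK from ever producing such an approval, here is example TypeScript written for this page; it is not the Morpho SDK’s code. It decodes raw approve(address,uint256) calldata to check the spender before a bundle is sent, and filters ERC-20 Approval logs for any spender equal to Bundler3, whatever frontend produced them. The addresses, adapter allow-list, sample bundle and sample logs are constructed placeholders.

```typescript
// Constructed example of the two offchain controls listed above, written for this page and
// not taken from the Morpho SDK: a pre-send guard that rejects any bundle approving Bundler3
// (or an unknown spender), and a log monitor that flags onchain Approval events whose spender
// is Bundler3, regardless of which frontend produced them. All addresses are placeholders,
// and the adapter allow-list is an assumed deployment configuration.

type Hex = string;

interface RawCall { to: Hex; data: Hex; }
interface Log { address: Hex; topics: Hex[]; data: Hex; }
interface Deployment { bundler3: Hex; adapters: Hex[]; }

const APPROVE_SELECTOR = "0x095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"; // keccak256("Approval(address,address,uint256)")

// Left-pad a hex string (with or without 0x) to a 32-byte ABI word, returned without 0x.
function pad64(hex: string): string {
  let out = hex.slice(0, 2) === "0x" ? hex.slice(2) : hex;
  while (out.length < 64) out = "0" + out;
  return out.toLowerCase();
}
// The address encoded in a 32-byte word (its last 20 bytes), in lowercase 0x form.
function wordToAddress(word: string): Hex {
  const w = pad64(word);
  if (w.length !== 64) throw new Error("expected a 32-byte word");
  return "0x" + w.slice(24);
}
// Decode approve(spender, amount) calldata; null for anything that is not a well-formed approve.
function decodeApprove(data: Hex): { spender: Hex; amount: Hex } | null {
  const hex = data.toLowerCase();
  if (hex.slice(0, 10) !== APPROVE_SELECTOR || hex.length !== 10 + 2 * 64) return null;
  const amount = hex.slice(74).replace(/^0+/, "");
  return { spender: wordToAddress(hex.slice(10, 74)), amount: "0x" + (amount || "0") };
}

// Pre-send guard (SDK side): every approve in the bundle must target a known adapter.
// Returns one message per offending call; an empty array means the bundle may be sent.
function checkBundleApprovals(bundle: RawCall[], dep: Deployment): string[] {
  const bundler3 = dep.bundler3.toLowerCase();
  const adapters = dep.adapters.map((a) => a.toLowerCase());
  const problems: string[] = [];
  bundle.forEach((call, i) => {
    const approve = decodeApprove(call.data);
    if (approve === null) return;
    if (approve.spender === bundler3) {
      problems.push(`call ${i}: approve(${approve.spender}, ${approve.amount}) targets Bundler3 itself`);
    } else if (adapters.indexOf(approve.spender) === -1) {
      problems.push(`call ${i}: approve(${approve.spender}, ${approve.amount}) targets an unknown spender`);
    }
  });
  return problems;
}

// Onchain monitor: ERC-20 Approval logs carry owner and spender as indexed topics, so an
// approval to Bundler3 from any source shows up as topics[2] equal to Bundler3's address.
function approvalsToBundler3(logs: Log[], bundler3: Hex): { token: Hex; owner: Hex }[] {
  const target = bundler3.toLowerCase();
  const hits: { token: Hex; owner: Hex }[] = [];
  for (const log of logs) {
    if (log.topics.length !== 3 || log.topics[0].toLowerCase() !== APPROVAL_TOPIC) continue;
    if (wordToAddress(log.topics[2]) !== target) continue;
    hits.push({ token: log.address.toLowerCase(), owner: wordToAddress(log.topics[1]) });
  }
  return hits;
}

// Constructed sample data: placeholder addresses, not real deployments.
const BUNDLER3 = wordToAddress("b3b3");
const ADAPTER = wordToAddress("ada1");
const TOKEN = wordToAddress("70c1");
const OWNER = wordToAddress("a11ce");
const DEPLOYMENT: Deployment = { bundler3: BUNDLER3, adapters: [ADAPTER] };

function approveCalldata(spender: Hex, amountHex: string): Hex {
  return APPROVE_SELECTOR + pad64(spender) + pad64(amountHex);
}

const SAMPLE_BUNDLE: RawCall[] = [
  { to: TOKEN, data: approveCalldata(ADAPTER, "64") },  // correct: approve the adapter for 100
  { to: TOKEN, data: approveCalldata(BUNDLER3, "64") }, // the misconfiguration: approve Bundler3
  { to: BUNDLER3, data: "0xdeadbeef" },                 // unrelated call, ignored by the guard
];
const SAMPLE_LOGS: Log[] = [
  { address: TOKEN, topics: [APPROVAL_TOPIC, "0x" + pad64(OWNER), "0x" + pad64(BUNDLER3)], data: "0x" + pad64("64") },
  { address: TOKEN, topics: [APPROVAL_TOPIC, "0x" + pad64(OWNER), "0x" + pad64(ADAPTER)], data: "0x" + pad64("64") },
];

// Entry points returning the results for the sample data.
function sampleGuardProblems(): string[] { return checkBundleApprovals(SAMPLE_BUNDLE, DEPLOYMENT); }
function sampleMonitorHits(): { token: Hex; owner: Hex }[] { return approvalsToBundler3(SAMPLE_LOGS, BUNDLER3); }
```

On the sample bundle the guard flags only call 1 (the approve to Bundler3), and the monitor flags only the log whose spender topic is Bundler3. The guard works on raw calldata rather than on the SDK’s own operation objects, so it can sit as a last check immediately before signing, independent of how the bundle was assembled.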

Acknowledgments

Finally, we’re grateful to c0ffeebabe.eth, who secured and returned the affected transaction, and the user, Fuzzland, Trail of Bits, SEAL911, and Spearbit, who helped identify and address the issue.