Securing Morpho Midnight

Protocol

Introduction

Morpho Midnight is designed with security as the number one priority, with a small set of explicit choices made before any line of code is written:

  • Simplicity
  • Immutability
  • Noncustodiality

This article covers the security principles behind Morpho Midnight and how the protocol is designed, built, formally verified, and audited.

The Morpho Principles

The three principles that govern every Morpho protocol in the design phase.

Simplicity

Morpho Midnight is 1100 lines of code. That is the entire protocol.

The base layer of Morpho Midnight is deliberately small. Traditional DeFi lending protocols have thousands of lines of code, and every extra line expands the attack surface. The most sophisticated attackers in the world continuously search for exploits at the smart contract layer. We keep the base layer narrow so there is nothing extra to attack.

Morpho Midnight includes the core primitives of a fixed-rate, fixed-maturity credit network, and nothing more. We optimized for a specification that is as simple as possible without losing generality, because a smaller spec is easier to secure.

Any specific use case is built on top of those primitives, and never affects the security of the base layer.

Immutability

All Morpho smart contracts are immutable and non-upgradable. Once deployed, no one can upgrade, pause, or alter them.

  • Continuous Lindy Effect. The longer a Morpho contract has been live without incident, the stronger its Lindy Effect grows. Upgradable contracts reset their Lindy Effect with every change.
  • Governance minimized. MORPHO token holders do not govern curation at the Morpho Market or Vaults layer, nor can anyone pause the protocol or remove markets. For Morpho Midnight, MORPHO token holders are restricted to very scoped actions: expanding the set of allowed LLTV and LIF values market creators can choose from, and activating protocol fees within the contract's immutable caps. Per-market parameters are immutable once chosen.

Noncustodiality

Custody exposes control risks of smart contracts.

As smart contract audits become more rigorous, the world's most sophisticated attackers have increasingly shifted their focus to the access-control layer of onchain infrastructure. Hacks in late 2025 and early 2026 highlighted that offchain compromises of custody access have become a new attack vector.

Morpho solves this problem by taking custody out of the picture altogether.

Morpho Blue, and now Morpho Midnight, smart contracts are immutable and completely unmanaged, with risk curation externalized via Morpho Vaults. Since the core logic of the protocol cannot be changed, the protocol has zero exposure to attacks on the access-control layer.

Design and Build: How These Principles Are Applied in Morpho Midnight

At Morpho, there is no separation between design and implementation. Both go hand in hand, and a single team is responsible for designing, testing and implementing the protocol. This ensures that everything is built with security in mind, right from the start.

Design

Every line of code had to earn its place: we kept a feature only when it could not be built on top cleanly, through clean abstractions.

  • Follow first principles. We don't follow other protocols. Every design decision starts from first principles, and the team challenges each one openly. The default answer to any feature is no, until someone demonstrates the protocol cannot meet its requirements without it.
  • Scope minimally by default. We scope the protocol minimally by default and aim for the 80/20: cover the core needs with as little complexity as possible. We do not treat modularity as an end in itself. Only components whose responsibilities and interfaces are narrow, explicit, and easy to reason about should be modularized. When boundaries are blurry and components rely on broad or subtle assumptions about one another, modularization can become leaky, add complexity, and ultimately weaken security.
  • Simplicity over optimization. Code complexity carries a real cost. There are always optimizations we could make, but most of the time the gain is not worth the cost to security and verifiability, especially for an immutable protocol. Simple code is code that humans can read, tools can verify, and tests can fully cover.
  • Long-term thinking. Morpho contracts are immutable. Once deployed, they have to work for years, regardless of how lending markets, oracles, or integrators evolve. Every design decision is made with that horizon in mind, not just for the present.

Continuous formal verification

Beyond standard tests such as unit tests, fuzzing, and AI scanning, Morpho runs extensive formal verification, a much stronger form of testing.

Formal verification uses mathematical methods to prove that a smart contract satisfies certain properties for every possible input, not just the ones a tester thinks to try. It helps uncover edge cases where assumptions break.

Formal verification tests are used during the design and build phase to ensure each line of code does exactly what it is supposed to do: no more, no less.

Formal verification is now common practice in DeFi. However, the work is often outsourced to third parties, such as Certora, without in-house capabilities. At Morpho, ownership of formal verification is internal. The engineers designing and developing the protocol also work on formal verification, ensuring that they have all the required context.

This is even more true for Morpho Midnight. From the start of development, Midnight has had:

  • Dedicated in-house engineers focused on formal verification.
  • Certora engineers working on Midnight specifically, continuously alongside the protocol team (not just as a one-off exercise after development).

Running verification alongside development surfaces issues while there is still time to redesign rather than patch. Beyond finding bugs, formal verification helps us understand and document the spec of the smart contract more deeply. Because Morpho Midnight is small, formal verification can cover the entire codebase.

View the verification of Morpho Midnight here.

Post-Build Phase: Audits

After the build phase, Morpho Midnight was put through overlapping layers of independent review and a public audit competition.

Reports for all audits can be found here.

External audits

Once internal testing concluded, Morpho Midnight was audited by several of the best auditors in the space.

So far, the protocol has been through four external audits, conducted by Spearbit, Stermi, Trust Security, and Blackthorn, each operating under its own threat model.

Public audit competition

After the private audits, Morpho Midnight went through a public audit competition on Cantina. The format puts the code in front of a much larger pool of security researchers, with up to $400,000 in prizes rewarding original findings.

In Conclusion

Morpho Midnight is secure by design.

Securing it started before a single line of code was written, with its design adhering to three core Morpho principles: simplicity, immutability, and noncustodiality.

Each of Midnight's 1100 lines of code had to justify its existence: continuously examined via formal verification, and tested by rounds of independent audits.

Stay up to date with Morpho