$2 601 000 USD

APRIL 2025

GLOBAL

MORPHO LABS

DESCRIPTION OF EVENTS

Morpho is a decentralized lending platform that offers open infrastructure for onchain loans, enabling users and businesses to connect to a highly trusted lending network. With over $9.5 billion in total deposits and more than $3.3 billion in active loans, Morpho serves as a major hub in the DeFi ecosystem, powering lending and borrowing across a wide range of integrated protocols and platforms like Aave, Compound, and many more.


Users can earn by putting their crypto assets to work or borrow by providing collateral, accessing liquidity for a variety of assets. Beyond individual users, Morpho provides specialized tools for curators and businesses, allowing them to optimize yield, risk, and liquidity or even build customized lending use cases using Morpho’s modular and open infrastructure.


Security is a core principle of the platform, reflected in its minimal architecture, which reduces complexity and enhances trust. Morpho has undergone 25+ audits, runs a $2.5 million bug bounty program, and is formally verifiable, ensuring a high standard of code integrity and resilience.


Morpho is supported by leading names in the crypto and finance space, and offers rich resources, including data analytics and community engagement tools, making it a robust platform for both individual and institutional users.


Unfortunately, the Morpho front-end appears to have been compromised, which tricked at least one user into engaging in a wallet-draining transaction.


The issue came about due to a misconfiguration in the front-end SDK, introduced during an update intended to migrate transaction logic from Bundler2 to Bundler3. Bundler3 introduced a more modular adapter-based architecture to enable more flexible bundled transactions. However, the updated SDK mistakenly directed token approvals to the Bundler3 contract itself instead of the intended adapters. Since Bundler3 was not designed to enforce access controls (unlike its adapters), this opened a window for malicious actors to front-run transactions by monitoring token approvals in the mempool.


Shortly after the update went live, a user's bundled transaction was intercepted by a whitehat MEV bot operated by c0ffeebabe.eth, who front-ran the transaction and temporarily gained control of the user’s funds.


The root cause was the incorrect approval logic in the SDK, which permitted only minimal approvals (for exact transaction amounts) but to the wrong contract (Bundler3). This was enough to expose transactions to MEV attacks.
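As an added illustration, not Morpho's own SDK code, the TypeScript below contrasts an approval builder that accepts whatever spender it is handed (the shape that let the bundler address slip through) with one that enforces an adapter allowlist, and adds the kind of monitoring rule the team later described: flagging any on-chain Approval whose spender is the bundler. Every address, adapter name and event here is a hypothetical placeholder or constructed sample.

```typescript
// Added example, not Morpho SDK code. All addresses are hypothetical placeholders.
const BUNDLER3 = "0x00000000000000000000000000000000000000b3"; // stand-in for the bundler
const ADAPTERS: ReadonlySet<string> = new Set([
  "0x00000000000000000000000000000000000000a1", // hypothetical adapter A
  "0x00000000000000000000000000000000000000a2", // hypothetical adapter B
]);

interface ApprovalCall { token: string; spender: string; amount: bigint; }

// Unchecked shape: the spender is passed straight through, so a migration that
// substitutes the bundler for its adapter produces a valid-looking approval.
function buildApprovalUnchecked(token: string, spender: string, amount: bigint): ApprovalCall {
  return { token: token.toLowerCase(), spender: spender.toLowerCase(), amount };
}

// Hardened shape: refuse the access-control-free bundler outright, require an
// allowlisted adapter, and only ever approve a positive exact amount.
function buildApprovalChecked(token: string, spender: string, amount: bigint): ApprovalCall {
  const s = spender.toLowerCase();
  if (s === BUNDLER3) throw new Error("refusing approval to Bundler3: it enforces no access control");
  if (!ADAPTERS.has(s)) throw new Error(`spender ${s} is not an allowlisted adapter`);
  if (amount <= 0n) throw new Error("approval amount must be positive");
  return { token: token.toLowerCase(), spender: s, amount };
}

// A decoded ERC-20 Approval(owner, spender, value) event as an indexer would deliver it.
interface ApprovalEvent { txHash: string; owner: string; spender: string; value: bigint; }

// Monitoring rule: no legitimate SDK flow should grant the bundler an allowance,
// so any Approval naming it as spender is a misuse signal worth alerting on.
function findBundlerApprovals(events: ApprovalEvent[]): ApprovalEvent[] {
  return events.filter((e) => e.spender.toLowerCase() === BUNDLER3);
}

// Constructed sample events (not real chain data): one healthy adapter approval,
// one approval to the bundler that the rule must catch despite mixed-case hex.
const SAMPLE_EVENTS: ApprovalEvent[] = [
  { txHash: "0xaaa1", owner: "0x1111", spender: "0x00000000000000000000000000000000000000a1", value: 10n ** 18n },
  { txHash: "0xbbb2", owner: "0x2222", spender: "0x00000000000000000000000000000000000000B3", value: 1708n * 10n ** 18n },
];
```

Run against SAMPLE_EVENTS, findBundlerApprovals returns only the second event, while buildApprovalChecked rejects the same spender that buildApprovalUnchecked silently accepts.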


The attack appears to have sent 1,708.64280716451270409 ETH. Using the closing market price of $1,522.52 from April 10th, 2025, the total loss value comes to $2,601,442.85. The losses have been estimated as $2.6m USD by TenArmor.


It's reported that the user was able to identify the issue themselves, with assistance from the Fuzzland and Trail of Bits teams, and alerted the Morpho Labs team.


Fortunately, the whitehat returned the funds and cooperated with the Morpho team. The issue was quickly identified by the affected user in collaboration with security firms Fuzzland and Trail of Bits. They alerted Morpho via SEAL911 and Spearbit, prompting the team to roll back the front-end update within four minutes, neutralizing the risk. No additional user actions were required, and no smart contracts were compromised.


Morpho patched the SDKs, launched a full review of approval logic across their codebase, and committed to enhancing offchain security reviews, preventing approval to Bundler3, and submitting SDKs to external audits. The team acknowledged this as a serious lapse in their “security-first” philosophy and outlined a robust roadmap to reinforce their defenses moving forward.


The attack transaction appears to have been conducted by a front-runner nicknamed "coffeebabe". It is reported that they returned the funds following the attack.


As of their last update on this issue, the Morpho team was focused on strengthening their offchain security processes, particularly around code involved in transaction flows. This includes increasing the number of code reviewers, avoiding the use of pre-released code in production, implementing more extensive testing for token transfers, and modifying the SDK to prevent any token approvals to Bundler3. They also released plans to monitor all approvals made to the bundler for any misuse, conduct an external audit of the SDKs, and expand their smart contract security framework to encompass the offchain stack—ensuring a comprehensive and resilient security posture across the entire ecosystem.


Explore This Case Further On Our Wiki

Morpho experienced a front-end incident caused by a misconfigured SDK update during the transition from Bundler2 to Bundler3, which mistakenly directed token approvals to the Bundler3 contract rather than its adapters. This oversight left a bundled transaction vulnerable to front-running, which was exploited by a whitehat MEV bot (c0ffeebabe.eth) that temporarily drained approximately 1,708 ETH (valued at around $2.6 million). Thankfully, the whitehat returned the funds, and no smart contracts were compromised. The Morpho team responded swiftly by rolling back the update within four minutes, patching the SDKs, and launching a full review of their offchain approval flows. They have since committed to a series of security enhancements, including preventing approvals to Bundler3, increasing code review rigor, and subjecting their SDKs to external audits.

Sources And Further Reading


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.