Morpho Labs Bundler3 Misconfiguration Drains User Wallet
Morpho experienced a front-end incident caused by a misconfigured SDK update during the transition from Bundler2 to Bundler3, which mistakenly directed token approvals to the Bundler3 contract rather than its adapters. This oversight left a bundled transaction vulnerable to front-running, which was exploited by a whitehat MEV bot (c0ffeebabe.eth) that temporarily drained approximately 1,708 ETH (valued at around $2.6 million). Thankfully, the whitehat returned the funds, and no smart contracts were compromised. The Morpho team responded swiftly by rolling back the update within four minutes, patching the SDKs, and launching a full review of their offchain approval flows. They have since committed to a series of security enhancements, including preventing approvals to Bundler3, increasing code review rigor, and subjecting their SDKs to external audits.[1][2][3][4][5][6][7][8][9][10]
About Morpho Labs
Morpho is a decentralized lending platform that offers open infrastructure for onchain loans, enabling users and businesses to connect to a highly trusted lending network. With over $9.5 billion in total deposits and more than $3.3 billion in active loans, Morpho serves as a major hub in the DeFi ecosystem, powering lending and borrowing across a wide range of integrated protocols and platforms like Aave, Compound, and many more.
Users can earn by putting their crypto assets to work or borrow by providing collateral, accessing liquidity for a variety of assets. Beyond individual users, Morpho provides specialized tools for curators and businesses, allowing them to optimize yield, risk, and liquidity or even build customized lending use cases using Morpho’s modular and open infrastructure.
Security is a core principle of the platform, reflected in its minimal architecture, which reduces complexity and enhances trust. Morpho has undergone 25+ audits, runs a $2.5 million bug bounty program, and is formally verifiable, ensuring a high standard of code integrity and resilience.
Morpho is supported by leading names in the crypto and finance space, and offers rich resources, including data analytics and community engagement tools, making it a robust platform for both individual and institutional users.
The Reality
Unfortunately, the Morpho front-end appears to have been compromised in a way that tricked at least one user into signing a wallet-draining transaction.
What Happened
A misconfiguration in Morpho’s front-end SDK caused token approvals to be sent to the wrong contract, exposing a user to a $2.6M front-running exploit.
Date | Event | Description |
---|---|---|
April 10th, 2025 5:48:59 PM MDT | Attack Transaction | The attack transaction is accepted by the Ethereum blockchain. |
April 10th, 2025 7:54:00 PM MDT | Front-End Fixed | Morpho Labs reports "3:54 AM CET" as the time when they became aware of incorrectly crafted transactions on the front-end of their application. They report the Twitter post as happening at "5:23 AM CET". |
April 10th, 2025 8:44:00 PM MDT | Front-End Fixed | Morpho Labs reports "4:44 AM CET" as the time when they fixed the front-end of the site. They report the Twitter post as happening at "5:23 AM CET". |
April 10th, 2025 9:23:00 PM MDT | Morpho Team Alerted | The Morpho team notes that they were alerted "yesterday" to an issue with the front-end of the site. They have reverted some changes. They will be providing a further update in the future. |
April 10th, 2025 10:27:00 PM MDT | TenArmor Tweet Posted | TenArmor posts a tweet update with details on the attack, attributing the total loss to be $2.6m. |
April 11th, 2025 7:17:00 AM MDT | Amnesia Scleroza Tweet | Amnesia Scleroza provided a comprehensive breakdown of a thwarted frontend exploit targeting ~$2.6M in stETH and WETH on Morpho. According to their analysis, while Morpho's core contracts remained untouched, a third-party frontend vendor was compromised, serving fake approval requests to users. A white hat (f=__=f) preemptively intercepted the attack using MEV techniques to secure funds. The analysis highlighted systemic risks, including vendor vulnerabilities, user trust in interfaces, and approval fatigue. Practical defenses and calls for transparency from Morpho were emphasized as key takeaways. |
April 17th, 2025 10:53:00 PM MDT | Detailed Recap Steps Forward | The Morpho Labs team releases "a detailed recap and steps forward" through their Medium page. |
Technical Details
The issue came about due to a misconfiguration in the front-end SDK, introduced during an update intended to migrate transaction logic from Bundler2 to Bundler3. Bundler3 introduced a more modular adapter-based architecture to enable more flexible bundled transactions. However, the updated SDK mistakenly directed token approvals to the Bundler3 contract itself instead of the intended adapters. Since Bundler3 was not designed to enforce access controls (unlike its adapters), this opened a window for malicious actors to front-run transactions by monitoring token approvals in the mempool.
Shortly after the update went live, a user's bundled transaction was intercepted by a whitehat MEV bot operated by c0ffeebabe.eth, who front-ran the transaction and temporarily gained control of the user’s funds.
The root cause was the incorrect approval logic in the SDK, which permitted only minimal approvals (for exact transaction amounts) but to the wrong contract (Bundler3). This was enough to expose transactions to MEV attacks.
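The failure described above is a spender-selection bug: the approval amount was right, but the spender was a contract that anyone can drive. The following TypeScript is an added illustration, not Morpho's SDK code; it shows the misconfigured construction beside a corrected one that only accepts allowlisted adapters, plus a pre-signing audit that would have refused the bundle. All addresses, adapter names and token values are constructed placeholders, since the page gives none.

```typescript
// Added example, not Morpho's SDK: spender allowlist for approvals inside a bundled transaction.
// Every address below is a constructed placeholder, not a real deployment.

type Address = string;

interface ApprovalCall {
  token: Address;    // ERC-20 being approved
  spender: Address;  // contract that receives transferFrom rights
  amount: string;    // wei, kept as a decimal string
}

interface BundlerConfig {
  bundler: Address;                  // Bundler3-style entrypoint: no access control of its own
  adapters: ReadonlyArray<Address>;  // adapters: the only contracts that should ever be spenders
}

// Hypothetical deployment used by the demo.
const CONFIG: BundlerConfig = {
  bundler: "0x00000000000000000000000000000000000000B3",
  adapters: [
    "0x00000000000000000000000000000000000000A1", // hypothetical general-purpose adapter
    "0x00000000000000000000000000000000000000A2", // hypothetical swap adapter
  ],
};

const norm = (a: Address): Address => a.toLowerCase();

function isAdapter(spender: Address, cfg: BundlerConfig): boolean {
  return cfg.adapters.some((a) => norm(a) === norm(spender));
}

// The pattern the page describes as the bug: the spender is the bundler itself.
// Kept only so the audit below has something to catch.
function buildApprovalMisconfigured(token: Address, amount: string, cfg: BundlerConfig): ApprovalCall {
  return { token, spender: cfg.bundler, amount };
}

// Corrected construction: the caller names an adapter, and it must be on the allowlist.
function buildApprovalCorrected(token: Address, amount: string, adapter: Address, cfg: BundlerConfig): ApprovalCall {
  if (!isAdapter(adapter, cfg)) {
    throw new Error(`refusing approval: ${adapter} is not an approved adapter`);
  }
  return { token, spender: adapter, amount };
}

// Pre-signing gate: every approval in a bundle is checked before the wallet prompt is shown.
// Returns human-readable findings; an empty array means the bundle may proceed.
function auditBundleApprovals(calls: ApprovalCall[], cfg: BundlerConfig): string[] {
  const findings: string[] = [];
  calls.forEach((call, i) => {
    if (norm(call.spender) === norm(cfg.bundler)) {
      findings.push(`call ${i}: approval of ${call.token} targets the bundler ${call.spender}; any caller could spend it`);
    } else if (!isAdapter(call.spender, cfg)) {
      findings.push(`call ${i}: approval of ${call.token} targets unknown spender ${call.spender}`);
    }
  });
  return findings;
}

// Stand-alone demonstration with constructed values: one bad bundle, one corrected bundle.
function demo(): { bad: string[]; good: string[] } {
  const token = "0x000000000000000000000000000000000000EEE7"; // placeholder token address
  const oneToken = "1000000000000000000";                      // 1e18 wei, the "exact amount" case
  const bad = auditBundleApprovals([buildApprovalMisconfigured(token, oneToken, CONFIG)], CONFIG);
  const good = auditBundleApprovals(
    [buildApprovalCorrected(token, oneToken, CONFIG.adapters[0], CONFIG)],
    CONFIG,
  );
  return { bad, good };
}

console.log(demo());
```

The point of `auditBundleApprovals` is that it runs on the finished bundle rather than inside the builder, so a later refactor that again picks the wrong spender is still caught before the user is asked to sign.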
Total Amount Lost
The attack appears to have sent 1,708.64280716451270409 ETH. Using the closing market price of $1,522.52 from April 10th, 2025, the total loss value comes to $2,601,442.85. The losses have been estimated as $2.6m USD by TenArmor.
The total amount lost has been estimated at $2,601,000 USD.
Immediate Reactions
It's reported that the user was able to identify the issue themselves, with assistance from the Fuzzland and Trail of Bits teams, and alerted the Morpho Labs team.
Fortunately, the whitehat returned the funds and cooperated with the Morpho team. The issue was quickly identified by the affected user in collaboration with security firms Fuzzland and Trail of Bits. They alerted Morpho via SEAL911 and Spearbit, prompting the team to roll back the front-end update within four minutes, neutralizing the risk. No additional user actions were required, and no smart contracts were compromised.
Ultimate Outcome
Morpho patched the SDKs, launched a full review of approval logic across their codebase, and committed to enhancing offchain security reviews, preventing approval to Bundler3, and submitting SDKs to external audits. The team acknowledged this as a serious lapse in their “security-first” philosophy and outlined a robust roadmap to reinforce their defenses moving forward.
Total Amount Recovered
The attack transaction appears to have been conducted by a front-runner nicknamed "coffeebabe". It is reported that they returned the funds following the attack.
There do not appear to have been any funds recovered in this case.
Ongoing Developments
As of their last update on this issue, the Morpho team was focused on strengthening their offchain security processes, particularly around code involved in transaction flows. This includes increasing the number of code reviewers, avoiding the use of pre-released code in production, implementing more extensive testing for token transfers, and modifying the SDK to prevent any token approvals to Bundler3. They also released plans to monitor all approvals made to the bundler for any misuse, conduct an external audit of the SDKs, and expand their smart contract security framework to encompass the offchain stack—ensuring a comprehensive and resilient security posture across the entire ecosystem.
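The monitoring commitment above ("monitor all approvals made to the bundler for any misuse") can be implemented on top of raw ERC-20 `Approval` logs. The TypeScript below is an added illustration, not Morpho's monitoring code: it decodes `Approval(address,address,uint256)` events from log entries, ignores unrelated events such as `Transfer`, and flags any approval whose spender is the bundler entrypoint, marking unlimited approvals separately. The bundler and adapter addresses and the sample logs are constructed placeholders.

```typescript
// Added example, not Morpho's code: flag ERC-20 approvals whose spender is the bundler.
// Addresses and log entries are constructed; the two event topic hashes are the standard ERC-20 ones.

const APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"; // keccak256("Approval(address,address,uint256)")
const TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"; // keccak256("Transfer(address,address,uint256)")

const BUNDLER = "0x00000000000000000000000000000000000000b3";          // placeholder bundler entrypoint
const ADAPTER = "0x00000000000000000000000000000000000000a1";          // placeholder adapter

interface RawLog {
  address: string;          // token contract that emitted the event
  topics: string[];         // topics[0] = event signature, then indexed params
  data: string;             // ABI-encoded non-indexed params
  transactionHash: string;
}

interface ApprovalFinding {
  txHash: string;
  token: string;
  owner: string;
  spender: string;
  valueHex: string;
  unlimited: boolean;       // uint256 max, i.e. an open-ended allowance
}

// Indexed address parameters are left-padded to 32 bytes; the address is the last 20 bytes.
function topicToAddress(topic: string): string {
  return ("0x" + topic.slice(-40)).toLowerCase();
}

// Returns null for anything that is not a well-formed Approval event.
function decodeApproval(log: RawLog): ApprovalFinding | null {
  if (log.topics.length !== 3 || log.topics[0].toLowerCase() !== APPROVAL_TOPIC) return null;
  const valueHex = log.data.toLowerCase();
  if (!/^0x[0-9a-f]{64}$/.test(valueHex)) return null;
  return {
    txHash: log.transactionHash,
    token: log.address.toLowerCase(),
    owner: topicToAddress(log.topics[1]),
    spender: topicToAddress(log.topics[2]),
    valueHex,
    unlimited: /^0xf{64}$/.test(valueHex),
  };
}

// The monitor: every approval whose spender is the bundler is a finding, whatever the amount,
// because the page's incident involved an exact-amount approval, not an unlimited one.
function flagApprovalsToBundler(logs: RawLog[]): ApprovalFinding[] {
  return logs
    .map(decodeApproval)
    .filter((f): f is ApprovalFinding => f !== null && f.spender === BUNDLER);
}

// Helpers to build constructed sample logs.
const pad32 = (addr: string): string => "0x" + "0".repeat(24) + addr.slice(2).toLowerCase();
const uint256 = (hexDigits: string): string => "0x" + "0".repeat(64 - hexDigits.length) + hexDigits;

function sampleLogs(): RawLog[] {
  const token = "0x000000000000000000000000000000000000eee7"; // placeholder token
  const owner = "0x0000000000000000000000000000000000001111"; // placeholder user
  const oneToken = uint256("de0b6b3a7640000");                 // 1e18 wei
  return [
    // Healthy: exact-amount approval to an adapter.
    { address: token, topics: [APPROVAL_TOPIC, pad32(owner), pad32(ADAPTER)], data: oneToken, transactionHash: "0xaaa1" },
    // Misconfigured: exact-amount approval to the bundler itself.
    { address: token, topics: [APPROVAL_TOPIC, pad32(owner), pad32(BUNDLER)], data: oneToken, transactionHash: "0xaaa2" },
    // Unrelated: a Transfer event, which also has three topics but a different signature.
    { address: token, topics: [TRANSFER_TOPIC, pad32(owner), pad32(ADAPTER)], data: oneToken, transactionHash: "0xaaa3" },
    // Unlimited approval to an adapter: not a bundler finding, but decoded as unlimited.
    { address: token, topics: [APPROVAL_TOPIC, pad32(owner), pad32(ADAPTER)], data: "0x" + "f".repeat(64), transactionHash: "0xaaa4" },
  ];
}

console.log(flagApprovalsToBundler(sampleLogs()));
```

In production the `RawLog` shape is what a JSON-RPC `eth_getLogs` call returns, so the same decoder runs unchanged over live data, with a topic filter on `APPROVAL_TOPIC` and the bundler address as `topics[2]` doing most of the work server-side.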
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ TenArmor - "A regular Morpho user just lost $2.6 million due to an inappropriate approval to the Multicall contract. The victim attempted to provide PT-sUSDE-29MAY2025 as collateral and then borrow USDC from Morpho using Multicall. However, a well-known frontrunner, #coffeebabe, managed to front-run the transaction and exploit the Permit2 approval." - Twitter/X (Accessed Aug 8, 2025)
- ↑ Attack Transaction - Etherscan (Accessed Aug 8, 2025)
- ↑ Ethereum Price History and Historical Data (Accessed Dec 21, 2021)
- ↑ Amnesia Scleroza - "NEAR MISS Analysis: ~$2.6M in assets (mostly stETH & WETH) was targeted in a sophisticated frontend exploit aimed at @MorphoLabs users yesterday" - Twitter/X (Accessed Aug 8, 2025)
- ↑ Morpho Labs - "For a detailed recap and steps forward" - Twitter/X (Accessed Aug 8, 2025)
- ↑ Morpho App Incident: April 10, 2025 - Morpho Labs Blog (Accessed Aug 8, 2025)
- ↑ Morpho Labs Homepage (Accessed Aug 8, 2025)
- ↑ Morpho Earn App (Accessed Aug 8, 2025)
- ↑ Morpho Brand Guidelines (Accessed Aug 8, 2025)
- ↑ @MorphoLabs Twitter (Accessed Aug 8, 2025)