Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
Solana 
USDC 
Lido Staked Ether 
Dogecoin 
TRON 
Cardano 
Wrapped stETH 
Chainlink 
Wrapped Beacon ETH 
Wrapped Bitcoin 
Ethena USDe 
Hyperliquid 
Wrapped eETH 
Sui 
Stellar 
Bitcoin Cash 
Cronos 
Avalanche 
Hedera 
WETH 
LEO Token 
Litecoin 
Toncoin 
USDS 
Shiba Inu 
Binance Bridged USDT (BNB Smart Chain) 
Coinbase Wrapped BTC 
WhiteBIT Coin 
Uniswap 
Polkadot 
Ethena Staked USDe 
Bitget Token 
Aave 
Monero 
Dai 
Ethena 
Pepe 
Mantle 
OKB 
Ethereum Classic 
Bittensor 
Pi Network 
NEAR Protocol 
Jito Staked SOL 
Aptos 
Ondo 
USDT0 
Arbitrum 
Binance-Peg WETH 
POL (ex-MATIC) 
Internet Computer 
USD1 
BlackRock USD Institutional Digital Liquidity Fund 
Binance Staked SOL 
Kaspa 
Story 
VeChain 
Cosmos Hub 
Algorand 
Gate 
Rocket Pool ETH 
sUSDS 
Fasttoken 
Jupiter Perpetuals Liquidity Provider Token 
Pudgy Penguins 
Kelp DAO Restaked ETH 
Render 
Worldcoin 
KuCoin 
Sei 
Bonk 
BFUSD 
Official Trump 
StakeWise Staked ETH 
Artificial Superintelligence Alliance 
Kinetiq Staked HYPE 
Liquid Staked ETH 
Filecoin 
Jupiter 
Flare 
Quant 
Lombard Staked BTC 
Sky 
USDtb 
Four 
XDC Network 
Polygon Bridged USDT (Polygon) 
Renzo Restaked ETH 
Falcon USD 
Mantle Staked Ether 
Provenance Blockchain 
Tether Gold 
Injective 
Celestia 
Optimism 
NEXO 
Pump.fun 
Wrapped BNB 
PayPal USD 
Jupiter Staked SOL 
First Digital USD 
Pyth Network 
Solv Protocol BTC 
Stacks 
Curve DAO 
Lido DAO 
Conflux 
SPX6900 
Binance Bridged USDC (BNB Smart Chain) 
MemeCore 
Sonic 
Aerodrome Finance 
Immutable 
Super OETH 
PAX Gold 
SyrupUSDC 
The Graph 
Raydium 
Marinade Staked SOL 
Saros 
FLOKI 
Arbitrum Bridged WBTC (Arbitrum One) 
ether.fi Staked ETH 
Kaia 
PancakeSwap 
cgETH Hashkey Cloud 
clBTC 
L2 Standard Bridged WETH (Base) 
dogwifhat 
Pendle 
Fartcoin 
Vaulta 
Theta Network 
Tezos 
Ethereum Name Service 
IOTA 
Virtuals Protocol 
GALA 
OUSG 
Loaded Lions 
Jito 
JasmyCoin 
Ripple USD 
BUILDon 
AB 
Ondo US Dollar Yield 
Stables Labs USDX 
The Sandbox 
Stader ETHx 
Morpho 
Mantle Restaked ETH 
Arbitrum Bridged WETH (Arbitrum One) 
Zcash 
BitTorrent 
tBTC 
Flow 
Coinbase Wrapped Staked ETH 
Usual USD 
Swell Ethereum 
Beldex 
Binance-Peg Dogecoin 
Global Dollar 
Walrus 
Decentraland 
Avalanche Bridged BTC (Avalanche) 
Vision 
Bitcoin SV 
Maple Finance 
Ether.fi 
Frax Ether 
TrueUSD 
Starknet 
NEO 
dYdX 
Brett 
Polygon PoS Bridged WETH (Polygon POS) 
Helium 
Solv Protocol Staked BTC 
ApeCoin 
APENFT 
USDD 
Reserve Rights 
Mantle Bridged USDT (Mantle) 
ZKsync 
Bybit Staked SOL 
Polygon PoS Bridged DAI (Polygon POS) 
Sun Token 
Core 
Savings Dai 
Telcoin 
DeXe 
THORChain 
Arweave 
Bridged USDC (Polygon PoS Bridge) 
Fluid 
The Paxos tokenized gold (PAXG) market on DeFi protocol Morpho Protocol suffered an exploit today, leading to a $230,000 loss. According to Chaos Labs founder Omer Goldberg, the incident was caused by a mistake during the setup of the Oracle pricing for $2.6 trillion.
In a post-mortem of the incident shared on X, Omer explained that an Oracle misconfiguration is likely because the PAXG/USDC market deployer did not fully understand the platform’s decimal system. Morpho Protocol allows users to create decentralized lending markets and set the parameters.
Omer explained:
“The Oracle SCALE_FACTOR was misconfigured, failing to account for the differences between decimals in USDC (6 decimals) and PAXG (18 decimals). This led to a 12-decimal inflation in price, overpricing gold by a factor of 10^12.”
The exploiter noticed the error on time, so they immediately sent $350 worth of PAXG to the market, using it to withdraw $230,000 in USDC.
While the incident appears to have been caused by an error on the part of the deployer, Omer observed that the protocol did not flag the issue, and the Morpho Protocol user interface showed the correct gold price.
In his opinion, this is likely because security monitoring focused on the reference prices instead of the Oracle price.
Morpho Protocol says the platform remains safe
Meanwhile, Omer noted that the incident highlights some of the risks of using decentralized platforms like the Morpho protocol, as there is a need for precision when setting up such lending markets, especially for parameters guiding oracles and risks.
He also called for real-time monitoring, saying:
“Real-time risk monitoring, in this case, a deviation between the Morpho market price and an external reference price, is essential to prevent incidents like this.”
However, the protocol developer Morpho Labs has responded by noting that the incident was not due to any security issue on its platform. Rather, it was because the risk curator made mistakes.
The team said:
“We believe it is important to differentiate between underlying smart contract vulnerabilities and mistakes at the risk curation layer – much like how misconfigured pairs on Uniswap are not considered exploits of the protocol itself.”
It further described the incident as an isolated issue that had no impact on the protocol, noting that even the risk curator has recovered some of the funds and is working to repay the lenders. The developer added that it will provide more tools to help curators limit such errors in the future.
Despite the clarifications, some users still believe that the Oracle provider used is responsible and have called Morpho Labs to rely exclusively on Chainlink for all its price feeds. However, the team said that its protocol is oracles agnostic, with each risk curator free to choose the oracles and private feed they want.
Meanwhile, Kamino Finance co-founder Marius noted that the risk curator in this case was not a full-time risk curator, which is likely what led to the mistake. He also confirmed that most of the funds have been recovered, and the issue is controlled.
Crypto investor says the incident is not an exploit
While discussions about the incident have focused on its impact, Felipe Montealegre, the co-founder of crypto investment firm Theia Capital, believes it is not a significant issue. According to him, losses by capital providers are an inherent part of the lending system, with even traditional financial institutions losing money on lending.
He said:
“Even Moody’s B rated corporate debt has a three-year default rate of 17%. You can’t have an interesting lending platform where capital providers aren’t occasionally losing money.”
However, he admitted that while risk curators can take risks and lose funds, the underlying DeFi protocols work correctly and as advertised. He noted that this is exactly what happened to Morpho Protocol, as the issue was caused by an error from the fund manager and had nothing to do with the protocol. Thus, he noted that this was not a DeFi exploit in the true sense of the word.
