Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
Solana 
USDC 
TRON 
Lido Staked Ether 
Dogecoin 
Figure Heloc 
Cardano 
Wrapped stETH 
Bitcoin Cash 
Monero 
WhiteBIT Coin 
Wrapped Beacon ETH 
Wrapped Bitcoin 
Wrapped eETH 
USDS 
Chainlink 
Binance Bridged USDT (BNB Smart Chain) 
LEO Token 
WETH 
Stellar 
Coinbase Wrapped BTC 
Sui 
Zcash 
Ethena USDe 
Avalanche 
Litecoin 
Hyperliquid 
Canton 
Shiba Inu 
Hedera 
World Liberty Financial 
USDT0 
sUSDS 
Dai 
Toncoin 
Cronos 
Ethena Staked USDe 
PayPal USD 
Polkadot 
Uniswap 
USD1 
Mantle 
Rain 
MemeCore 
Bittensor 
Aave 
Bitget Token 
Pepe 
Tether Gold 
OKB 
NEAR Protocol 
Falcon USD 
Jito Staked SOL 
Ethereum Classic 
Binance-Peg WETH 
PAX Gold 
Ethena 
Internet Computer 
BlackRock USD Institutional Digital Liquidity Fund 
Pi Network 
Aster 
POL (ex-MATIC) 
Jupiter Perpetuals Liquidity Provider Token 
HTX DAO 
Binance Staked SOL 
Worldcoin 
Circle USYC 
Global Dollar 
KuCoin 
Pump.fun 
syrupUSDC 
Ripple USD 
Aptos 
Wrapped BNB 
Sky 
BFUSD 
Provenance Blockchain 
Rocket Pool ETH 
Binance Bridged USDC (BNB Smart Chain) 
Kaspa 
Ondo 
Cosmos Hub 
Render 
Gate 
Arbitrum 
Algorand 
Kelp DAO Restaked ETH 
MYX Finance 
Midnight 
Filecoin 
Official Trump 
Story 
Bridged Wrapped Lido Staked Ether (Scroll) 
Lombard Staked BTC 
Function FBTC 
VeChain 
Solv Protocol BTC 
NEXO 
Flare 
Bonk 
USDD 
XDC Network 
Janus Henderson Anemoy AAA CLO Fund 
Mantle Staked Ether 
Liquid Staked ETH 
USDtb 
OUSG 
Superstate Short Duration U.S. Government Securities Fund (USTB) 
Sei 
WrappedM by M^0 
Pudgy Penguins 
Polygon Bridged USDC (Polygon PoS) 
Arbitrum Bridged WBTC (Arbitrum One) 
Stacks 
Morpho 
clBTC 
Renzo Restaked ETH 
Beldex 
Jupiter Staked SOL 
Ondo US Dollar Yield 
Jupiter 
USDai 
Artificial Superintelligence Alliance 
syrupUSDT 
Wrapped Flare 
PancakeSwap 
StakeWise Staked ETH 
L2 Standard Bridged WETH (Base) 
Virtuals Protocol 
Polygon PoS Bridged DAI (Polygon POS) 
Optimism 
Tezos 
c8ntinuum 
Spiko EU T-Bills Money Market Fund 
Curve DAO 
Dash 
Arbitrum Bridged WETH (Arbitrum One) 
SPX6900 
Kinetiq Staked HYPE 
Chiliz 
tBTC 
Usual USD 
Lighter 
Lido DAO 
Injective 
Aerodrome Finance 
GTETH 
FLOKI 
GHO 
First Digital USD 
TrueUSD 
Ether.fi 
Marinade Staked SOL 
Celestia 
Fasttoken 
Ether.Fi Liquid ETH 
Maple Finance 
Steakhouse USDC Morpho Vault 
Stader ETHx 
The Graph 
Coinbase Wrapped Staked ETH 
AB 
JasmyCoin 
River 
Wrapped ApeCoin 
Starknet 
Staked Aave 
USDB 
BitTorrent 
DoubleZero 
sBTC 
IOTA 
JUST 
Sun Token 
Ethereum Name Service 
Conflux 
Wrapped STX (Velar) 
Bitcoin SV 
Fartcoin 
Pyth Network 
Gnosis 
dogwifhat 
Onyxcoin 
Trust Wallet 
Pendle 
AINFT 
Kaia 
crvUSD 
Cap USD 
Avalanche Bridged BTC (Avalanche) 
EURC 
Binance-Peg Dogecoin 
Telcoin 
Olympus 
Kinesis Gold 
The Paxos tokenized gold (PAXG) market on DeFi protocol Morpho Protocol suffered an exploit today, leading to a $230,000 loss. According to Chaos Labs founder Omer Goldberg, the incident was caused by a mistake during the setup of the Oracle pricing for $2.6 trillion.
In a post-mortem of the incident shared on X, Omer explained that an Oracle misconfiguration is likely because the PAXG/USDC market deployer did not fully understand the platform’s decimal system. Morpho Protocol allows users to create decentralized lending markets and set the parameters.
Omer explained:
“The Oracle SCALE_FACTOR was misconfigured, failing to account for the differences between decimals in USDC (6 decimals) and PAXG (18 decimals). This led to a 12-decimal inflation in price, overpricing gold by a factor of 10^12.”
The exploiter noticed the error on time, so they immediately sent $350 worth of PAXG to the market, using it to withdraw $230,000 in USDC.
While the incident appears to have been caused by an error on the part of the deployer, Omer observed that the protocol did not flag the issue, and the Morpho Protocol user interface showed the correct gold price.
In his opinion, this is likely because security monitoring focused on the reference prices instead of the Oracle price.
Morpho Protocol says the platform remains safe
Meanwhile, Omer noted that the incident highlights some of the risks of using decentralized platforms like the Morpho protocol, as there is a need for precision when setting up such lending markets, especially for parameters guiding oracles and risks.
He also called for real-time monitoring, saying:
“Real-time risk monitoring, in this case, a deviation between the Morpho market price and an external reference price, is essential to prevent incidents like this.”
However, the protocol developer Morpho Labs has responded by noting that the incident was not due to any security issue on its platform. Rather, it was because the risk curator made mistakes.
The team said:
“We believe it is important to differentiate between underlying smart contract vulnerabilities and mistakes at the risk curation layer – much like how misconfigured pairs on Uniswap are not considered exploits of the protocol itself.”
It further described the incident as an isolated issue that had no impact on the protocol, noting that even the risk curator has recovered some of the funds and is working to repay the lenders. The developer added that it will provide more tools to help curators limit such errors in the future.
Despite the clarifications, some users still believe that the Oracle provider used is responsible and have called Morpho Labs to rely exclusively on Chainlink for all its price feeds. However, the team said that its protocol is oracles agnostic, with each risk curator free to choose the oracles and private feed they want.
Meanwhile, Kamino Finance co-founder Marius noted that the risk curator in this case was not a full-time risk curator, which is likely what led to the mistake. He also confirmed that most of the funds have been recovered, and the issue is controlled.
Crypto investor says the incident is not an exploit
While discussions about the incident have focused on its impact, Felipe Montealegre, the co-founder of crypto investment firm Theia Capital, believes it is not a significant issue. According to him, losses by capital providers are an inherent part of the lending system, with even traditional financial institutions losing money on lending.
He said:
“Even Moody’s B rated corporate debt has a three-year default rate of 17%. You can’t have an interesting lending platform where capital providers aren’t occasionally losing money.”
However, he admitted that while risk curators can take risks and lose funds, the underlying DeFi protocols work correctly and as advertised. He noted that this is exactly what happened to Morpho Protocol, as the issue was caused by an error from the fund manager and had nothing to do with the protocol. Thus, he noted that this was not a DeFi exploit in the true sense of the word.
