Tokenized gold market on Morpho loses $230K after Oracle misconfiguration mishap

The Paxos tokenized gold (PAXG) market on DeFi protocol Morpho Protocol suffered an exploit today, leading to a $230,000 loss. According to Chaos Labs founder Omer Goldberg, the incident was caused by a mistake during the setup of the Oracle pricing for $2.6 trillion.

In a post-mortem of the incident shared on X, Omer explained that an Oracle misconfiguration is likely because the PAXG/USDC market deployer did not fully understand the platform’s decimal system. Morpho Protocol allows users to create decentralized lending markets and set the parameters.

Omer explained:

“The Oracle SCALE_FACTOR was misconfigured, failing to account for the differences between decimals in USDC (6 decimals) and PAXG (18 decimals). This led to a 12-decimal inflation in price, overpricing gold by a factor of 10^12.”

The exploiter noticed the error on time, so they immediately sent $350 worth of PAXG to the market, using it to withdraw $230,000 in USDC.

While the incident appears to have been caused by an error on the part of the deployer, Omer observed that the protocol did not flag the issue, and the Morpho Protocol user interface showed the correct gold price.

In his opinion, this is likely because security monitoring focused on the reference prices instead of the Oracle price.

Morpho Protocol says the platform remains safe

Meanwhile, Omer noted that the incident highlights some of the risks of using decentralized platforms like the Morpho protocol, as there is a need for precision when setting up such lending markets, especially for parameters guiding oracles and risks.

He also called for real-time monitoring, saying:

“Real-time risk monitoring, in this case, a deviation between the Morpho market price and an external reference price, is essential to prevent incidents like this.”

However, the protocol developer Morpho Labs has responded by noting that the incident was not due to any security issue on its platform. Rather, it was because the risk curator made mistakes.

The team said:

“We believe it is important to differentiate between underlying smart contract vulnerabilities and mistakes at the risk curation layer – much like how misconfigured pairs on Uniswap are not considered exploits of the protocol itself.”

It further described the incident as an isolated issue that had no impact on the protocol, noting that even the risk curator has recovered some of the funds and is working to repay the lenders. The developer added that it will provide more tools to help curators limit such errors in the future.

Despite the clarifications, some users still believe that the Oracle provider used is responsible and have called Morpho Labs to rely exclusively on Chainlink for all its price feeds. However, the team said that its protocol is oracles agnostic, with each risk curator free to choose the oracles and private feed they want.

Meanwhile, Kamino Finance co-founder Marius noted that the risk curator in this case was not a full-time risk curator, which is likely what led to the mistake. He also confirmed that most of the funds have been recovered, and the issue is controlled.

Crypto investor says the incident is not an exploit

While discussions about the incident have focused on its impact, Felipe Montealegre, the co-founder of crypto investment firm Theia Capital, believes it is not a significant issue. According to him, losses by capital providers are an inherent part of the lending system, with even traditional financial institutions losing money on lending.

He said:

“Even Moody’s B rated corporate debt has a three-year default rate of 17%. You can’t have an interesting lending platform where capital providers aren’t occasionally losing money.”

However, he admitted that while risk curators can take risks and lose funds, the underlying DeFi protocols work correctly and as advertised. He noted that this is exactly what happened to Morpho Protocol, as the issue was caused by an error from the fund manager and had nothing to do with the protocol. Thus, he noted that this was not a DeFi exploit in the true sense of the word.

Source