$2.6M Vulnerability Flagged by White Hat in Morpho App Update

The issue surfaced after Morpho Labs launched a front-end update to the app on April 10.

A known ethical maximal extractable value (MEV) actor, known as c0ffeebabe.eth, identified the flaw introduced by the update and accessed the affected funds.

Did you know?

Want to get smarter & wealthier with crypto?

Subscribe - We publish new crypto explainer videos every week!

How to Track Cryptocurrencies? (3 BEST Tracking Platforms Revealed)

SUBSCRIBE

ON YOUTUBE

After the incident, Morpho Labs rolled back the update. In an April 11 post on X, the team confirmed it had been informed about the issue and took steps to fix it. They said all user funds within the main Morpho Protocol were safe and unaffected.

The update that caused the issue was meant to improve how transactions are handled. However, the change ended up generating some transactions incorrectly, which opened the door for the vulnerability. Morpho Labs said that it has found the problem and fixed it.

A report shared by PeckShield initially stated that $2.6 million had been “stolen” and claimed that c0ffeebabe.eth had front-run a malicious transaction - essentially intercepting the funds before they reached an attacker.

However, Morpho Labs later clarified that no malicious transaction was involved. The white hat discovered the flaw, used it to safeguard the assets, and later returned the full amount, acting within the bounds of Morpho’s bug bounty process.

Meanwhile, cybersecurity firm Kaspersky recently reported that hackers are distributing fake Microsoft Office add-ins on SourceForge. What did they do? Read the full story.