Morpho
About
Morpho is a decentralized, non-custodial lending protocol on the Ethereum Virtual Machine that enables permissionless creation of isolated overcollateralized lending markets. It serves lenders (suppliers), borrowers, vault curators seeking to build curated lending strategies, and enterprises looking to embed white-label earn or crypto-backed loan products into their own platforms.
Where Does Yield Come From?
On Morpho, lenders earn yield from the interest that borrowers pay. This happens inside isolated lending markets (called Morpho Blue). Each market pairs one specific collateral asset with one specific loan asset, and is fixed by five settings: which asset serves as collateral, which asset is borrowed, the liquidation loan-to-value (how much can be borrowed before forced repayment), the price oracle (data feed for asset prices), and the interest rate model.
How interest rates work
The only interest rate model approved by governance is the AdaptiveCurveIRM. It aims to keep 90% of available funds lent out (the "utilization" target). It uses two tools:
- A curve mechanism: As utilization nears 100% (almost all supplied funds are borrowed), rates rise sharply. If utilization hits 100%, the rate instantly jumps 4×. As utilization falls, rates drop.
- An adaptive mechanism: The entire curve shifts over time. At 100% utilization, the target rate doubles after about 5 days. At 45% utilization, it halves after about 10 days.
Interest compounds every second using a Taylor-compounded exponential formula based on the per-second borrow rate.
What lenders actually earn
The supply APY (annual percentage yield for lenders) is calculated as: borrow APY × utilization × (1 − fee). The protocol-level fee per market is currently set to 0% (governance can raise it up to 25% max).
A key point: your supplied collateral is never re-used or re-lent to others (no rehypothecation). This removes the systemic risk that can arise when the same collateral backs multiple loans across different platforms.
Aggregating yield through Vaults
Beyond basic markets, Morpho Vault V2 lets curators build strategies that pull yield from multiple sources using an Adapter system. This includes Morpho markets and, in future, external protocols. The vault reports real-time assets through a function called realAssets().
Vault curators can charge two types of fees (both protected by a timelock, meaning changes can't happen instantly):
- A performance fee — up to 50% on the yield generated.
- A management fee — up to 5% on total assets under management.
Extra rewards (beyond interest)
Additional tokens can be distributed on top of regular interest. These may include MORPHO tokens or other issued tokens, and can come from governance, from market creators trying to attract liquidity, from vault curators, or from token issuers. This is handled through the Merkl distribution system, and can incentivize supplying assets, borrowing, or supplying collateral.
What liquidators earn
When a borrower's position becomes unhealthy (collateral value drops too low), liquidators can step in. Their incentive is calculated as: min(maxLiquidationIncentiveFactor, 1 / (1 − cursor × (1 − LLTV))). They are paid from the borrower's collateral.
Persons
Paul Frambot
CEO
LinkedIn
Audits
| Audit / Date | Findings | Verdict |
|---|---|---|
Certora09-12-2025 - 15-12-2025 |
| The Certora audit found no critical, high, or medium severity vulnerabilities in the Morpho Vault V2 adapter changes, with all two low-severity and four informational findings acknowledged by the team as intentional design trade-offs or documented limitations rather than exploitable security flaws. |
Certora09-12-2025 - 15-12-2025 |
| The audit found no critical, high, or medium severity vulnerabilities; the two low-severity issues are acknowledged design limitations rather than exploitable bugs, indicating that the incremental changes to Morpho Vault v2 are sound with only minor operational risks. |
Spearbit29-10-2024 |
| The Spearbit audit found no critical, high, medium, or low severity vulnerabilities; only one gas optimization (fixed) and three informational items (acknowledged) were reported, indicating the pre-liquidation codebase was in a mature state at the time of review. |
Cantina (Spearbit)07-02-2025 - 08-02-2025 |
| The review found no security issues in the metamorpho-v1.1 diff changes, confirming the reallocation logic safely enforces enabled-market checks. The protocol benefits from this clean bill of health for the specific PR 67 changes, though the recommendations on no-op edge cases and donation handling are worth addressing for robustness. |
Cantina Managed19-02-2024 - 23-02-2024 |
| The audit found no critical or high-severity vulnerabilities, with the one medium-severity issue acknowledged by Morpho as a griefing vector mitigated by fees. All remaining findings were either addressed in follow-up pull requests or acknowledged, indicating that the public-allocator contract was in a reasonable security posture at the time of review. |
Cantina16-11-2023 - 07-12-2023 |
| The competition found only one High Risk issue (already fixed) and eight Medium Risk items, several acknowledged as user-side mitigations or low-likelihood scenarios; the protocol's open-market model places significant trust assumptions on users selecting safe oracle, LLTV, and liquidity configurations. |
Cantina16-11-2023 - 07-12-2023 |
| The competition found no critical or high-severity vulnerabilities, and the 13 medium-risk findings — spanning migration bundler edge cases, rounding errors, and an APR/APY parameter mismatch — were identified for remediation, posing manageable risk to the protocol. |
| The audit identified only Minor and Informational issues, with the sole behavioural concern (unrestricted burning) fully remediated by removing the function, leaving the codebase with no unresolved security findings. | |
Lexfo03-05-2023 - 10-05-2023 |
| This penetration test of Morpho's external assets found no critical or high-severity vulnerabilities, with only 2 medium and 6 low-severity AWS/infrastructure hardening issues; the protocol's external perimeter is well-secured through CloudFront, WAF, and minimal attack surface design. |
SecuRing28-03-2022 - 01-04-2022 |
| This frontend penetration test identified no critical or high-severity vulnerabilities and only one low-risk finding (exposed API key), indicating a reasonable security posture for the tested MorphoDAO FrontEnd scope. The four informational recommendations address good-practice hardening measures that do not pose immediate risk. |
Backers
Morpho is backed by a broad set of institutional investors showcased in the "Backed by leaders reshaping finance" section on the morpho.org homepage, featuring logos of numerous funds and strategic backers (with "40+ more" listed beyond those shown). Key known backers include Apollo Global Management, which entered a cooperation agreement with the Morpho Association on February 14, 2026 — under the agreement Apollo or its affiliates may acquire up to 90 million MORPHO tokens over a 48-month period via open-market purchases, OTC transactions, and other arrangements, subject to transfer and trading restrictions. Galaxy Digital UK Limited served as exclusive financial adviser to Morpho on the Apollo deal. Specific funding rounds, amounts, and dates for venture financing were not detailed on the official morpho.org site or blog at the time of review.
Legal
Legal form
French association (Association loi 1901)
Registration jurisdiction
France — registered at the Répertoire national des associations under number W751263773, with registered office at 24 rue de Clichy 75009 Paris. SIREN 911 156 933, EU VAT FR 44911156933.
Status and notes
The operating entity is the Morpho Association, a French non-profit association (Association loi 1901). Its Terms of Use (version dated November 3, 2025) govern the Sites, Services, Apps, and Protocols; the TOU are governed by French law with exclusive jurisdiction of the Judicial Courts of Paris for EU consumers and ICC arbitration in Paris for professionals/non-EU consumers. The Privacy Policy (last revised September 19, 2025) and Legal Notice are published and accessible. The Association explicitly disclaims being a financial, credit, or investment institution and states it is not subject to MiCA or other financial regulatory supervision. The website is hosted by Amazon Web Services EMEA SARL (Luxembourg). The Disclaimers page (last updated March 17, 2026) covers all Morpho protocol interfaces not owned by the Association.