More Markets

Code Audit


A decentralized platform offering advanced trading features and multi-asset support.


Introduction

MORE Optimizer v1 is an automated looping strategy for the Morpho protocol.

By recycling idle liquidity between highly-correlated markets (e.g., wETH / wstETH), MORE maximizes supply APY for passive LPs while simultaneously steering market utilization toward an on-chain target. The contract dynamically increases or trims its leverage (loop count) in response to utilization drift, so lenders enjoy boosted yield and borrowers retain competitive borrowing costs.

Why Did They Need an Audit?

The strategy touches flash-loan callbacks, re-entrancy-prone swaps, and on-chain leverage management. A single logic error could let an attacker drain collateral or distort share accounting. MORE enlisted Three Sigma for a rapid yet deep review ahead of main-net deployment.

Scope of the Engagement


Audit Date: 2024-12-02

Language: Solidity

Type: Code Audit

Results and Findings

Key Critical Issues

Flash-loan callback callable by anyone

  • Description: A rogue account could invoke onMoreFlashLoan() directly and siphon collateral. Caller validation was added (the caller must be the Morpho market).
  • Resolution: Added a strict caller check inside onMoreFlashLoan(): the transaction now reverts unless msg.sender equals the Morpho market address recorded at deployment (market).

Arbitrary swap path in redeem / withdraw

  • Description: An unchecked swap path allowed tokens capable of re-entrancy to inflate shares and drain funds. The path is now restricted to [wstETH ↔ wETH] only.
  • Resolution: Introduced a whitelist that only accepts the canonical 2-hop path wstETH ⇄ wETH. Any attempt to pass a longer or mismatched path now reverts, blocking re-entrancy share-inflation exploits.

Notable High-Severity Issues:

Market interest not accrued before accounting

  • Description: Deposits and withdrawals calculated shares using stale totals, under- or over-paying users. Interest accrual now precedes every state-changing action and is mirrored in view helpers.
  • Resolution: Inserted markets.accrueInterest() at the start of every state-changing function (deposit, mint, _withdraw, redeem), and added an internal _previewWithAccrued() helper so all view functions include pending interest.
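
The share mis-pricing behind this finding, as a small numerical model added here (it is not MORE Optimizer or Morpho code). It assumes the vault is the market's only supplier and that interest is simple rather than compounded; `Market`, `Vault` and `scenario` are hypothetical names and all amounts are constructed.

```python
# Added illustration: a constructed model, not MORE Optimizer or Morpho code.
WAD = 10**18

class Market:
    """Stand-in lending market: simple interest that is only booked on accrual."""
    def __init__(self, rate_per_second_wad):
        self.total_supply_assets = 0
        self.rate = rate_per_second_wad
        self.last_update = 0

    def accrue_interest(self, now):
        elapsed = now - self.last_update
        self.total_supply_assets += self.total_supply_assets * self.rate * elapsed // WAD
        self.last_update = now

    def supply(self, assets, now):
        self.accrue_interest(now)  # assumption: the market accrues inside supply()
        self.total_supply_assets += assets

class Vault:
    def __init__(self, market, accrue_first):
        self.market, self.accrue_first = market, accrue_first
        self.total_shares, self.balances = 0, {}

    def deposit(self, user, assets, now):
        if self.accrue_first:  # the fix: accrue before reading totals
            self.market.accrue_interest(now)
        total_assets = self.market.total_supply_assets  # stale unless accrued above
        if self.total_shares == 0:
            shares = assets
        else:
            shares = assets * self.total_shares // total_assets
        self.market.supply(assets, now)
        self.total_shares += shares
        self.balances[user] = self.balances.get(user, 0) + shares
        return shares

    def value_of(self, user):
        return self.balances[user] * self.market.total_supply_assets // self.total_shares

def scenario(accrue_first):
    """Alice deposits 100 at t=0; 10% interest builds up; Bob deposits 110 at t=1000."""
    vault = Vault(Market(rate_per_second_wad=10**14), accrue_first)
    vault.deposit("alice", 100 * WAD, now=0)
    bob_shares = vault.deposit("bob", 110 * WAD, now=1000)
    return bob_shares, vault.value_of("alice"), vault.value_of("bob")

if __name__ == "__main__":
    for label, flag in (("stale totals", False), ("accrue first", True)):
        print(label, [x / WAD for x in scenario(flag)])
```

With stale totals Bob is minted 110 shares against Alice's 100 and ends up holding part of the interest Alice earned before he arrived; with accrual first both positions are worth 110.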

Severity Issues

critical
high

3

informational

6

medium

2

low

2

Audit Period

3 Days

Report

In conclusion

Despite the compressed three-day window, Three Sigma uncovered two critical vectors that could have emptied the strategy, plus a handful of accounting and UX-oriented bugs. After patching caller-checks, swap-path validation, and interest-accrual timing, MORE Optimizer v1 now enforces strict flash-loan integrity, accurate share issuance, and safe withdrawal paths—ready for Morpho main-net deployment.
