★ Oracle source = spot DEX pool (no TWAP)

Morpho V1 (Morpho Blue + MetaMorpho)'s assessment for RD-F-053 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

[★ CRITICAL] Reference ChainlinkOracleV2 uses Chainlink push-oracle feeds (latestRoundData), not spot DEX pools. High-TVL markets (wstETH/USDC, WBTC/USDC) use Chainlink multi-hop. PAXG/USDC exploit was decimal misconfiguration of Chainlink adapter, not spot DEX. No verified spot DEX oracle in reference implementation or high-TVL markets.

Detail #

Source inspection of MorphoChainlinkOracleV2.sol confirms: uses ChainlinkDataFeedLib.getPrice() which calls latestRoundData() on AggregatorV3Interface feeds. No UniswapV3 observe() / consult() TWAP calls identified. Data cache oracle_feeds[] contains only Chainlink feeds. Individual market creators CAN configure spot DEX oracles (F181 captures this systemic risk), but the factor fires only if confirmed in deployed high-TVL markets.

Sources #

GitHub
MorphoChainlinkOracleV2.solMorphoChainlinkOracleV2.sol — uses ChainlinkDataFeedLib, not DEX spotretrieved 2026-04-27
URL
Establishing Morpho Blue's Oracle Network with Chainlink Price FeedsMorpho Chainlink oracle blogretrieved 2026-04-27

Methodology #

Determine whether the primary oracle for any asset/market reads spot price from a single DEX pool without a TWAP window or secondary source.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol morpho-v1 factor RD-F-053 score green collected_at 2026-04-30 21:19:13