Stale-approval exposure on deprecated router

Morpho V1 (Morpho Blue + MetaMorpho)'s assessment for RD-F-168 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

April 2025 frontend incident involved user approvals sent to Bundler3 instead of correct adapter. Funds returned by white hat. Stale approvals to deprecated Bundler3 router may remain active. Morpho Optimizer legacy contracts may also have stale approvals. Exact count and value not quantified.

Sources #

URL
https://morpho.org/blog/morpho-app-incident-april-10-2025/retrieved 2026-04-27

Methodology #

Count the number of active user approvals (ERC-20 `allowance`) to deprecated router or protocol contracts.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol morpho-v1 factor RD-F-168 score yellow collected_at 2026-04-30 21:19:13