Morpho authorization ignores the amount parameter
Description
As shown below, ManagementAccount::authorizeOperatorBorrowing accepts an amount parameter intended to limit the operator's borrowing capacity:
    function authorizeOperatorBorrowing(
        address service,
        IService.AuthorizationType authType,
    !   uint256 amount
    )
        external
        override
        onlyOwner
        nonReentrant
        returns (bytes[] memory results)
    {
        [...]
        IService.Call[] memory calls =
    !       IService(service).buildAuthorization(authType, operatorAddress, settlementTokenAddress, amount);
        results = _executeServiceCalls(service, calls);
        [...]
        emit OperatorAuthorizedForBorrowing(operatorAddress, service, authType, amount);
    }

However, MorphoService::buildAuthorization ignores this parameter entirely and grants unlimited borrowing delegation:
    function buildAuthorization(
        AuthorizationType authType,
        address delegate,
        address asset,
    !   uint256 amount
    )
        external
        view
        override
        returns (Call[] memory calls)
    {
        require(authType == AuthorizationType.MORPHO_AUTHORIZATION, "MorphoService: invalid auth type");
        calls = new Call[](1);
        calls[0] = Call({
            target: address(morpho),
            callData: abi.encodeWithSignature("setAuthorization(address,bool)", delegate, true),
            value: 0
        });
    }

Morpho Blue's authorization mechanism is binary (authorized or not) and does not support amount-limited delegation. Once authorized, the operator can borrow any amount up to the position's collateral capacity. A user calling authorizeOperatorBorrowing(service, authType, 1000e6) expecting to limit the operator to borrowing 1,000 USDC will instead grant unlimited borrowing rights.
Impact
This creates a mismatch between user expectations and actual authorization scope. The function signature and emitted event suggest amount-based limits exist, potentially leading users to make trust decisions based on false assumptions about borrowing restrictions. While the operator is a trusted party, users lack visibility into the actual unlimited nature of the authorization.
Recommendations
Either remove the amount parameter from the buildAuthorization interface for Morpho services to eliminate confusion, or implement application-layer controls to track and enforce borrowing limits if amount restrictions are desired.
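One way to apply the first recommendation, as an added example that is not code from the Hyperbeat codebase or from this report: a variant of buildAuthorization that only accepts an explicit "unlimited" sentinel, so a caller who passes a finite amount such as 1000e6 gets a revert instead of a silent unlimited grant. The IMorphoBinaryAuth interface, the Call struct layout and the contract name are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed minimal view of Morpho Blue's binary authorization; the selector matches the
// setAuthorization(address,bool) call built by the original MorphoService.
interface IMorphoBinaryAuth {
    function setAuthorization(address authorized, bool newIsAuthorized) external;
}

// Hypothetical hardened service: the amount parameter is kept for interface
// compatibility, but a Morpho grant is only built when the caller acknowledges
// that the delegation is unlimited by passing type(uint256).max.
contract MorphoServiceChecked {
    struct Call { address target; bytes callData; uint256 value; }
    enum AuthorizationType { MORPHO_AUTHORIZATION }

    uint256 public constant UNLIMITED = type(uint256).max;
    address public immutable morpho;

    constructor(address _morpho) { morpho = _morpho; }

    function buildAuthorization(
        AuthorizationType authType,
        address delegate,
        address /* asset: unused, Morpho authorization is not per-asset */,
        uint256 amount
    ) external view returns (Call[] memory calls) {
        require(authType == AuthorizationType.MORPHO_AUTHORIZATION, "MorphoService: invalid auth type");
        // A finite cap cannot be expressed on Morpho Blue; refuse it rather than
        // emit an event that implies a limit which does not exist.
        require(amount == UNLIMITED, "MorphoService: Morpho authorization is all-or-nothing; pass type(uint256).max");
        calls = new Call[](1);
        calls[0] = Call({
            target: morpho,
            callData: abi.encodeCall(IMorphoBinaryAuth.setAuthorization, (delegate, true)),
            value: 0
        });
    }
}
```

With this check in place the OperatorAuthorizedForBorrowing event can only ever carry type(uint256).max for Morpho, which matches the scope the operator actually receives.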
Remediation
Hyperbeat provided the following response to this finding:
We will need it for other protocols