Ethical hacker identifies $2.6M vulnerability in Morpho App

Update April 28, 2025 4:20 pm UTC: This article has been updated to add clarifications from the Morpho Labs team.
Update May 20, 2025 8:00 am UTC: This article has been updated to add further clarifications from the Morpho Labs team.

A known maximal extractable value (MEV) white hat actor identified a vulnerability that allowed them to access $2.6 million in crypto assets from the Morpho App. 

On April 10, Morpho Labs implemented a front-end update on its Morpho application. A day later, a white hat hacker breached an address through a vulnerability caused by the update.

Blockchain security firm PeckShield initially reported that an address lost $2.6 million due to the vulnerability. The security said that “c0ffeebabe.eth,” a known white hat MEV operator, had “front-run” the transaction, effectively intercepting the stolen funds.

However, the Morpho team later clarified that the white hat was the one who “consumed” the vulnerability and returned the funds.

Morpho Labs reverts front-end update

Responding to the incident, Morpho Labs reversed its front-end update. In a post on X on April 11, the team confirmed it had been alerted to the issue and rolled back the changes. The team also said that normal operations had resumed:

“All funds in the Morpho Protocol are safe and unaffected. The Morpho team will provide a detailed update later today in this thread.”

After further investigation, the team confirmed that its front-end was safe and that users don’t need to perform additional actions to secure their assets. 

The team said the update was pushed to enhance the transaction flow. However, specific transactions on the front-end were incorrectly crafted. The Morpho Labs team said they’ve identified the issue and applied a fix. 

A Morpho Labs spokesperson told Cointelegraph that there was no malicious transaction that was front-run, and that there was never a malicious transaction or exploit. They wrote:

“The whitehat reported that there was a vulnerability in our application (not the protocol) and performed the transaction as a proof for the Morpho bounty process that it was possible.”

The spokesperson clarified that the Morpho Blue protocol remained unaffected and was not involved in the transaction. The team further stated that the white hat utilized the approval to safeguard the funds and subsequently returned the amount.

Related: MEV bot loses $180K in ETH from access control exploit

White hat MEV operator c0ffeebabe.eth

C0ffeebabe.eth is known to have contributed to the recovery of funds during DeFi hacks. In 2023, the white hat MEV operator retrieved around $5.4 million in Ether (ETH) from the Curve Finance exploit in July 2023.  

During the incident, c0ffeebabe.eth used a bot to front-run a malicious hacker to secure 3,000 ETH. The funds were then returned to the Curve deployer address. 

In 2024, the mysterious white hat actor also recovered funds stolen during the Blueberry exploit. In an update, the DeFi protocol said all drained funds had been front-run by c0ffeebabe.eth and returned. 

Magazine: Illegal arcade disguised as … a fake Bitcoin mine? Soldier scams in China: Asia Express