Adversarial Due Diligence Report: Morpho Protocol (MORPHO)

Investigation Date: March 20, 2026 Framework: Maximum Adversity — treat as guilty until independently proven otherwise Trust Hierarchy: On-chain data > Independent third-party analysis > Community intelligence > Historical footprints > Official communications Verdict Summary: VERY LOW FRAUD RISK / MEDIUM STRUCTURAL RISK — The strongest team credentials and institutional signal stack of any protocol reviewed in this series. Real risks are structural: governance concentration, the curator accountability vacuum, and the ongoing tension between “neutral infrastructure” and the real losses users experience when that infrastructure is misconfigured.

Executive Summary

Morpho is a Paris-born DeFi lending protocol founded in 2021 by four engineering students from Télécom Paris. It has grown from an Aave/Compound optimization layer into the second-largest DeFi lending protocol by TVL (~$5.8B as of March 2026), with an architecture centered on permissionless isolated lending markets (Morpho Blue), curator-managed vaults (MetaMorpho / Vaults V2), and a forthcoming fixed-rate lending product (Morpho V2).

Fraud probability: Near zero. The combination of fully verified French engineering school founders with no prior failed projects, a16z/Coinbase/Ribbit/Pantera institutional backing, 25+ Tier 1 audits including Spearbit and Trail of Bits, Certora formal verification, Ethereum Foundation $19M live deployment, and a 2025 nonprofit restructuring that eliminated equity/token conflicts represents the most comprehensive legitimacy stack in this investigation series.

The real risks are architectural and governance-related:

Governance concentration — one wallet controlled >50% of voting power as of mid-2025 with a dangerously low 500K MORPHO quorum threshold
Curator accountability vacuum — the protocol earns fees while disclosing zero responsibility when curators’ oracle misconfigurations or concentration decisions cause user losses ($230K PAXG exploit, $33K cbETH liquidation, $285M Stream Finance contagion all trace through this structural gap)
Permissionless market creation — anyone can deploy a maliciously parameterized market; Morpho’s frontend is the only practical filter, and that filter has a faulty-frontend failure mode (April 2025, $2.6M intercepted by white hat)

Top 3 Positive Signals:

Ethereum Foundation deployed $19M across two separate tranches — the only DeFi protocol deployed twice under EF’s “Defipunk” treasury framework. This is unfakeable and represents the highest-quality independent endorsement available in this ecosystem.
Founders voluntarily relocked their 15.2% token allocation for an additional two years (vesting through May 2028), a financially self-dilutive signal of long-term conviction.
25+ Tier 1 audits + Certora formal verification + $2.5M bug bounty. The security investment is proportionate to TVL and demonstrates the protocol takes security seriously beyond checkbox compliance.

Phase 1: Team Assessment

Paul Frambot — Co-Founder & CEO

Verification status: FULLY VERIFIED. No red flags.

Education: Master’s degree in Parallel and Distributed Systems, Institut Polytechnique de Paris / Télécom Paris (one of France’s top Grandes Écoles for digital technology). Enrolled and founding Morpho during his final year as a student.
Pre-Morpho background: Introduced to the project via KRYPTOSPHERE (the Télécom Paris student blockchain organization) and a collaboration with Vincent Danos, a CNRS researcher. No prior crypto ventures, no failed projects.
GitHub: @PaulFrambot — active on the morpho-org GitHub organization, confirmed contribution history.
LinkedIn: paul-frambot, Paris. 500+ connections, consistent with career narrative.
Public profile: IQ.wiki page on Paul Frambot. Forbes feature. Named “Best Young Talent” at The Big Whale Awards 2024 — awarded by an independent French crypto media organization. The Block maintains a profile page on him. CNBC-level appearance pattern not yet established (contrast with Exodus’s JP Richardson) but Paris Blockchain Week Summit 2024 speaker.
Red flag check: No evidence of prior failed projects, scam allegations, deleted social media, or fabricated credentials. Frambot has been publicly building Morpho since 2021 — a 5-year continuous public record that predates market cycles. He explicitly stated he would “rather reinvest revenue back into the protocol than pay out to token holders” — aligns with the 2025 nonprofit restructuring.

Adversarial note: The student-founder origin story is independently verifiable: Morpho’s $1.35M seed round in 2021 while Frambot was still a student is covered in multiple independent outlets (Coinshares, The Big Whale, RootData). The story is internally consistent across sources.

Merlin Egalite — Co-Founder

Verification status: FULLY VERIFIED. No red flags. POSITIVE pre-Morpho track record.

GitHub: @MerlinEgalite — “Cofounder & Wizard @morpho-org.” 50 public repositories. GitHub activity predates Morpho.
LinkedIn: merlin-egalite — “Co-founder @MorphoLabs, building an open, efficient and resilient lending protocol.”
Pre-Morpho work: Smart contract white-hat at Kleros (blockchain dispute resolution platform) AND software engineer at Commons Stack (token engineering / community currency infrastructure). Two verifiable pre-Morpho crypto positions with established organizations. This is the strongest individual pre-founding credentialing in the investigation.
Character signal: A white-hat background at Kleros is directly relevant to Morpho’s security posture. Someone who spent time attacking/defending smart contracts professionally is a more credible security-focused builder than a protocol founder with no security background.

Adversarial note: Commons Stack and Kleros both have established public records. The Kleros white-hat role is not marketing language — Kleros is a known protocol (founded by Federico Ast, verifiable through its own funding and product history). This is a genuine pre-founding anchor.

Mathis Gontier Delaunay — Co-Founder & Head of Protocol

Verification status: PARTIALLY VERIFIED.

Co-founder, oversaw core protocol development
Less public profile than Frambot and Egalite
No negative background found
Consistent with Télécom Paris co-founding group narrative

Julien Thomas — Co-Founder

Verification status: PARTIALLY VERIFIED.

Listed as co-founder in multiple independent sources
Minimal public profile
No negative background found

Hugo Danet — Initial Team Member (Departed)

Left Morpho in February 2022 — approximately 8 months after founding
No evidence of hostile departure or post-exit controversy
Early departures from founding teams are common and not inherently a red flag

Team Summary Verdict

The Morpho founding team has the most verifiable pre-founding track record of any DeFi protocol in this investigation series. Both primary founders are fully identified, have verifiable educational credentials (Télécom Paris, a top-5 French engineering school), and have independently verified pre-Morpho professional histories. Merlin Egalite’s white-hat background is a specific, positive security signal. No evidence of prior failed projects, scam activity, or manufactured credentials exists.

Unverified claims:

Mathis Gontier Delaunay’s specific educational and professional background beyond co-founder status is not independently confirmed
Julien Thomas’s background is essentially undocumented in public sources

Phase 2: Third-Party Intelligence

Investor Credibility Assessment

Morpho’s investor roster is the strongest of any protocol reviewed in this series:

Investor	Round	Known For	Conflict Check
Nascent	Seed (2021)	Credible DeFi-native fund	No red flags
Semantic Ventures	Seed (2021)	Early stage, DeFi-native	No red flags
a16z Crypto	Series A (2022, second entry 2024)	Tier 1 VC, multiple DeFi bets	No known protocol operator role
Variant Fund	Series A (2022)	DeFi-native, credible analysis	No red flags
Ribbit Capital	Series C (2024, led)	Fintech: Robinhood, Revolut, Coinbase early investor	No red flags
Pantera Capital	Series C (2024)	Tier 1 crypto fund	No red flags
Coinbase Ventures	Both rounds	Strategic: Coinbase is also a product customer	POTENTIAL CONFLICT
Brevan Howard Digital	Series C (2024)	Major TradFi hedge fund	No red flags
Hack VC	Series C (2024)	Credible DeFi fund	No red flags

Coinbase Ventures / Coinbase conflict analysis: Coinbase is both an investor (via Coinbase Ventures in both rounds) and a product customer — they built $1B+ in Bitcoin-backed loan originations on Morpho Base. This is the same structural concern identified with Jump Crypto at Ostium. However, the nature of the relationship is materially different: Coinbase is a product customer paying fees to use Morpho’s infrastructure, not a market maker or hedging counterparty extracting value from the protocol. The investor-as-customer relationship benefits Morpho’s users (larger loan book = more liquidity) rather than creating an adversarial extraction dynamic. Rate as LOW-MEDIUM concern, not critical.

Apollo Global Management cooperation agreement (February 2026): Apollo (AUM ~$940B) signed an agreement to acquire up to 90 million MORPHO tokens (9% of supply) over 48 months. Galaxy Digital acted as Morpho’s financial advisor. This is an open-market / OTC acquisition framework with trading restrictions. The governance implication is significant: a $940B TradFi firm acquiring 9% of a DAO’s governance token creates a potential future scenario where TradFi governance preferences influence protocol decisions. This is not a current risk (Apollo has not acquired all 90M tokens) but is a structural change in Morpho’s governance trajectory to flag.

Audit Assessment

Status: OUTSTANDING — tier-1 depth unprecedented in this investigation series.

Morpho has undergone 25+ security reviews from named, independently verifiable firms:

Tier 1 firms confirmed:

Spearbit — audited Morpho Aave V2 contracts; found critical and high issues (addressed). Audited Morpho Vaults V2.
Trail of Bits — audited Morpho Compound V2; found 1 critical issue (implementation hijacking via self-destruct). Fixed; not present in live code.
ChainSecurity — confirmed on multiple Morpho contracts and Vaults V2.
Certora — formal verification of critical contract functions. Mathematical proofs used to guarantee properties hold under all conditions. Internal PhD engineer also doing formal verification work.
OpenZeppelin — audited; library usage confirmed.
Zellic — confirmed on Vaults V2.

Tier 2 firms confirmed:

Pessimistic Security, Blackthorn, Omniscia, Solidified, Quantstamp

Bug bounty: $2.5M maximum payout on Cantina + Immunefi. Exceeds Apple’s bug bounty. A genuine market signal — high bounties attract sophisticated researchers.

Cantina competition held for Vaults V2.

Core contract minimalism: Morpho Blue (~650 lines of Solidity) is significantly smaller than Aave V3 or Compound V3. Smaller surface area = fewer potential exploit vectors. The minimalist design is both an aesthetic choice and a security design choice.

Adversarial note: The prior audit findings (Spearbit: critical + high issues; Trail of Bits: 1 critical issue) were addressed before deployment. The fact that Tier 1 firms found and reported critical issues — and those issues were fixed — is a POSITIVE signal, not a negative one. It means the security process was working. Contrast with protocols where auditors find no issues but exploits occur later (false negatives from underqualified auditors).

Independent Analyst Coverage

Ethereum Foundation ($19M, March 2026): The EF’s “Defipunk” treasury policy explicitly requires: permissionless access, self-custody, privacy, open development, maximally trustless core logic, censorship resistance, and technical robustness. Morpho is the only DeFi protocol chosen twice under this framework. This is a credibility signal that cannot be replicated through marketing, token allocation, or VC relationships.

LlamaRisk (Aave governance forum): No specific Morpho adversarial assessment found in search results. LlamaRisk’s primary focus is on Aave collateral risk, and Morpho is not currently integrated into Aave as a collateral asset. This is an information gap, not a negative signal.

CoinShares analysis (“Morpho, the platform taking DeFi by storm”): CoinShares is an asset manager with potential token holdings — treat with some caution. However, their technical analysis of Morpho’s architecture is consistent with independent sources.

Blockworks (accountability piece): The most adversarial independent coverage found. Article directly challenged Morpho’s “neutral infrastructure” defense when user “jameis” lost 14 ETH to an oracle delay with no recourse. This is legitimate and serious criticism — not a scam allegation but a structural failure mode.

Community sentiment: Reddit content unavailable via web search (confirmed persistent limitation for this investigation series). Discord presence noted as a concern — Morpho co-founders cited DM phishing scams as a reason to limit Discord usage, which is a protective measure, not a red flag.

Stream Finance Contagion (November 2025)

This is the most adversarially important finding in Phase 2.

Stream Finance’s xUSD stablecoin depegged in November 2025, causing $285M in losses across DeFi. Elixir had lent 65% of its deUSD reserve ($68M of $105M total) to Stream through a private Morpho vault.

Critical analysis:

Morpho’s core contracts were not exploited. This was curator-level risk concentration, not protocol failure.
The private Morpho vault structure enabled Elixir to concentrate 65% of its reserves in a single undisclosed counterparty — concentration that would be illegal in regulated fund management.
Morpho correctly argues that market isolation is by design: only the exposed vaults were affected (3-4 of 320 Morpho App vaults).
However, the private vault structure itself is an accountability gap: users depositing into Elixir’s deUSD did not know their collateral was being deployed through a private Morpho vault to a single borrower.
Merlin Egalite dismissed “claims of protocol-wide illiquidity” as mispresented — technically accurate, but this response treats $285M in ecosystem losses as an external problem.

Verdict: Morpho is not the root cause of the Stream Finance contagion. But the permissionless private vault model enabled the concentration risk. “Neutral infrastructure” is both legally defensible and ethically problematic when the infrastructure is used to hide concentration risk from downstream depositors.

Phase 3: On-Chain Investigation

Smart Contract Risk Assessment

Morpho Blue (core protocol):

Immutable — cannot be upgraded after deployment. No proxy upgrade risk. No admin key risk on core contracts.
Permissionless — anyone can create markets. No whitelist. This is a feature (open access) and a risk (malicious market creation).
~650 lines of Solidity — minimal code surface. Formally verified by Certora.
Oracle-agnostic — each market creator chooses their oracle. No oracle standardization. This is the root cause of the PAXG exploit and the cbETH stale price incident.

Morpho Vaults (MetaMorpho / V2):

Role-based access control: Owner (multisig), Curator (strategy), Allocator (execution), Sentinel (safety/veto)
7-day timelock recommended by leading curators (e.g., Steakhouse) for market onboarding; protocol minimum is 3 days
Vaults are NOT immutable — curators can change market allocations, set caps, and update parameters
Owner role compromise is the highest vault-level risk: a compromised Owner multisig can delegate harmful permissions to a malicious Curator
Best practice (Steakhouse): 5-of-N multisig for Owner; institutional MPC wallets recommended; never EOA for production Owner role

Governance multisig:

5/9 governance multisig implements DAO-approved actions
4/7 Guardian board retains control over protocol upgrades (separate from DAO voting — this is a PARALLEL POWER STRUCTURE)
Governance votes on Snapshot (off-chain); execution by the 5/9 multisig (on-chain)
24-hour post-vote timelock on governance actions (at minimum benchmark of 24 hours — see Lista DAO lesson; industry standard is 48-72hr for protocols of this scale)

Token Distribution and Vesting Analysis

Total supply: 1,000,000,000 MORPHO (hard cap) Circulating (March 2026): ~404 million (~40% of total)

Allocation	%	Notes
Morpho DAO	35.4%	Community-controlled treasury; grant programs + fee switch
Strategic Partners (VCs)	27.5%	Cohort 2 (16.8%): fully vested by Oct 2025 — SUPPLY OVERHANG RESOLVED; Cohort 3 (6.7%): vesting through May 2028
Founders	15.2%	Voluntarily relocked for additional 2 years from May 2025; fully vested May 2028
Morpho Association Reserve	6.3%	Ecosystem development
Contributors Reserve	5.8%	3-year vest, 6-month lockup
Users / Launch Pools	4.9%	Distributed as protocol rewards
Early Contributors	4.9%	Distributed to early builders

Key findings:

Cohort 2 VC tokens (~16.8%) were fully vested by October 2025. This was the largest potential supply overhang and has already passed. The supply pressure from VC selling is largely behind the market.
Founder relock is a genuine positive signal. 15.2% of 1 billion tokens = 152 million MORPHO. Voluntarily extending their lockup from the original 3-year schedule to an additional 2 years (through May 2028) is a financially self-dilutive commitment that cannot be explained by short-term extraction motives.
DAO grant programs issue 4%+ new supply annually while the fee switch remains inactive. This is a persistent inflation source that the governance forum has flagged as unsustainable.
Apollo’s acquisition of up to 90M tokens (if fully executed at current prices ~$1.80) = $162M inflow. This is structured demand offsetting the DAO emission pressure.

Token Price Analysis

Metric	Value
Token launch	November 21, 2024
All-time high	$4.17 (January 17, 2025)
All-time low	$0.7035 (October 10, 2025)
Current price (March 20, 2026)	~$1.80
ATH decline	-57%
ATL recovery	+156% from ATL
Market cap (CoinGecko)	~$972M
Circulating supply	~404M MORPHO
FDV	~$1.8B

Assessment: The MORPHO token launched in November 2024 at the height of a bull cycle. The ATH in January 2025 reflected post-launch euphoria + peak crypto market conditions. The ATL in October 2025 reflected: (1) broad crypto market correction, (2) Cohort 2 VC token unlocks (fully vested by Oct 2025), (3) Stream Finance contagion concerns. The recovery to $1.80 from $0.70 ATL is significant and preceded the Apollo announcement (which caused a 17.8% single-day pump). At $1.80, FDV is $1.8B for a protocol with $5.8B+ TVL — FDV/TVL ratio of ~0.31, reasonable by DeFi lending standards.

On-Chain Validation Gaps

UNRESOLVED (requires direct on-chain inspection):

Exact multisig signer identities for the 5/9 governance multisig are not publicly documented in sources retrieved
Guardian board (4/7) member identities not confirmed via web search
Exact composition of the “one wallet that held >50% of voting power” mid-2025 — anonymous wallet or known entity?

These require direct Etherscan/Snapshot inspection and represent the primary unresolved on-chain items.

Phase 4: Comparative Analysis & Red Flag Register

Historical Incident Chronology

Date	Incident	Funds Lost	Root Cause	Protocol Fault?
June 2023	Immunefi bug report (GothicShanon89238)	$0	Unspecified contract bug	YES — patched
Oct 13, 2024	PAXG/USDC oracle exploit	$230K	Curator misconfigured oracle decimals (12-decimal inflation)	NO (curator error)
Apr 11, 2025	Frontend vulnerability intercepted	$0 (white hat)	Frontend update bug	YES — frontend
Mar 2025	cbETH oracle stale price liquidation	~$33K (14 ETH)	Pyth push-oracle not synchronized	PARTIAL (oracle-agnostic design)
Nov 2025	Stream Finance contagion	$285M ecosystem	Elixir vault concentration in private Morpho vault	NO (curator concentration)

Adversarial pattern: Three of five incidents trace to the curator accountability gap. The protocol is technically not at fault in these cases — but the protocol’s design choices (oracle-agnosticism, permissionless private vaults, zero curator accreditation requirements) are the enabling conditions. The “it’s the curator’s fault” response is legally defensible but does not address the systemic risk.

Governance Centralization — Deep Analysis

The single most alarming finding in this investigation.

As of mid-2025, one wallet controlled more than 50% of active voting power in Morpho governance. The quorum threshold is 500,000 MORPHO — at a price of ~$1.80, this is approximately $900K. A single entity with $900K in MORPHO can pass a governance proposal with minimal opposition if participation remains low.

Structural factors:

Total circulating supply: ~404M MORPHO
DAO treasury: ~354M tokens (35.4% of supply)
If DAO treasury tokens are delegated to a single voting wallet, that wallet trivially controls >50% of delegated voting power
72-hour voting + 24-hour timelock is shorter than the 48-72 hour industry standard at this TVL scale

Parallel governance structure: The 4/7 Guardian board retains control over protocol upgrades independently of DAO token voting. The Guardian board is not directly elected by token holders through a transparent process — membership is governed by the Morpho governance itself. This creates a two-track governance system:

MORPHO token voting → routine governance decisions
Guardian board multisig → protocol upgrade decisions

The Guardian board concentration is the more dangerous vector: a 4/7 multisig is harder for token holders to override and operates with more opacity than Snapshot votes.

Red Flag Register

#	Flag	Evidence	Severity	Source
1	One wallet >50% voting power (mid-2025)	Morpho Governance Forum sustainability brief, Nov 2025	CRITICAL	forum.morpho.org
2	Curator accountability vacuum — no recourse for oracle failures	cbETH liquidation, PAXG exploit, Blockworks accountability piece	HIGH	Blockworks, Morpho docs
3	Stream Finance: $285M contagion via private Morpho vault	Elixir 65% reserve concentration in Stream	HIGH	Multiple news sources, MEXC
4	Permissionless market creation = potential malicious market deployment	Same design pattern that enabled Penpie/Pendle exploitation	HIGH	Framework analogy
5	Guardian board (4/7) upgrade power separate from DAO	Parallel governance power, undisclosed signer identities	HIGH	docs.morpho.org
6	Governance quorum exploitable at ~$900K threshold	500K MORPHO = $900K at current prices	HIGH	forum.morpho.org
7	24-hour post-vote timelock below 48-72hr industry standard	At $5.8B TVL, 24hr provides limited protection	MEDIUM	Industry benchmark comparison
8	Oracle-agnostic design enables diverse attack surfaces	PAXG decimal misconfiguration, cbETH Pyth delay	MEDIUM	Protocol design
9	Apollo 9% governance acquisition = TradFi governance influence	Future governance voting by $940B AUM TradFi firm	MEDIUM	CoinDesk, Morpho blog
10	DAO token emissions (4%+ supply/year) exceeding market demand	No fee switch activation, two active grant programs	MEDIUM	forum.morpho.org sustainability brief
11	April 2025 frontend vulnerability	$2.6M intercepted by c0ffeebabe.eth; no loss but near-miss	MEDIUM	CoinTelegraph, multiple
12	Coinbase investor + product customer dual role	Potential preferential treatment in product development	LOW-MEDIUM	Structural
13	Mathis and Julien background not independently verified	Less public presence than Frambot/Egalite	LOW	Absence of evidence
14	Discord abandoned due to phishing epidemic	Team cited scam prevalence; less community visibility	LOW	Co-founder statements

Comparative Analysis: Structural Similarities to Known Failure Modes

Comparison: Penpie/Pendle permissionless market attack surface The most structurally analogous prior case in this series. Pendle’s permissionless market creation enabled the Penpie $27M hack. Morpho’s permissionless market creation is the same architectural choice. The difference is that Morpho Blue’s oracle-agnostic design means malicious markets primarily harm vault depositors who choose to supply to them, not the core protocol. Isolation is Morpho’s key differentiating protection — but isolation does not eliminate risk, it contains it.

Comparison: Compound V2 oracle manipulation (historical) The PAXG oracle misconfiguration ($230K) is structurally similar to oracle manipulation attacks on earlier lending protocols. Morpho’s immutable core contracts mean it cannot be patched after deployment — but the curator layer is where this risk lives. The protocol correctly pushed responsibility to curators; the question is whether curators are sufficiently accountable.

Comparison: Threshold Network’s governance multisig The Guardian board structure parallels Threshold’s “Bridge has no timelock” finding in a prior investigation. A multisig with upgrade power and undisclosed signers, operating in parallel to DAO governance, is a recurrent structural risk in DeFi. At Morpho’s scale ($5.8B TVL), the Guardian board risk is more material than it was at Threshold.

What Morpho does NOT share with known rug pulls:

Anonymous/unverifiable founders (all four founders identified, two with strong independent verification)
No Tier 1 audit coverage (Morpho has Spearbit + Trail of Bits + Certora)
Token vesting abuse (founders voluntarily relocked)
Absence of legitimate investors (a16z, Ribbit, Pantera, Coinbase)
Single-exploit catastrophic failure (isolated market design has prevented systemic failures)

Final Verdict

Fraud probability: Near zero. Structural risk: MEDIUM, concentrated in governance and curator accountability.

Morpho is the most technically and institutionally credible DeFi lending protocol reviewed in this investigation series. The EF $19M deployment, Apollo cooperation agreement, 25+ Tier 1 audits, Certora formal verification, immutable core contracts, and founder voluntary relock create an adversarial ceiling that rules out exit scam scenarios with high confidence.

The genuine risk profile is:

For vault depositors: You are trusting curators who have no regulatory license, no mandatory disclosure requirements, no accountability when oracle misconfigurations cause losses, and who earn performance fees regardless of whether their risk decisions serve your interests. The cbETH liquidation and Stream Finance contagion demonstrate that this risk is real and recurring. Before depositing into any Morpho vault, investigate the curator’s identity, their multisig composition, their timelock settings, and their track record.

For MORPHO token holders: The governance concentration (one wallet >50% voting power, $900K quorum threshold) is the single most alarming on-chain finding in this report. A sufficiently capitalized actor can push through governance proposals with minimal resistance. The 4/7 Guardian board upgrade power is a parallel attack surface with even less transparency. These risks are architectural and cannot be mitigated by tokenomics alone.

For institutional integrators (Coinbase, Strike, etc.): The immutable core contracts and formal verification are genuine strengths. The curator risk is partially mitigated if you control your own curator (as Coinbase implicitly does for its loan product). For white-label use cases with controlled curator infrastructure, Morpho’s risk profile is significantly better than for passive vault depositors.

The Apollo governance question: If Apollo executes the full 90M token acquisition over 48 months, they become a 9% token holder in a DAO where 50%+ of voting power is concentrated and quorum is achievable at $900K. The governance implications at completion depend on how broadly voting power has distributed by that point. A TradFi firm with $940B AUM acquiring decisive governance influence in a DeFi protocol is not inherently bad — but it changes the nature of the DAO fundamentally.

Unresolved Questions

Who is the wallet controlling >50% of Morpho voting power? This is the highest-priority unresolved question. Is it the Morpho Association itself (which would be transparent if disclosed), a VC fund, or an anonymous actor? This requires direct Snapshot inspection. If it’s the Association/DAO treasury, it is explainable. If it’s an unaffiliated wallet, it is alarming.
Guardian board (4/7) signer identities — who holds the protocol upgrade keys? Independent of MORPHO token voting, the Guardian board can execute protocol upgrades. The composition is not surfaced in publicly available documentation retrieved.
Vault curator accreditation standard — Morpho’s documentation recommends curators use 5-of-N multisigs. Is this a recommendation or an enforced minimum? If a curator is operating with a 2-of-3 multisig or a single EOA, that vault’s security is dramatically lower than the protocol’s aggregate security posture implies.
Fee switch activation timeline — The DAO controls a fee switch that would direct protocol revenue to MORPHO token holders. The fee switch has not been activated as of investigation date. Activation would change the token’s economic rationale materially and would create potential regulatory reclassification risk (security-like characteristics). The timing and structure of fee switch activation is an unresolved governance decision with material implications.
Stream Finance private vault counterparty — Who was the actual borrower in the Stream Finance private Morpho vault that received $68M of Elixir’s deUSD reserves? Was the concentration disclosed to Elixir depositors before the collapse?

Report prepared using adversarial due diligence framework. All conclusions subject to revision upon new on-chain or regulatory data. Not financial advice.