Summary

• No user funds were compromised
• Two Morpho markets configured by the Steakhouse team used an incorrect number of decimal places in the oracle setup, leading to a situation where borrowers could have drained loan assets from any allocated vaults
• The market IDs in question are:
  • wstETH/wM ID: 0xdf99a1e09b2a05d0f54a5fc4cc3de7ba9372eb0b7793cee58a18c385394bc05a
  • WBTC/wM ID: 0xcc6fbc7f375c5d8206667dd9b1beac424983b2a5c850f1d429499fcc574ddb6c
• The Steakhouse team was also notified by a white hat disclosure, and we are grateful for their diligence and responsiveness
• The Steakhouse wM vault that allocated liquidity to these two markets is still in the process of being set up and only contained liquidity from one user, who we notified and who withdrew
• Both markets have been removed from Steakhouse wM and do not contain any new user funds

Root causes

• The error was introduced during the market creation process
• Our process relies on creating a seed position to bootstrap a Morpho market to ensure that the LTV ratio of the market is coherent to allow us to detect errors, such as decimal configurations, during the oracle setup
• A bug during the check process did not display the error on the affected markets ahead of execution

Action items

• New market creation scripts to create market using decimals from on-chain token contracts to ensure correct settings (no more manual configuration)
• Additional and redundant checks performed for new markets prior to and post vault addition
• We also added a reviewer as we have expanded the team