Morpho Market Migration Review

1

Summary

Timeline: From 2025-02-25 To 2025-02-28

Total Issues: 2 (0 resolved, 1 partially resolved)

Notes & Additional Information: 2 (0 resolved, 1 partially resolved)

Scope

OpenZeppelin received and reviewed the proposal payload for the upcoming Compound <> Morpho <> Polygon Collaboration. This proposal post describes sending $1.5 million worth of COMP tokens to the newly launched Morpho lending vaults on Polygon.

The scope of this review is limited to the simulating and tracing of the execution steps of the calldata. The scope DOES NOT include a full, in-depth audit of the contracts involved or the functions being called. For example, the Morpho vaults themselves were not in scope. We verified that each on-chain Morpho vault matches their audited repository version and the reader can review audits of these contracts here.

Any figures and on-chain data were confirmed as of block 21975895 (4nd March 2025 8:23PM GMT).

Proposal Overview

​The Compound <> Morpho <> Polygon Collaboration proposal outlines a collaboration between Compound, Morpho, and Polygon to launch Morpho-powered lending vaults on the Polygon network. This initiative involves a joint incentive program, with both Polygon and Compound contributing $1.5 million each to encourage user participation.

By integrating Morpho’s technology, Compound can enable faster asset listings and dynamic parameter adjustments, bypassing the traditional governance process that typically requires proposals to modify the protocol’s operations and comet parameters. Once deployed, the vaults and markets will be immutable, ensuring that Compound retains ownership unless it makes explicit renunciation via the governance process. The combined incentive pool of $3 million from Polygon and Compound aims to attract users and liquidity providers, enhancing the protocol’s growth and sustainability.

Execution Steps of the Calldata

The proposal was simulated was found to be well-formed with correct execution path. The proposal encodes four calls:

Call 1 - Grant COMP

This call transfers 25,565 COMP from Compound’s Unitroller to Compound’s Timelock on Ethereum mainnet

  • function: _grantComp(address recipient, uint256 amount)
  • target: Unitroller
  • recipient: Mainnet Timelock
  • amount: 25,565e18 (i.e., 25565 COMP)

Call 2 - Approve Bridge Spend

This call approves the Polygon’s ERC-20 bridge contract to spend the 25,565 COMP tokens from the Ethereum mainnet.

Call 3 - Transfer COMP to Multisig

This call moves the 25,565 COMP tokens from the Ethereum mainnet to the multisig wallet on Polygon.

  • function: depositFor(address user, address rootToken, bytes depositData)
  • target: Polygon Bridge
  • user: Multisig
  • rootToken: COMP Token
  • depositData: 0x000000000000000000000000000000000000000000000569e1a532d32d540000

The depositData value is simply the COMP token amount (25,565) that is to be bridged. The multisig
contract currently has a threshold of three for its six owners who are:

Call 4 - Accept Ownership of Morpho Vaults

This call sends a message to Compound’s Timelock contract on Polygon to accept the ownership of the Morpho vaults.

Each vault has set Compound’s Timelock as its pending owner. The current owner of these vaults is a multisig contract at address 0xC684c6587712e5E7BDf9fD64415F23Bd2b05fAec. It shares one owner with the multisig above and has a threshold of 4 of 7. Its owners are:

Trust Assumptions

This proposal includes granting a multisig not controlled by the DAO a non-trivial alottment of COMP. It is not in our scope to evaluate the trustworthiness of parties and therefore we neither endorse nor oppose them as custodians. For this analysis however, we do assume that the custodial multisig will manage and maintain these contracts as described in the proposal, to the best of their abilities, and in good faith.

It is assumed that the contracts, including the Fx-Portal, the Polygon ERC-20 bridge, and the Morpho contracts, are secure and work as intended. We also assume that each vault is correctly configured and will be in the future as Gauntlet administers them. We also assume that the current vault owners will not revoke the Timelock’s pending ownership before it can take ownership itself (via proposal execution). We will verify this as the proposal progresses.

Notes & Additional Information

Multisig Documentation

We value openness as a key part of the blockchain and a key part of openness is transparency. Already, the documentation for the Compound ecosystem is becoming inaccurate. For example, the central Governor contract address has not been updated on Compound’s docs since it was upgraded. The special role of the multisig in the ecosystem should be documented somewhere so that the community is aware of its role and signers.

Consider documenting the multisig signers in the proposal and its address in the official Compound documentation.

Update: Acknowledged.

COMP Amount Not Specified in Proposal Description

At the time of this writing, the COMP/USD price given by Chainlink is $50.0396. This values the 25,565 COMP tokens being sent to the Morpho Vaults at $1.28 million, which is roughly $220,000 short of the $1.5M USD stated in the proposal description.

Update: Partially Resolved. We asked the Gauntlet team about this discrepancy and they explained that they are using a 30-day time-weighted-average-price ending on 24 Feb to compute a price of $58.673 for their calculation. This yields the proposal’s 25,565 COMP.

Conclusion

OpenZeppelin conducted a review of Gauntlet’s calldata for their recent Compound <> Morpho <> Polygon Collaboration forum proposal description. Our report offers a summary of the proposed call data, the assumptions we have about the proposal, and two notes to the community.