Position isolation
Every position gets its own UserProxy clone contract, deployed at the time the position is opened. One user’s problems cannot spill over to another, and multiple positions from the same user are also fully isolated from each other. The proxy only accepts calls from the FlashLeverage contract during normal operation. Users cannot call it directly unless Manual Mode has been explicitly enabled by the owner on that specific proxy.
Reentrancy protection
All state-changing functions are protected with OpenZeppelin’s nonReentrant guard. Flash loan callbacks are validated to only accept incoming calls from the Morpho contract address, blocking any attempt to invoke the callback from an external source.
Liquidation buffer
The 0.25% safety buffer below Morpho’s liquidation LTV is a compile-time constant. It cannot be changed after deployment, regardless of owner configuration. Every leverage and borrow operation validates that the resulting LTV stays within this bound before execution proceeds.
Input validation
Every state-modifying function validates inputs before executing. Zero addresses and zero amounts are rejected, collateral tokens must be registered in supported markets, positions must be open, and the resulting LTV must remain within safe bounds. Operations that would push a position toward liquidation revert.
Ownership and fee caps
Ownership uses OpenZeppelin’s Ownable2Step, requiring a two-step acceptance process before any transfer completes. Ownership renunciation is intentionally disabled so the protocol always retains administrative capability for emergency response. Fee caps are hardcoded constants that cannot be exceeded regardless of owner configuration:
- Yield fee maximum: 10%
- Deposit fee maximum: 1%
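The liquidation buffer and the fee caps described above both rely on bounds that live in bytecode rather than in storage. The sketch below is an added illustration, not the protocol's own code: the contract and function names, the WAD scaling (1e18 = 100%), the subtractive reading of the 0.25% buffer, and the minimal owner check (used here in place of Ownable2Step to stay self-contained) are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative only: all names here are hypothetical, not the protocol's.
contract BoundedConfigExample {
    uint256 internal constant WAD = 1e18; // assumed scaling: 1e18 = 100%

    // Constants are inlined into bytecode. No setter or storage write can change them.
    uint256 public constant LTV_SAFETY_BUFFER = 0.0025e18; // 0.25%
    uint256 public constant MAX_YIELD_FEE = 0.10e18;       // 10%
    uint256 public constant MAX_DEPOSIT_FEE = 0.01e18;     // 1%

    address public immutable owner; // minimal stand-in for Ownable2Step
    uint256 public yieldFee;        // owner-configurable, but only below the caps
    uint256 public depositFee;

    error NotOwner();
    error FeeAboveCap(uint256 requested, uint256 cap);
    error ZeroCollateral();
    error LtvAboveSafeBound(uint256 ltv, uint256 maxLtv);

    constructor() {
        owner = msg.sender;
    }

    function setFees(uint256 newYieldFee, uint256 newDepositFee) external {
        if (msg.sender != owner) revert NotOwner();
        if (newYieldFee > MAX_YIELD_FEE) revert FeeAboveCap(newYieldFee, MAX_YIELD_FEE);
        if (newDepositFee > MAX_DEPOSIT_FEE) revert FeeAboveCap(newDepositFee, MAX_DEPOSIT_FEE);
        yieldFee = newYieldFee;
        depositFee = newDepositFee;
    }

    /// Reverts unless debt / collateralValue <= lltv - LTV_SAFETY_BUFFER.
    /// Assumes both amounts are already denominated in the loan token.
    function checkLtv(uint256 debt, uint256 collateralValue, uint256 lltv)
        public
        pure
        returns (uint256 ltv)
    {
        if (collateralValue == 0) revert ZeroCollateral();
        // Round up so integer truncation never makes a position look safer than it is.
        ltv = (debt * WAD + collateralValue - 1) / collateralValue;
        // Checked arithmetic in 0.8.x reverts here if lltv is smaller than the buffer.
        uint256 maxLtv = lltv - LTV_SAFETY_BUFFER;
        if (ltv > maxLtv) revert LtvAboveSafeBound(ltv, maxLtv);
    }
}
```

When reviewing a deployment for this property, the thing to confirm is that the bound is declared `constant` and that no function writes to it; a cap held in an ordinary storage variable with an owner-only setter does not provide the same guarantee.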
Swap security
Only routers explicitly whitelisted by the owner can execute swaps within the protocol. Every swap validates output against the caller-provided minTokenOut parameter and reverts if the output falls short. User proxy contracts cannot be registered as swap routers, preventing the owner from routing swap calls through a user’s proxy to manipulate their Morpho position.
If a router is compromised or behaves unexpectedly, the owner can remove it from the whitelist.
Emergency mechanisms
Pause: The owner can pause all position operations in an emergency. This covers opening, closing, and all active management functions including deleverage and withdrawCollateral.
Manual Mode: If funds become stuck in a UserProxy for any reason, the owner can enable manual mode on that proxy upon the user’s request. Once enabled, only the position owner (user) can interact with Morpho directly to repay debt or withdraw collateral. Enabling manual mode does not give the owner access to or control over user funds.
Token recovery: The recover() function on UserProxy lets position owners retrieve any ERC20 tokens that landed in the proxy by accident or accumulated as external rewards.