There’s a gap in how permission risk is audited and monitored.
Our team is going deep on access control configurations across assets to tackle exposure to one of DeFi’s biggest risk vectors.
Interesting how legitimate this looks from the UI, and good to explain what depositors can check before their USDC gets routed into something like this.
At the block I checked, the market had about 7.734m USDC supplied and 7.734m USDC borrowed. One account, `0xe38a...Dc4C`, has effectively all of the borrow against 9.6517m AZND collateral.
On the surface, this looks like a stablecoin lending market:
- USDC loan asset
- AZND collateral
- 86% LLTV
- current LTV around 80%
The catch is the oracle, `0x270B...5588b`, which shows:
```
BASE_FEED_1 = 0x0
BASE_FEED_2 = 0x0
QUOTE_FEED_1 = 0x0
QUOTE_FEED_2 = 0x0
BASE_VAULT = 0x0
QUOTE_VAULT = 0x0
SCALE_FACTOR = 1e24
price() = 1e24
```
For 18-decimal AZND against 6-decimal USDC, `1e24` is the Morpho-scaled version of "1 AZND = 1 USDC".
So the oracle path has no external price input: no base feed, no quote feed, no vault conversion route.
`price()` just returns the scale factor, and the market treats AZND as $1.
If AZND is not actually redeemable at par, the borrower does not need a price manipulation attack. They can default and leave lenders with AZND collateral.
The Alpha USDC Asia V2 vault is more or less the exclusive supplier to this market through a Morpho adapter. That adapter's supply shares convert to about 7.713m USDC, or roughly 99.72% of the market supply. Depositors here look legit, so the vault is acting as an abstraction to trap unsuspecting depositors...
Vault control is concentrated too:
```
owner = 0xEB4A...4645
curator = 0x6788...9Da5
```
(Both are allocators - yay)
If AZND fails to hold par, the market is left short USDC relative to lender claims, with AZND as the recovery asset.
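
The oracle check walked through above can be scripted so a depositor or monitor can repeat it. This is an added example, not code from the original post or from Morpho: it takes the getter values quoted in the post, flags an oracle with no external price input, and recomputes the LTV and the lender shortfall if AZND is worth less than par. The function names and the 0.50 stress price are assumptions chosen for illustration.

```python
from decimal import Decimal

ORACLE_PRICE_SCALE = 10**36  # Morpho Blue scales oracle prices by 1e36
INPUT_SLOTS = ("BASE_FEED_1", "BASE_FEED_2", "QUOTE_FEED_1",
               "QUOTE_FEED_2", "BASE_VAULT", "QUOTE_VAULT")

# Getter values as quoted in the post for oracle 0x270B...5588b.
ORACLE = {slot: "0x0" for slot in INPUT_SLOTS}
ORACLE.update(SCALE_FACTOR=10**24, price=10**24)

def external_inputs(oracle):
    """Feed/vault slots that point at a non-zero address."""
    return [s for s in INPUT_SLOTS if int(oracle[s], 16) != 0]

def is_hardcoded(oracle):
    """True when no slot is set and price() equals the bare scale factor."""
    return not external_inputs(oracle) and oracle["price"] == oracle["SCALE_FACTOR"]

def implied_price(oracle, collateral_decimals, loan_decimals):
    """Whole loan tokens per whole collateral token implied by price()."""
    raw = Decimal(oracle["price"]) * 10**collateral_decimals
    return raw / (ORACLE_PRICE_SCALE * 10**loan_decimals)

def ltv(borrowed_raw, collateral_raw, oracle):
    """Borrow divided by oracle-valued collateral, both in raw loan-token units."""
    collateral_value = collateral_raw * oracle["price"] // ORACLE_PRICE_SCALE
    return Decimal(borrowed_raw) / Decimal(collateral_value)

def shortfall(borrowed, collateral, true_price):
    """Loan tokens lenders cannot recover if collateral is worth true_price."""
    return max(Decimal(0), Decimal(borrowed) - Decimal(collateral) * Decimal(true_price))

if __name__ == "__main__":
    borrowed, collateral = 7_734_000, 9_651_700  # approximate figures from the post
    print("hardcoded oracle:", is_hardcoded(ORACLE))
    print("implied AZND price in USDC:", implied_price(ORACLE, 18, 6))
    print("LTV:", round(ltv(borrowed * 10**6, collateral * 10**18, ORACLE), 4))
    print("shortfall at 0.50 (assumed):", shortfall(borrowed, collateral, "0.50"))
```

The on-chain LTV stays near 80% whatever AZND trades at, because the oracle never moves; only the shortfall calculation with an independently sourced price shows the lender exposure.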