1/ Millions in bad debt, at the time of writing, were created across Gauntlet's Morpho vaults from the Resolv USR exploit.
Almost all of it was supplied **after** the exploit.
So why would curators supply millions in USDC to a broken market?
Let’s dive in.

2/ The original impact of the exploit was $4.9k USD in USDC borrowed against USR.
This was before curators began auto-supplying USDC.
Morpho has a core feature named “Public Allocator”, allowing curators to automatically supply capital to “markets in need”.

3/ Autoallocations are based on pre-configured and approved caps and credit lines.
Multiple curators, including Gauntlet, re7, kpk, and 9summits, had enabled automatic supply to Resolv markets.
Notably, Steakhouse, despite being Resolv’s risk manager, had no exposure to the protocol.

4/ The logic of this feature is to capitalize on periods of high utilization (and higher yields) on those venues.
However, in this case, it meant that for hours after the exploit, curators kept feeding their users’ capital to the “broken” markets.

5/ Let’s examine how this played out for the wstUSR/USDC Morpho lending market.

6/ First of all, this market has hardcoded oracles (which were explored in the previous thread).

1/ Resolv's USR stablecoin was exploited for $25M.
There’s significant contagion across Morpho vaults, lending markets, and protocols.
USR was collateral across multiple lending markets/vaults.
Many used hardcoded pricing without risk guardrails.
written with Chaos AI

7/ Now, we clearly see that Gauntlet and other curators began supplying USDC to these markets **after** the exploit at 2:20 UTC.
Gauntlet allocations began 20 min after, at 2:41 UTC.

8/ So if Gauntlet was supplying, who was borrowing?

9/ Onchain, we see several wallets invoking borrow requests immediately after each incremental Gauntlet USDC core autoallocation.
This persisted for around 90 minutes, until it was presumably noticed and then turned off.
Others, like 9summits, continued to supply for 10 hours.

10/ Per the documentation, the goal of the Public Allocator is to offer deeper liquidity and better UX.
In this case, borrowers got a better UX, for sure.
Obviously, this is not the intended use of this functionality when curators enabled it.

11/ In total, USDC exit liquidity was provided to Morpho Market USR borrowers through Morpho vault curators for hours after the exploit.
This amounts to roughly $6.2m in exit liquidity, 96% of which is from Gauntlet vaults.

12/ Curators are meant to do more than route capital or “optimize the yield”.
Their role is to apply judgment, especially during stress or live incidents.

13/ If the risk curation does not result in timely intervention, the system is not meaningfully different from an automated allocator sitting atop smart contracts with pause buttons while collecting fees.

14/ Takeaway #1
Automations can be great... if you know how to manage them.
The public allocator is framed as an elegant solution.
Caps are even offered, but the actual implementation, instrumentation, and risk management live with curators.

15/ Automations without automated circuit-breakers are liabilities, not features.
This was further exacerbated by the fact that Morpho markets are immutable and, in this instance, configured with hardcoded oracles.

16/ A public allocation function that can be invoked by anyone during a live exploit against a hardcoded oracle is an automatic credit line for attackers.
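
An added example, not from this thread and not Morpho's or any curator's code: a minimal off-chain circuit breaker of the kind 15/ and 16/ call for. It halts automated allocations when an independent market price diverges from the lending market's oracle price, or when inflows keep being absorbed at full utilization. The class name, thresholds, and tick data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Tick:
    minute: int          # minutes since monitoring started
    oracle_price: float  # price the lending market uses (a hardcoded oracle never moves)
    market_price: float  # independent secondary-market price of the collateral
    utilization: float   # borrowed / supplied in the target market
    requested: float     # USDC the allocator is asked to move into the market

class AllocationBreaker:
    """Hypothetical off-chain guard that gates each automated reallocation."""
    def __init__(self, max_deviation=0.02, max_util=0.98, window=30, max_window_flow=500_000):
        self.max_deviation, self.max_util = max_deviation, max_util
        self.window, self.max_window_flow = window, max_window_flow
        self.history = []          # (minute, amount) of approved allocations
        self.tripped_reason = None

    def approve(self, t: Tick) -> float:
        """Return the USDC amount allowed for this tick; 0.0 once tripped."""
        if self.tripped_reason:
            return 0.0             # stays halted until a human resets it
        deviation = abs(t.oracle_price - t.market_price) / t.oracle_price
        if deviation > self.max_deviation:
            self.tripped_reason = f"oracle/market deviation {deviation:.0%} at minute {t.minute}"
            return 0.0
        recent = sum(a for m, a in self.history if t.minute - m < self.window)
        if t.utilization >= self.max_util and recent + t.requested > self.max_window_flow:
            self.tripped_reason = f"inflows absorbed at full utilization at minute {t.minute}"
            return 0.0
        self.history.append((t.minute, t.requested))
        return t.requested

def run(ticks, breaker=None):
    """Total USDC supplied; without a breaker every request within caps is filled."""
    return sum(breaker.approve(t) if breaker else t.requested for t in ticks)

# Constructed sample: collateral depegs at minute 20 while the oracle stays at 1.0.
TICKS = [
    Tick(0, 1.0, 1.00, 0.80, 100_000),
    Tick(10, 1.0, 0.995, 0.85, 100_000),
    Tick(20, 1.0, 0.60, 0.99, 300_000),
    Tick(40, 1.0, 0.55, 1.00, 300_000),
    Tick(60, 1.0, 0.50, 1.00, 300_000),
]

if __name__ == "__main__":
    guard = AllocationBreaker()
    print("no breaker:", run(TICKS))
    print("with breaker:", run(TICKS, guard), "|", guard.tripped_reason)
```

The second check does not depend on a price feed, so it still trips when the independent price source is unavailable and the only signal is borrowers draining each new allocation.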

17/ As a curator, blindly supplying liquidity to any market is dangerous.
Underlying protocols, or asset issuers, can change their access control permissions, offchain setups, etc.
Literally anything!

18/ From a user's perspective, this instantly changes the vault's risk profile for the deposit they made.
Auto-allocation to markets that suddenly surge in demand is dangerous and must be communicated if enabled.
Risk management is a 24/7/365 responsibility.

19/ Now to briefly touch on the Steakhouse risk assessment, published 5 days ago.
Steakhouse was recently engaged as Resolv's risk manager and published this report.

20/ The risk assessment explicitly covered the exact class of exploit that happened today.
Steakhouse concluded that Resolv “demonstrates institutional rigor”, is "designed to handle these crises via automated mechanisms," and relies on "time-tested components for token minting and redemption logic."
That matters because risk assessments such as this can shape downstream allocation and other curators/operators’ comfort with an asset or market.

21/ As mentioned here, it's still unclear how all of this will materialize.
x.com/omeragoldberg/status/20…
Hopefully, we'll see a remediation path that makes lenders whole.

16/ It is currently unclear how the remaining impact from this exploit will materialize.
$80M was artificially minted, with the previous USR supply of ~100M effectively representing ~55-60 cents of “backing” on the dollar.