Hash (SHA1) of this article: 076a1b56e11511337f19b67077798752a070da2f
No.: PandaLY Security Knowledge No.048
After Trump's successful election, Ethereum also rose, and Morph, a Layer 2 built on top of Ethereum that has just completed its mainnet launch, has attracted much attention. On the one hand, its $20 million seed round is substantial and it has the backing of many top exchanges and project teams. On the other hand, it is the first to position itself around the concept of a consumer-grade L2, and it stands out in the crowded Layer 2 track with its "female CEO IP" plus "trendy Web3 merchandise".
So, what are the highlights of the star-studded Morph project? Is this project worth continued attention (increasing holdings) from a security perspective? Let’s follow PandaLY to learn about this project today.
Morph was founded in 2022 and is positioned as a consumer-grade Layer 2. It aims to become a hub for the resources developers need to build and scale mass-market applications. Morph adopts a hybrid technical solution combining ZK and Optimistic Rollup, and is equipped with a decentralized sequencer network, with the goal of offering mainstream users unlimited application possibilities.
The mainnet was officially launched on October 30 this year. Its testnet registered more than 6 million wallet addresses, successfully executed more than 100 million transactions, saw more than 200 projects deployed, and had more than 1 million community members participating. The seed round was led by Dragonfly Capital, with Pantera Capital, Foresight Ventures, The Spartan Group, MEXC Ventures and other institutions investing $19 million, and the founders of Polygon, Manta, Galxe, Sei, Nansen and others investing $1 million. These institutions and well-known individuals have provided strong endorsements for Morph.
Morph's well-known followers on X include The Block CEO Larry Cermak, Nansen CEO Alex Svanevik, LayerZero CEO Luca Netz, Gitcoin founder Scott Moore and others, which has earned it a degree of endorsement and support on social media. In addition, Bitget Exchange, with its 40 million users, has supported Morph with wallet integration and user resources, giving Morph a large inflow of traffic in its early stage.
Since the launch of the Morph mainnet, 54 ecosystem projects have connected, including some well-known ones, and Morph has launched incubation activities such as "Morph Zoo", the "Morph Ecosystem Fund", the "Builder Support Program" and the "Ambassador Program" to support its sustainable development. In addition, Vitalik was invited to the popular Token2049 event this year, and many offline events have been held one after another, quickly accumulating users.
Morph has the advantage of EVM compatibility, which lets Ethereum developers join seamlessly. In addition, in Morph's operating mechanism, the decentralized sequencer network allows multiple nodes (sequencers) to participate in batching and sequencing transactions, rather than a single node controlling it. This allows Morph to find its own point of innovation in the crowded Layer 2 market, gradually consolidate its market position, and become a dazzling new star in the Layer 2 field.
Morph has introduced the RVP (responsive validity proof) mechanism. It is similar to being a copywriter in a large company: originally you needed five levels of review to settle the final version of the content, but now only a chief editor who specializes in reviewing manuscripts needs to review it, which greatly improves efficiency. Compared with the PoW mechanism, where workers are paid by the piece, and the PoS mechanism, where the board of directors is centralized, the RVP mechanism genuinely reduces costs, increases efficiency, and works in the workers' favour. For Morph, which focuses on consumer-grade Layer 2, this quickly differentiates it from other Layer 2s, but is it just a "concept gimmick" or an "innovative concept" that benefits the general public? That will take time to verify; after all, the mainnet has only just launched.
After the mainnet launch, Morph will take another important step toward full decentralization of its key L2 components. It will also weigh the richness of the ecosystem and launch a Layer 3 at the right time to achieve a higher level of scaling, taking another stride toward its vision of a "consumer-grade L2".
The current Layer 2 landscape is more like the Three Kingdoms period: before the world is divided into three, no one knows who will survive to the end. Code and users are its armies. If the pace of recruitment slows one day, we must pay attention to security issues.
Security Tips:
From a security perspective, Morph is currently promoted more heavily in Asia and has stronger resources behind it, but it has less publicity in Europe and the United States and has not undergone a security audit, so certain risks remain. According to the official GitHub repository, Morph has been updated from version 0.2.0 to version 0.4.0, and an audit competition was announced on September 2 with a 180,000 USDC reward pool for valid findings. After the audit competition, Morph v0.4.0 was released to fix the vulnerabilities found.
One of the fixes addresses misleading logs:
This item refers to identifying and correcting log messages in a system or application that are inaccurate, ambiguous, or lacking context, so that the logs truly and clearly reflect system state and events. Specific measures include regularly reviewing existing logs, improving the logging mechanism, unifying log formats and level management, using log templates and automation tools, and training team members to follow logging guidelines. Fixing misleading logs improves the efficiency of problem diagnosis, strengthens system monitoring and security, streamlines development and operations processes, and reduces miscommunication, thereby improving the reliability, maintainability and overall operational value of the system.
Another audit item is "Challenge state with batch header", which covers:
State Challenge
In an Ethereum Layer 2 Rollup system, all transactions are first executed on the second-layer chain, and their resulting state is eventually submitted to the main chain (Ethereum mainnet). A state challenge refers to verifying whether these submitted states are correct and whether there is an effective mechanism to resolve state inconsistencies or fraud.
For example, in an Optimistic Rollup, when a state is submitted the system allows a challenge period during which other users can raise a challenge if they believe the state update is incorrect. This part of the audit checks whether there is a mechanism that correctly handles these challenges and ensures that invalid state updates are not finalized.
Batch Header
A batch header on the second-layer chain usually refers to the metadata of a batch containing multiple transactions or state updates, similar to the metadata of a batch job. Even without batch processing, the state of the second-layer chain is still submitted to the main chain in the form of batches. The metadata of these batches (including timestamps, transaction counts, root hashes, etc.) must be recorded and verified correctly.
The audit checks the integrity and accuracy of batch header information to ensure that headers correctly point to the actual state updates and to prevent data tampering.
State synchronization and consistency
In the Rollup model of the second-layer chain, the process of challenging a state also involves how the state of the second-layer chain and the main chain are synchronized, so that the state of the two chains remains consistent. During the audit, it is necessary to check whether there are loopholes that would allow an inconsistent state to be accepted or submitted.
For example, in a ZK-Rollup, state updates are verified through zero-knowledge proofs (ZKP), and the correctness of those proofs also needs to be checked by the audit.
Preventing malicious activity and fraud
The audit also needs to check whether the second-layer chain system provides sufficient protection mechanisms to prevent malicious users from committing fraud through incorrect state submissions or tampering with batch header data. In an Optimistic Rollup in particular, malicious challenges and false state submissions require special attention.
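To make the "challenge state with batch header" idea concrete, here is an added toy model written for this article (it is not Morph's contract code): the L1 side stores only a hash of each batch header, so a challenge must present the full header and prove it matches the commitment, a proven-fraudulent batch is reverted together with every batch built on it, and a state root counts as final only once the challenge window has elapsed. `toy_execute` is a constructed stand-in for the fraud/validity proof and `CHALLENGE_WINDOW` is an assumed value.

```python
import hashlib
from dataclasses import dataclass, asdict
ZERO_HASH = "00" * 32
CHALLENGE_WINDOW = 100  # challenge period in L1 blocks (constructed value, not Morph's)

@dataclass(frozen=True)
class BatchHeader:  # batch metadata posted to L1: chain link, state roots, tx count, timestamp
    index: int
    parent_hash: str
    prev_state_root: str
    post_state_root: str
    tx_count: int
    timestamp: int
    def hash(self) -> str:
        return hashlib.sha256(repr(sorted(asdict(self).items())).encode()).hexdigest()

def toy_execute(header: BatchHeader) -> str:
    """Constructed stand-in for re-executing a batch; a real rollup uses a fraud/validity proof."""
    return hashlib.sha256(f"{header.prev_state_root}:{header.tx_count}".encode()).hexdigest()

class RollupContract:
    """Toy L1 contract: stores only header hashes, so a challenger must present the full header."""
    def __init__(self, genesis_root: str):
        self.committed = {}  # index -> (header_hash, L1 block at commit)
        self.tip_root = genesis_root

    def commit_batch(self, header: BatchHeader, l1_block: int) -> None:
        tip = len(self.committed) - 1
        parent = self.committed[tip][0] if tip >= 0 else ZERO_HASH
        if (header.index, header.parent_hash, header.prev_state_root) != (tip + 1, parent, self.tip_root):
            raise ValueError("batch does not extend the committed chain and state tip")
        self.committed[header.index] = (header.hash(), l1_block)
        self.tip_root = header.post_state_root

    def challenge(self, header: BatchHeader, l1_block: int) -> bool:
        stored_hash, committed_at = self.committed[header.index]
        if header.hash() != stored_hash:
            raise ValueError("header does not match committed batch")  # challenge bound to real batch
        if l1_block > committed_at + CHALLENGE_WINDOW:
            raise ValueError("challenge window closed")
        if toy_execute(header) == header.post_state_root:
            return False  # batch was honest, challenge fails
        for i in range(header.index, len(self.committed)):  # fraud proven: drop this batch
            del self.committed[i]                            # and every batch built on it
        self.tip_root = header.prev_state_root
        return True
    def is_final(self, header: BatchHeader, l1_block: int) -> bool:  # state root safe to rely on?
        stored_hash, committed_at = self.committed.get(header.index, (None, 0))
        return header.hash() == stored_hash and l1_block > committed_at + CHALLENGE_WINDOW
```

The header-hash check in `challenge` is the point of the audit item: without it, a challenger could dispute a header the sequencer never actually committed.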
After the audit competition, gas usage was optimized and the reported vulnerabilities were checked and fixed. Readers interested in the security of this project can keep following Morph's official GitHub.
Security is the foundation of Web3 projects. In an era of crypto consumption where Web2 and Web3 are converging, continuous iteration is the key to a project's success. When participating in the Morph ecosystem, the Lianyuan Technology Security Team recommends that you pay close attention to your own wallet security. Granting too many wallet approvals, or a project team abandoning the project, can lead to large asset losses. Check your approvals and the project's progress regularly.