Introduction
This Report aims to be solely a code comparison from PancakeSwapV3 → to Morphex →. As such, it should not be considered a security assessment: it is not proof or guarantee that the scope of this document is secure or behaves as expected.
The reviewed Morphex → codebase consists of a fork of PancakeSwapV3 →, with additional changes introduced by Lumia's development team. Such changes will be presented through the Observations sections of the present report as Observation elements.
It should be noted that there is no guarantee that the implemented changes are correct or sufficient to make the system work and be reliable, to be flaw-less or free of vulnerabilities and attack vectors. In order to be certain, it is recommended to conduct a security assessment and include the corresponding tests to make sure the system behaves as expected.
We express our gratitude to the Lumia team for the collaborative engagement that enabled the execution of this Smart Contract Code Difference Assessment.
MorphexV3 is a decentralized exchange (DEX) protocol. MorphexV3 allows you to swap cryptocurrencies immediately. You can switch between any two BEP-20 tokens directly with your wallet. This protocol was built using an automated market maker (AMM) model of concentrated liquidity. MorphexV3 trade pairs are represented by liquidity pools. These liquidity pools are filled with funds provided by users, who are called MorphexV3 (LPs).
A high-level overview of MorphexV3 main features includes swapping, yield farming, and staking.
Document
- Name
- Smart Contract Code Difference Evaluation Report for Lumia
- Audited By
- David Camps Novi
- Approved By
- Ataberk Yavuzer
- Website
- https://lumia.org/→
- Changelog
- 14/02/2025 - Final Report
- Platform
- Lumia
- Language
- Solidity
- Tags
- Decentralized Exchange (DEX), Fork
Review Scope
- Commit
- 9deec19
Audit Summary
The system users should acknowledge all the risks summed up in the risks section of the report.
System Overview
MorphexV3 is a decentralized exchange (DEX) protocol. MorphexV3 allows you to swap cryptocurrencies immediately. You can switch between any two BEP-20 tokens directly with your wallet. This protocol was built using an automated market maker (AMM) model of concentrated liquidity. MorhexV3 trade pairs are represented by liquidity pools. These liquidity pools are filled with funds provided by users, who are called MorphexV3 (LPs).
A high-level overview of MorphexV3's main features includes swapping, yield farming, and staking.
Potential Risks
This presented document is a code comparison from PancakeSwapV3 → to Morphex, but it is not a security assessment. As such, this document should not be considered a proof or guarantee that the reviewed code works or it is secure.
The Morphex codebase is a fork of PancakeSwapV3 →, where the changes introduced were aimed to make the system compatible with the solidity version 0.8.24and update the PancakeSwap-related names to Morphex naming (e.g. CAKE changed to rewardToken). However, even there is no guarantee that the implemented changes are correct or sufficient to make the system work and be reliable. In order to be more certain, it is recommended to fully test the system to make sure the system behaves as expected.
As a fork of PancakeSwapV3 →, the current Morphex codebase shares the same flaws as the forked system. Thus, it is recommended to keep track of Pancake's vulnerability track and any past hacks, in order to be robust to them. Additionally, the new changes introduced for compatibility may introduce new vulnerabilities to the Morphex system.
Findings
Code ― | Title | Status | Severity | |
|---|---|---|---|---|
F-2025-8801 | Added int() and uint() Operations | Fixed | Observation | |
F-2025-8798 | Updated @openzeppelin Imports Path | Fixed | Observation | |
F-2025-8796 | Changed References of Cake to Reward Token | Fixed | Observation | |
F-2025-8794 | Updated References from "Pancake" to "Morphex" | Fixed | Observation | |
F-2025-8793 | Imports from @pancakeswap Changed to Local Imports | Fixed | Observation | |
F-2025-8760 | Upgrade of the Pragma Version | Fixed | Observation |
Appendix 2. Scope
The scope of the project includes the following smart contracts from the provided repository:
Scope Details
- Commit
- 9deec19
- Whitepaper
- N/A
- Requirements
- N/A
- Technical Requirements
- N/A
Assets in Scope
./masterchef-v3/libraries/SafeCast.sol./masterchef-v3/MasterChefV3.sol./v3-core/libraries/FullMath.sol./v3-core/libraries/LowGasSafeMath.sol./v3-core/libraries/SafeCast.sol./v3-core/libraries/TickBitmap.sol./v3-core/libraries/TickMath.sol./v3-core/MorphexV3Factory.sol./v3-core/MorphexV3Pool.sol./v3-core/MorphexV3PoolDeployer.sol./v3-lm-pool/libraries/LmTick.sol./v3-lm-pool/MorphexV3LmPool.sol./v3-lm-pool/MorphexV3LmPoolDeployer.sol