
Security Audit Report for Morph Emerald upgrade

DESCRIPTION

The target of this audit is the code repositories ([1], [2]) of the Morph Emerald upgrade.

The Morph Emerald upgrade introduces alternative fee transactions (i.e., AltFeeTx), enabling native multi-token gas payments on the Morph L2 chain. This upgrade allows users to pay gas fees using registered ERC-20 tokens. Specifically, this feature is enabled through the introduction of the L2TokenRegistry contract and corresponding modifications to the Geth codebase. The L2TokenRegistry contract allows managers to register fee tokens and update their associated parameters (e.g., token scale and exchange rate). On the Geth side, the project defines the AltFeeTx transaction type with two key parameters (i.e., FeeTokenID and FeeLimit) and implements the corresponding handling logic, including transaction creation, fee calculation, and fee transfer. Notably, the token information used during transaction processing is fetched directly from the L2TokenRegistry contract. In addition, the Emerald upgrade synchronizes recent Ethereum mainnet updates by introducing new precompiles and opcodes (e.g., CLZ).

Please refer to the report for the detailed audit scope.

Our audit methodology employs automated vulnerability scans, manual verification, and business logic analysis to uncover potential security issues coupled with gas and code quality optimization recommendations.

In summary, we have found that the codebase contains 1 high-risk issue that requires prompt attention. In addition, we have identified other non-critical issues as well as security suggestions that should be considered. The Morph Emerald upgrade team has addressed these issues promptly. It is important to note that our audit covers only the final reported versions of the codebase. Any subsequent updates would require a re-evaluation.

KEY FINDINGS

In total, we find 4 potential issues in the smart contract. We also have 7 recommendations and 4 notes, as follows:

High Risk: 1
Medium Risk: 1
Low Risk: 2
Recommendation: 7
Note: 4
| ID | Severity | Description | Status |
|----|----------|-------------|--------|
| 1 | High | Incorrect access control logic in the modifier onlyAllowed | Fixed |
| 2 | Medium | Inconsistent updates of the price ratio and token scale | Fixed |
| 3 | Low | Lack of the value assignment for FeeLimit in the CallArgs construction | Fixed |
| 4 | Low | The misleading return value of the function getTokenInfo() | Fixed |
| 5 | - | Revise the unused function Filter() | Confirmed |
| 6 | - | Remove redundant code | Fixed |
| 7 | - | Add non-zero checks | Fixed |
| 8 | - | Revise the improper error in the function calculateTokenAmount() | Fixed |
| 9 | - | Revise typos and improper annotations | Fixed |
| 10 | - | Unify the existence checks for the balance slot | Fixed |
| 11 | - | Use different custom errors for different revert conditions | Fixed |
| 12 | - | Ensure the correctness of fee tokens | - |
| 13 | - | Potential centralization risks | - |
| 14 | - | Openzeppelin upgrade migration risks | - |
| 15 | - | Correct handling of the fee tokens in the contract L2TxFeeVault | - |

More details are provided in the audit report.
