This project performs READ-ONLY analysis of public on-chain vault state. It does not custody keys, sign transactions, or submit anything to a blockchain. The risk surface is limited to:
- Incorrect risk metric outputs that mislead a curator into a wrong parameter change. This is the primary concern.
- Pydantic / parsing errors that crash the CLI on malformed API responses.
- Outdated dependency CVEs in the runtime dependencies.
If you find a math bug that materially changes a detector's headline metric, a Pydantic / parsing failure on a real-world Morpho API response, or any issue where this framework would lead a curator to a wrong action, please open a private security advisory via GitHub Security Advisories rather than a public issue. I respond within ~7 days.
For non-security bugs, please open a regular GitHub issue.
The latest main branch is the only supported version. Tagged releases are
snapshots for reference; no patch backports.
- Anything in
data/fixtures/*.json— these are illustrative synthetic values, not authoritative on-chain data. - The Chart.js CDN load in HTML reports. Pin the version locally if your environment requires it.