Onchain lending markets are powerful because they're programmatic, verifiable, and rely purely on code. As we approach Tenor’s launch, we want to share the steps we've taken to secure Tenor’s codebase and how we think about security internally. A strong security track record is the biggest moat a platform like ours can build over time as it lowers the cost of capital for all parties involved, that's why we're investing heavily on security.
We have been big fans of Morpho's approach to building onchain lending infrastructure, minimalist codebases, formal verification, and deep attention to details. For those who have looked at Morpho’s code, it’s a work of craftsmanship. This is why Tenor is built exclusively on the Morpho stack.
We have been building Tenor on top of Morpho Midnight, Morpho’s upcoming fixed-rate, fixed-term lending primitive. Midnight's flexible design lets Tenor extend the protocol’s functionality with custom features while maintaining core protocol guarantees (e.g., position accounting).
Morpho and Tenor smart contracts are immutable and fully non-custodial. Tenor contracts are modular, such that users can opt-in to a subset of contracts when executing advanced flows or when looking to benefit from custom features. For example:
Earn the variable rate on pending lend fixed rate offers
Programmatic auto-renewal of positions before maturity
Programmatic market making for lenders
Create gated markets with custom whitelists
Create markets with liquidation grace periods for borrowers
Circuit breakers on price oracles and renewal flows
While Tenor’s core contracts are immutable, users can still customize renewal policies and markets to include circuit breakers. For example, users have the ability to opt-in to pausable renewal policies giving more flexibility to guard against cybersecurity incidents while not compromising the protocol’s non-custodiality guarantees.
Beyond design, Tenor's contracts have undergone unit and integration testing, as well as fuzzing. Key properties of the contracts have also been formally verified using the Certora Prover. Thanks to Alex Zoid for key contributions on Formal Verification.
Five leading security firms conducted independent reviews of the Tenor contracts:
Blackthorn: Xiaoming90, Hyh, 0xSimao, and 0xApple
Cantina: Saw-mon & Natalie and Rscodes
Guardian: r0bert, Giraffe0x, and Wafflemakr
Blackthorn, Cantina, and TrustSec researchers also audited Midnight beforehand, having a strong understanding of Tenor's main dependency.
Alongside traditional security reviews, Tenor's smart contracts and SDK were analyzed using cutting-edge AI-powered security tools, including Cantina APEX, Zero Cool, and Octane Security.
Tenor is launching a bug bounty program with Sherlock, offering up to $200,000 for critical findings disclosed responsibly. Tenor also uses Blockaid to monitor onchain activity to flag abnormal activity.
We're grateful to every team that helped us get here: the researchers at Blackthorn, Cantina, Guardian, Obsidian, and TrustSec, as well as Alex Zoid. Also, thank you to the Morpho protocol team for their support.
Tenor is launching (very) shortly. For those interested you can find the smart contract repository here and our security documentation here.

