Risks

The summary below highlights the risks most relevant to users of the Tenor interface; it is not exhaustive. The full legal disclosure is available in the Platform Risks document.

Market and oracle risks

Price volatility and depegs

The value of any token used as collateral or as a loan asset can move sharply. Stablecoins can lose their peg. Sudden price moves can push a borrow position into liquidation and reduce the realizable value of collateral.

Oracle inaccuracy or manipulation

Each market relies on a price oracle for collateral valuation. If the oracle returns a stale, incorrect, or manipulated price, a position may be liquidated improperly, or a borrower's position may remain open while undercollateralized. Cross-check oracle prices against external sources before time-sensitive actions.

Onchain illiquidity

Reselling a lend position, repaying a borrow early, or exiting before maturity depends on counterparties being present onchain. In thin markets you may be unable to exit at the price you expect, or at all, until maturity.

Borrowing and liquidation risks

Liquidation

A borrow position can be liquidated without warning whenever its LTV crosses the market's LLTV, or when debt remains unpaid past maturity. Liquidations may be partial or total, may apply a penalty, and during congestion or oracle delays may execute at prices significantly worse than expected. Attempts to add collateral may fail in the same conditions. Cascading liquidations across positions are possible.

Grace periods are not a guarantee

Where a market offers a grace period before liquidation, it depends on a third party submitting a trigger transaction, adding collateral or repaying during the grace period does not automatically prevent liquidation, and the grace period is a one-time buffer per initiation, not a continuous protection.

Bad debt and loss socialization

If a borrower's position becomes insolvent (debt exceeds collateral value even after liquidation), the shortfall is socialized across all lenders in the same Morpho market. Your lend position can lose value because of another participant's default, not because of any action of your own.

Collateral composition

A market may accept or be affected by multiple collateral types, vault shares, wrapped or derivative assets, even when the interface highlights only one. Where vault shares are accepted as collateral, losses in the underlying vault can propagate to the market, including to lenders whose borrower counterparties posted a different collateral asset. Review every collateral exposure in a market, not only the asset you see in the interface.

Renewal, rollover, and contingent orders

Auto-renewal may not execute

Auto-renewal depends on a third party (keeper or solver) submitting the onchain transaction to roll your position. If no third party finds the renewal economically viable (due to market conditions, network fees, or other reasons), the position will not be renewed and may mature, expire, or become liquidatable. Do not assume a rollover will execute simply because you configured it.

Renewal gates

If you opt in to a renewal gate restricting which addresses may roll your position, no authorized party may be available when needed. A gate may also be activated as a pause mechanism in response to a security event, which equally prevents your position from rolling during the suspension.

Contingent orders

Limit and other contingent orders may not execute at all, or may execute differently from a centralized exchange-style order, because they depend on onchain conditions and third-party execution. Multiple contingent orders with overlapping conditions can fire simultaneously and produce a position different from any one of them individually.

Smart contract and protocol risks

Smart contract bugs

Tenor, the Morpho Protocol, and the surrounding contracts (bundlers, adapters, ratifiers, callback contracts) are software and may contain bugs, novel exploits, or interactions that cause partial or total loss of funds. Onchain failures are often irreversible.

Morpho Protocol dependency

Tenor is built on the Morpho Protocol, developed by a third party. Insufficient liquidity, repositioning limits, market unavailability, composability failures, or protocol changes within Morpho can cause expected transactions (rollovers, auto-close, liquidations) to fail and can result in losses.

Token approvals and protocol authorizations

Using Tenor requires token approvals (including unlimited allowances or permit signatures) and protocol-level authorizations that let contracts such as the Tenor Bundler, adapters, ratifiers, and callback contracts act on your behalf (supplying or withdrawing collateral, repaying debt, executing renewals). These authorizations persist until you explicitly revoke them. Review and revoke authorizations you no longer need.

Bundle execution

When the Tenor Bundler executes multiple operations in a single transaction, verify the contents of the bundle before signing. A malicious or compromised interface could construct a bundle that grants authorizations, transfers assets, or modifies positions in ways you did not intend. Hardware wallets and transaction simulation help.

MEV and frontrunning

Some onchain transactions can be exposed to MEV bots or frontrunning that may affect execution price.

Custom configurations

Custom orders and OTC parameters

Custom orders, custom OTC offers, custom vault rules, signer permissions, allowlists, adapters, and other user-controlled settings can be easier to misconfigure than standard markets. Always double-check parameters and consider a test transaction first. Interface guardrails may not catch your error.

Non-custodial vaults and multisignature wallets

Morpho non-custodial vaults and Safe multisignature wallets created or managed through Tenor are controlled entirely by their signers and configurations: signers, thresholds, allowlists, permissions, adapters, modules, allocation instructions, and risk settings. Misconfiguration can cause permanent loss of access, blocked withdrawals, or forced liquidations, and cannot be reversed by Tenor.

Market and vault gates

Markets and vaults may use smart contract gates restricting which addresses can lend, borrow, liquidate, deposit, withdraw, or receive shares. A gate may be misconfigured, changed by an owner, or made immutable. If a gate prevents you from withdrawing or exiting, you may be unable to take time-sensitive action, up to the total loss of your assets. Verify gate configuration before depositing.

Wallet, device, and recovery risks

Device and key security

Tenor cannot recover the keys of an external wallet you connect. If you lose access to recovery options for an embedded wallet (e.g., Privy authentication via email or phone), access to that wallet and any assets it controls may be permanently lost. Offline backups of private keys and seed phrases mitigate this.

Be cautious of messages, emails, or social posts impersonating Tenor, integrated third parties, or counterparties. Official channels can also be compromised. Verify contract addresses and instructions through multiple independent sources before transacting. Tenor support will never ask for private keys or seed phrases.

Cybersecurity attacks on Tenor itself

Frontends, SDKs, APIs, and supporting infrastructure may be targeted by attacks (DNS hijacking, supply chain compromise, malicious transaction substitution, credential theft). No software is fully secure. Verify URLs and package sources, use hardware wallets where appropriate, and review every transaction before signing.

Network and operational risks

Network, node, and sequencer failures

Tenor relies on public blockchain networks. Node delays, chain reorganizations, hard forks, and sequencer downtime on L2s can delay or prevent transactions, including time-sensitive actions like adding collateral or closing a position to avoid liquidation.

Network congestion and gas

Critical actions such as adding collateral may have to be executed at high gas prices during congestion. Gas estimates shown in the interface may be inaccurate, and a transaction can fail even where the interface predicted success.

Service interruption

The Tenor interface may be temporarily unavailable due to maintenance, upgrades, or attacks. In such cases you may need to interact with the Morpho Protocol directly, or may miss an alert from Tenor.

Monitoring tools are not guarantees

Monitoring features in Tenor are provided as a convenience and may not function correctly. Tracking the state of your positions and responding to onchain events ultimately depends on you.

Estimates and displayed numbers

Rates, slippage estimates, projected outcomes, and other numbers in the interface are estimates and may differ from actual results. Displayed numbers are not suitable for tax reporting.

Third-party and counterparty risks

Bridges, DEXs, and integrated onchain services

Tenor may integrate with bridges, decentralized exchanges, and other onchain utilities operated by third parties. These have their own security models and prior history of failures.

Third-party services and infrastructure

Tenor depends on third parties including the Morpho Protocol, Privy, Safe, oracle providers, bridges, RPC providers, and other infrastructure. A security failure or compromise of any of these can cause or amplify losses, even if Tenor itself is functioning correctly.

Messaging and counterparties

If you use Tenor messaging tools (for example, for OTC quotes or indications of interest), counterparties may be unresponsive, dishonest, or technically defective. Tenor does not verify counterparty identity, solvency, or compliance. Wallet addresses, signatures, and links shared through messaging may be inaccurate or malicious; verify independently before acting.

Customer support

Customer support communications, including from AI systems, can be erroneous. Verify any guidance against official documentation. Real Tenor support will never ask for private keys, seed phrases, or assets.

Mitigation

Common steps that reduce exposure to the risks above: monitor your positions, maintain sufficient collateral, verify URLs and contract addresses, review transaction details before signing, use hardware wallets where appropriate, keep secure backups of keys and recovery credentials, revoke token approvals and protocol authorizations you no longer need, and verify the authenticity of any communication that claims to come from Tenor.

For the full risk disclosure, see Platform Risks.

Market and oracle risks​

Price volatility and depegs​

Oracle inaccuracy or manipulation​

Onchain illiquidity​

Borrowing and liquidation risks​

Liquidation​

Grace periods are not a guarantee​

Bad debt and loss socialization​

Collateral composition​

Renewal, rollover, and contingent orders​

Auto-renewal may not execute​

Renewal gates​

Contingent orders​

Smart contract and protocol risks​

Smart contract bugs​

Morpho Protocol dependency​

Token approvals and protocol authorizations​

Bundle execution​

MEV and frontrunning​

Custom configurations​

Custom orders and OTC parameters​

Non-custodial vaults and multisignature wallets​

Market and vault gates​

Wallet, device, and recovery risks​

Device and key security​

Social engineering and impersonation​

Cybersecurity attacks on Tenor itself​

Network and operational risks​

Network, node, and sequencer failures​

Network congestion and gas​

Service interruption​

Monitoring tools are not guarantees​

Estimates and displayed numbers​

Third-party and counterparty risks​

Bridges, DEXs, and integrated onchain services​

Third-party services and infrastructure​

Messaging and counterparties​

Customer support​

Mitigation​