Euler / Euler-Bounty
Euler v2 is a modular lending platform with two main components at launch: 1) the Euler Vault Kit (EVK), which empowers builders to deploy and chain together their own customised lending vaults in a permissionless manner; and 2) the Ethereum Vault Connector (EVC), a powerful, immutable primitive which gives vaults superpowers by allowing their use as collateral for other vaults. Together, the EVK and EVC provide the flexibility to build or recreate any type of pre-existing or future-state lending product inside the Euler ecosystem.
Euler Vault Kit
The Euler Vault Kit is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools.
Ethereum Vault Connector
The Ethereum Vault Connector (EVC) is a foundational layer designed to facilitate the core functionality required for a lending market. It serves as a base building block for various protocols, providing a robust and flexible framework for developers to build upon. The EVC primarily mediates between vaults, contracts that implement the ERC-4626 interface and contain additional logic for interfacing with other vaults. The EVC not only provides a common base ecosystem but also reduces complexity in the core lending/borrowing contracts, allowing them to focus on their differentiating factors.
Euler Price Oracle
Euler Price Oracle is a library of modular oracle adapters and components that implement IPriceOracle, an opinionated quote-based interface. It supports Chainlink, Chronicle, RedStone Core and Pyth through minimal, immutable adapter contracts. The EulerRouter component is a dispatcher contract that maintains a configuration of resolver oracles with an optional fallback. The router can price ERC-4626 shares in terms of their underlying assets through convertToAssets, making it a convenient entry point contract for EVK pricing.
Reward Streams
Reward Streams is a powerful and flexible implementation of the billion-dollar algorithm, a popular method for proportional reward distribution in the Ethereum developer community. This project extends the algorithm's functionality to support both staking and staking-free (balance-change tracking based) reward distribution, multiple reward tokens, and permissionless registration of reward distribution schemes (reward streams). This makes Reward Streams a versatile tool for incentivizing token staking and holding in a variety of use cases.
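As an added illustration of the accumulator the billion-dollar algorithm rests on, in the staking-free form described above where the token reports balance changes to the distributor. This is example code written for this page, not Reward Streams' own code; the class name, the `balance_hook` interface and the scenario values are hypothetical.

```python
from fractions import Fraction

class BalanceTrackingStream:
    """Hypothetical illustration of the 'billion-dollar algorithm': a global
    reward-per-unit accumulator plus a per-user snapshot. Not Reward Streams' code."""

    def __init__(self, rate):
        self.rate = Fraction(rate)   # reward tokens per second
        self.acc = Fraction(0)       # cumulative reward per unit of balance
        self.last = 0                # timestamp of the last accumulator update
        self.total = Fraction(0)     # sum of all tracked balances
        self.balances, self.paid, self.earned = {}, {}, {}

    def _accumulator_at(self, now):
        # Reward for an interval with no eligible balance is simply not distributed.
        if self.total == 0:
            return self.acc
        return self.acc + self.rate * (now - self.last) / self.total

    def _settle(self, user, now):
        # Advance the global accumulator, then credit this user's share of all
        # reward accrued since their last snapshot: O(1) per balance change.
        self.acc, self.last = self._accumulator_at(now), now
        bal = self.balances.get(user, Fraction(0))
        self.earned[user] = self.earned.get(user, 0) + bal * (self.acc - self.paid.get(user, 0))
        self.paid[user] = self.acc

    def balance_hook(self, user, new_balance, now):
        """Staking-free mode: the token calls this on every mint/transfer/burn,
        so holders earn without depositing into a staking contract."""
        self._settle(user, now)
        new_balance = Fraction(new_balance)
        self.total += new_balance - self.balances.get(user, Fraction(0))
        self.balances[user] = new_balance

    def claimable(self, user, now):
        """View-style query that does not mutate state."""
        bal = self.balances.get(user, Fraction(0))
        return self.earned.get(user, 0) + bal * (self._accumulator_at(now) - self.paid.get(user, 0))

def simulate():
    # Constructed scenario, 10 reward/s: alice holds 100 from t=0, bob mints 300
    # at t=10, alice transfers her 100 to bob at t=20, both queried at t=30.
    s = BalanceTrackingStream(rate=10)
    s.balance_hook("alice", 100, now=0)
    s.balance_hook("bob", 300, now=10)    # 0..10: alice alone earns 100
    s.balance_hook("alice", 0, now=20)    # 10..20 split 1:3: alice 25, bob 75
    s.balance_hook("bob", 400, now=20)
    return s.claimable("alice", 30), s.claimable("bob", 30)   # (125, 175)
```

The transfer at t=20 settles both parties before their balances change, which is the invariant an auditor checks in any balance-tracking distributor: a hook that updates the balance before settling would let the recipient claim reward for time they did not hold the tokens.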
Eligibility
To qualify for a reward under this program, you must:
- Identify a previously unknown, non-public vulnerability that has not been reported before, was identified in the Hats Finance CTF, and is within the program's scope.
- Be the first to report the distinct vulnerability, adhering to the disclosure guidelines.
- Provide detailed information that allows our engineers to replicate and resolve the vulnerability.
- Avoid exploiting the vulnerability in any manner, including making it public or profiting from it (except for the program's reward).
- Report the vulnerability privately to us without public disclosure.
- Make every effort to prevent privacy breaches, data destruction, or interruption of the in-scope assets.
- Ensure the vulnerability isn't caused by an underlying issue that has already received a reward under this program.
- Refrain from any illegal activities when disclosing the bug, such as using threats or coercion.
- Be at least 18 years old or, if under 18, submit your finding with parental or guardian consent.
- Not be subject to OFAC sanctions or reside in a country under OFAC embargo.
- Not be a current or former employee, or a vendor or contractor involved in the development of the code containing the reported bug.
- Adhere to all the program's eligibility requirements.
Scope
This bug bounty focuses on the vaults which are smart contract addresses returned by the verifiedArray() function of the following default perspectives:
- Escrowed Collateral Perspective
- Euler Ungoverned 0x Perspective
- Euler Ungoverned nzx Perspective
- Governed Perspective
Only the contracts in the master/main branch of the following repositories that the above DEPLOYED vaults rely on are in scope:
Website
- Only the following site is in scope: https://app.euler.finance
Severity Definitions
Smart Contracts Severity Levels
| Severity level | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likelihood: high | High | High | Medium |
| Likelihood: medium | High | Medium | - |
| Likelihood: low | Medium | - | - |
High: These can drastically affect many users and result in major reputational, legal, or financial damage. Examples include the ability to permanently lock contracts or withdraw funds from all users. These could also mean broken core functionality.
Medium: These may result in loss of funds for users, but only under certain conditions, and are not easy to perform. The attacker's reward-to-cost ratio is not large, but the issue still needs to be fixed. This level also covers breaking of functionality or a denial of service affecting users' funds.
Website Severity Levels
High
- Remote code execution
- Unauthorized access to sensitive user data
- Ability to perform actions as a privileged user
- SQL injection
- Cross-Site Scripting (XSS) with significant impact
- Authentication bypass
Medium
- Cross-Site Request Forgery (CSRF)
- Server-Side Request Forgery (SSRF)
- Sensitive information disclosure
Rewards
Rewards for Smart Contract Bugs
| Severity Level | Reward |
|---|---|
| High | $1,000,000.00 |
| Medium | $200,000.00 |
Reward Levels
- High: Up to 200,000 USD
- Medium: Up to 50,000 USD
Rewards are calculated as 10% of the vulnerability's economic impact.
Rewards for Web Interface bugs
| Severity level | Reward |
|---|---|
| Critical | $25,000.00 |
| High | $5,000.00 |
| Medium | $1,000.00 |
Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.
Out of Scope
Contracts
Any previous issue marked as acknowledged/will not fix is not in scope to be reported again. If there has been a fix implemented, the fixed code can be treated as in scope.
- Issues described in our documentation: in-code comments, in the README and in the whitepapers.
- Issues found in previous security reviews.
- Issues found in development branches.
- Issues related to deploy scripts or tests.
- Third party integrations not functioning as advertised.
- Issues related to potentially malicious actions taken by Euler DAO controlled entities are out of scope, as those entities are assumed to be trusted.
- Issues related to mistakes made by governors/deployers when configuring vaults or price oracles:
  - The issue will be considered out of scope if it involves a user or vault actively opting to use something created or controlled by the untrusted actor.
- Issues related to chain re-orgs and network liveness.
- Issues related to alternate networks or L2s are entirely at the team's discretion.
- Incompatibilities with ERC-4626 and ERC-20, unless they pose a direct security risk.
- Issues related to non-standard tokens and their behaviors (i.e. weird tokens).
- Incorrect hardcoded addresses would be considered low, unless using them causes a direct loss of funds on deployment.
Euler Price Oracle-Specific
- We are aware that some Price Oracles are not compatible with all networks. RedstoneCoreOracle and LidoOracle only work on Ethereum. ChronicleOracle does not (yet) work on Base and Optimism.
- Issues related to misconfiguration in the constructors, including but not limited to zero addresses, wrong base/quote tokens and invalid decimals.
- Issues related to a malicious/compromised governor in EulerRouter.
- Issues related to misconfiguration in EulerRouter, including but not limited to resolving ERC4626 vaults with an insecure convertToAssets method.
- Issues related to overflows and other math errors must have a demonstrable impact with a concrete scenario.
- Issues related to censorship / frontrunning users that interact with Pyth and RedStone. We expect users to interact with the EVC or another multicall-like contract to update the price and retrieve it in a single call.
- Issues related to using non-crypto price feeds in oracle adapters, including but not limited to Stocks feeds, ETF feeds, Forex feeds and any other feeds that have working hours.
- Issues stemming from sequencer downtime on L2s, including but not limited to missing sequencer liveness checks.
- Issues stemming from liveness and catastrophic bugs or malicious behaviour in the integrated oracles, including but not limited to Chainlink upgrades, Chronicle caller whitelist, RedStone signers rotating, Pyth downtime due to Wormhole. By using an oracle users choose to accept those trust assumptions.
Website-Specific
- The website is out of scope until the official Euler V2 Protocol launch date.
- Non-security-related bugs such as performance issues or UI glitches.
- Clickjacking on pages with no sensitive actions.
- CSRF vulnerabilities on forms with no sensitive actions.
- Reports from automated tools without a working proof of concept.
- Denial of Service (DoS) attacks.
- Content spoofing and text injection without an attack vector.
- Rate limiting or brute force attacks on non-sensitive endpoints.
- Vulnerabilities in third-party services or dependencies.
- Software version disclosure
- Flaws affecting out-of-date browsers and plugins
- Self XSS
- SSL/TLS issues, such as weak ciphers or BEAST attacks, without a demonstrable impact.
- Cloudflare resources such as /cdn-cgi/ are out of scope without demonstrable impact.
The following activities and vulnerability types are considered out of scope for this bug bounty program and strictly forbidden:
- Physical attacks against our employees, offices, or data centers
- Social engineering attacks against our employees or users
- Vulnerabilities in applications or systems not owned by us
- Vulnerabilities requiring physical access to a user's device
- Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)
System Roles and Privileges
- Euler DAO: This entity manages the upgrade admin role in GenericFactory (if not revoked), and the admin role in ProtocolConfig, oracle adapter registry, the external vaults registry and the IRM registry
- Vault creators/governors: Anyone can create a vault and optionally retain governance control over it. Governors are responsible for securely configuring their own vaults, and for selecting suitable vaults to use as collateral.
- EulerRouter price governors: These users are responsible for maintaining the pricing sources used for an oracle.
- Synth owners/minters: These users should be considered trusted in the context of managing the synthetic asset and its distribution.
- Regular users: Any other user is considered untrusted.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
  - We recommend testing on local forks, for example using Foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with or who has ever worked with the Project Entity cannot participate in the Bug Bounty.
Testing Guidelines
To ensure safe and responsible testing:
- Use only your own accounts or test accounts for testing.
- Do not attempt to access, modify, or destroy data that does not belong to you.
- Be mindful of testing that might impact system availability or integrity.
- Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.
If you're unsure whether a specific test is allowed, please contact us before proceeding.
Summary
Status: Live
Total reward: $1,000,000 USDC
Start date: 21 Aug 2024 4:00pm (local time)