Euler V2 is a modular lending platform with two main components at launch: 1) the Euler Vault Kit (EVK), which empowers builders to deploy and chain together their own customised lending vaults in a permissionless manner; and 2) the Ethereum Vault Connector (EVC), a powerful, immutable, primitive which give vaults superpowers by allowing their use as collateral for other vaults. Together, the EVK and EVC provide the flexibility to build or recreate any type of pre-existing or future-state lending product inside the Euler ecosystem.

Euler Vault Kit:

The Euler Vault Kit is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools.

Ethereum Vault Connector

The Ethereum Vault Connector (EVC) is a foundational layer designed to facilitate the core functionality required for a lending market. It serves as a base building block for various protocols, providing a robust and flexible framework for developers to build upon. The EVC primarily mediates between vaults, contracts that implement the ERC-4626 interface and contain additional logic for interfacing with other vaults. The EVC not only provides a common base ecosystem but also reduces complexity in the core lending/borrowing contracts, allowing them to focus on their differentiating factors.

Euler Price Oracle:

Euler Price Oracle is a library of modular oracle adapters and components that implement IPriceOracle, an opinionated quote-based interface. It supports Chainlink, Chronicle, RedStone Core and Pyth through minimal, immutable adapter contracts. The EulerRouter component is a dispatcher contract that maintains a configuration of resolver oracles with an optional fallback. The router can price ERC4626 shares to assets through convertToAsset, making it a convenient entry point contract for EVK pricing.

Reward Streams:

Reward Streams is a powerful and flexible implementation of the billion-dollar algorithm, a popular method for proportional reward distribution in the Ethereum developer community. This project extends the algorithm's functionality to support both staking and staking-free (based on balance changes tracking) reward distribution, multiple reward tokens, and permissionless registration of reward distribution schemes (reward streams). This makes Reward Streams a versatile tool for incentivizing token staking and holding in a variety of use cases.

Fee Flow:

Fee Flow is an efficient, decentralized, and MEV-resistant mechanism designed to convert fee assets to a single token. It operates using a continuous auto-adjusting Dutch auction mechanism, providing a secure and optimized way to handle fee conversions in blockchain applications. This component helps streamline token economics by efficiently managing the flow of transaction fees across various assets.

Securitize Vaults:

Securitize vaults are ERC-4626-style collateral and savings vaults for permissioned assets integrated into Euler. Known Securitize vaults appear in the public metadata API with type securitize.

Euler Earn:

Euler Earn is an open source protocol for permissionless risk curation on top of ERC4626 vaults (strategies). It functions as an ERC4626 vault itself, allowing risk curators to deploy vaults through its factory. Each vault supports one loan asset and can allocate deposits across multiple strategies. The protocol offers noncustodial, immutable instances that provide users with a streamlined way to supply liquidity and earn passive yield. While initially designed to integrate with the EVK vaults, Euler Earn can work with any ERC4626-compliant vault.

EulerSwap:

EulerSwap v2 is an automated market maker (AMM) built on top of the Euler Vault Kit (EVK) and Ethereum Vault Connector (EVC). It allows liquidity providers to earn swap fees, lending yield, and borrow against their positions within a single account. Each instance is controlled by a single operator, enabling full flexibility over liquidity strategy and AMM configuration. EulerSwap v2 introduces just-in-time (JIT) liquidity, a mechanism that lets vaults borrow output tokens at the time of swap using the input token and vault collateral. This design enables deep liquidity with minimal capital and supports single-sided, asymmetric, and concentrated liquidity strategies. EulerSwap v2 is compatible with Uniswap v4 hooks and offers a composable foundation for capital-efficient trading.

Eligibility

To qualify for a reward under this program, you must:

1. Identify a previously unknown, non-public vulnerability that hasn't been reported before and is within the program's scope.
2. Be the first to report the distinct vulnerability, adhering to the disclosure guidelines.
3. Provide detailed information that allows our engineers to replicate and resolve the vulnerability.
4. Avoid exploiting the vulnerability in any manner, including making it public or profiting from it (except for the program's reward).
5. Report the vulnerability privately to us without public disclosure.
6. Make every effort to prevent privacy breaches, data destruction, or interruption of the in-scope assets.
7. Ensure the vulnerability isn't caused by an underlying issue that has already received a reward under this program.
8. Refrain from any illegal activities when disclosing the bug, such as using threats or coercion.
9. Be at least 18 years old or, if under 18, submit your finding with parental or guardian consent.
10. Not be subject to OFAC sanctions or reside in a country under OFAC embargo.
11. Not be a current or former employee, or a vendor or contractor involved in the code's development of the reported bug.
12. Adhere to all the program's eligibility requirements.

Scope

This bug bounty focuses on vaults that Euler's production app considers known for a given network, and the contracts those vaults directly rely on. Use the public is-known endpoint to check vault scope:

curl 'https://app.euler.finance/api/public/is-known?chainId=1&addresses=<vault-address>'

The endpoint returns a per-address verification verdict. Omitting addresses returns the known vault set for the requested chain. See the Euler Lite public API documentation for request limits, caching, address casing rules, and response details.

is-known reflects label and governance consistency only. It does not assert that a vault configuration, oracle setup, IRM, hooks, liquidity, or broader market conditions are safe. Those risk and configuration questions are governed by the rest of the program scope, severity, and out-of-scope rules.

Network Addresses

For the most up-to-date deployment addresses across various networks, please refer to the Euler Docs Contract Addresses. This website serves as the central source of truth for deployed component and factory addresses. Use https://app.euler.finance/api/euler-chains to discover chain deployment configs and their chainId values. For vault-address scope, use https://app.euler.finance/api/public/is-known?chainId=<chainId>.

Steps for Security Researchers

1. Access the Documentation: Visit the Euler Docs Contract Addresses to view all available network tabs.
2. Identify Relevant Networks: Explore the tabs to identify deployed Euler component and factory addresses, or query https://app.euler.finance/api/euler-chains and use the returned chainId values.
3. Check Vault Scope: Query https://app.euler.finance/api/public/is-known?chainId=<chainId> for known vaults on the target network, or include addresses=<comma-separated-addresses> to check specific vaults.
4. Inspect Vault Metadata When Needed: Query https://app.euler.finance/api/public/metadata?chainId=<chainId>&addresses=<comma-separated-addresses> for display metadata and vault type. The metadata endpoint does not replace the is-known verification verdict.
5. Stay Updated: Regularly check the documentation and public API, as new network deployments and known vaults may be added over time.

This approach gives security researchers access to current deployed component addresses and the current vault verification source, so scope can adapt to new deployments and known vaults as they are added.

Repositories in Scope

Only the contracts in the following repositories that the in-scope deployed vaults or deployed Euler components directly rely on are in scope:

• Ethereum Vault Connector
• Euler Vault Kit
• Euler Price Oracle
• Reward Streams
• Fee Flow
• Euler Earn
• EulerSwap
• Securitize Collateral Vault

Note: - For Ethereum Mainnet and Base please refer to this commit deployment Euler Vault Kit Mainnet/Base and for any other network Euler Vault Kit

Websites in Scope

• Only the following site is in scope https://app.euler.finance

Severity Definitions

Smart Contracts Severity Levels

High: These can drastically affect many users and result in major reputational, legal, or financial damage. Examples include the ability to permanently lock contracts or withdraw funds from all users. These could also mean broken core functionality.

Medium: These may result in loss of funds for users but under certain conditions and are not easy to perform. Also the reward to cost ratio is not large enough but still need to be fixed. Breaking of functionality or resulting in a DOS of funds for users

Website Severity Levels

High

• Remote code execution
• Unauthorized access to sensitive user data
• Ability to perform actions as a privileged user
• SQL injection
• Cross-Site Scripting (XSS) with significant impact
• Authentication bypass

Medium

• Cross-Site Request Forgery (CSRF)
• Server-side request forgery
• Sensitive information disclosure

Rewards

Core Components Rewards

These rewards apply to vulnerabilities found in the core components of Euler V2 (EVC, EVK, EPO). The bug bounty focuses specifically on known EVK-family vaults returned by https://app.euler.finance/api/public/is-known?chainId=<chainId>, and the contracts those vaults directly rely on.

Core Components Reward Levels

• High: Up to $5,000,000.00 USD, minimum payout $200,000.00 USD
  • First $2,500,000.00 paid in USDC
  • Next $2,500,000.00 paid in rEUL
• Medium: Up to $200,000.00 USD, minimum payout $50,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• The team may adjust the program after a high-severity payout to ensure sustainability.
• rEUL token is valued using a retrospective 30-day volume-weighted average price (TWAP) of EUL on CoinMarketCap from the date of the disclosure.

Examples:

• A $1,250,000.00 reward would be paid entirely in USDC.
• A $3,500,000.00 reward would be paid as $2,500,000.00 in USDC and $1,000,000.00 in rEUL

Boosted Rewards for Usual Stability Loan Vaults

If a vulnerability qualifies for the Euler Core Components Rewards and also affects the Usual Stability Loan (USL) vaults, Usual have generously offered to increase the reward by an additional $2.5 million in USUAL tokens. This brings the total potential reward to $7.5 million.

Vaults included

The USL vaults on Ethereum Mainnet:

• USD0++: 0xF037eeEBA7729c39114B9711c75FbccCa4A343C8
• USD0: 0xd001f0a15D272542687b2677BA627f48A4333b5d

Core Components Reward Levels

• High: Up to $7,500,000.00 USD, minimum payout $200,000.00 USD
  • First $2,500,000.00 paid in USDC
  • Next $2,500,000.00 paid in rEUL
  • Next $2,500,000.00 paid in USUAL
• Medium: Up to $200,000.00 USD, minimum payout $50,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• The team may adjust the program after a high-severity payout to ensure sustainability.
• Any rEUL or USUAL tokens will be priced using their respective retrospective 30-day volume-weighted TWAPs on CoinMarketCap from the date of the disclosure.

Examples:

• A $1,250,000.00 reward would be paid entirely in USDC.
• A $3,500,000.00 reward would be paid as $2,500,000.00 in USDC and $1,000,000.00 in rEUL
• A $5,500,000.00 reward would be paid as $2,500,000.00 in USDC and $2,500,000.00 in rEUL and $500,000.00 in USUAL

Supporting Components Rewards

These rewards apply to vulnerabilities found in Fee Flow, Reward Streams, and known Securitize vaults officially deployed or listed by Euler. Use https://app.euler.finance/api/public/metadata?chainId=<chainId> to identify Securitize vaults by type: "securitize".

Supporting Components Reward Levels

• High: Up to $100,000.00 USD, minimum payout $25,000.00 USD
• Medium: Up to $25,000.00 USD, minimum payout $5,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• For Securitize vault findings, if the KYC access requirement is not bypassed or compromised, the maximum impact is Medium.
• The team may adjust the program after a high-severity payout to ensure sustainability.

Euler Earn Rewards

These rewards apply specifically to vulnerabilities found in the Euler Earn protocol. The bug bounty focuses specifically on known Euler Earn vaults returned by https://app.euler.finance/api/public/is-known?chainId=<chainId>, and the contracts those vaults directly rely on. Use https://app.euler.finance/api/public/metadata?chainId=<chainId> when you need to distinguish Earn vaults from other known vault types.

Euler Earn Reward Levels

• High: Up to $500,000.00 USD, minimum payout $100,000.00 USD
• Medium: Up to $100,000.00 USD, minimum payout $25,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• The team may adjust the program after a high-severity payout to ensure sustainability.

Euler Swap Rewards

These rewards apply specifically to vulnerabilities found in the Euler Swap v2 protocol. The bug bounty focuses specifically on the vaults, and contracts they directly rely on, which are smart contract addresses returned by the pools() function of the Euler Swap v2 Factory.

Euler Swap Reward Levels

• High: Up to $250,000.00 USD, minimum payout $50,000.00 USD
• Medium: Up to $50,000.00 USD, minimum payout $10,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• The team may adjust the program after a high-severity payout to ensure sustainability.

Rewards for Web Interface Bugs

Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.

Out of Scope

Contracts

Any previous issue marked as acknowledged/will not fix is not in scope to be reported again. If there has been a fix implemented, the fixed code can be treated as in scope.

• Issues described in our documentation: in-code comments, in the README and in the whitepapers.
• Issues found in previous security reviews
• Issues found in development branches
• Issues related to deploy scripts or tests
• Third party integrations not functioning as advertised
• Issues related to potentially malicious actions taken by Euler DAO controlled entities are considered out of scope as they are assumed to be trusted
• Issues related to mistakes made by governors/deployers when configuring vaults or price oracles:
  • The issue will be considered out of scope if it involves a user or vault actively opting to use something created or controlled by the untrusted actor
• Issues related to chain re-orgs and network liveness
• Incompatibilities with ERC-4626 and ERC-20 unless they pose a direct security risk
• Issues related to non-standard tokens and their behaviors (i.e. weird-tokens)
• Incorrect hardcoded addresses would be considered low, unless there is a direct loss of funds on deployment from using them.

Euler Price Oracle-Specific

• We are aware that some Price Oracles are not compatible with all networks. For example, RedstoneCoreOracle and LidoOracle only work on Ethereum.
• Issues related to misconfiguration in the constructors, including but not limited to zero addresses, wrong base/quote tokens and invalid decimals.
• Issues related to a malicious/compromised governor in EulerRouter.
• Issues related to misconfiguration in EulerRouter, including but not limited to resolving ERC4626 vaults with insecure convertToAssets method.
• Issues related to overflows and other math errors must have a demonstrable impact with a concrete scenario.
• Issues related to censorship / frontrunning users that interact with Pyth and RedStone. We expect users to interact with the EVC or another multicall-like contract to update the price and retrieve it in a single call.
• Issues related to using non-crypto price feeds in oracle adapters, including but not limited to Stocks feeds, ETF feeds, Forex feeds and any other feeds that have working hours.
• Issues stemming from sequencer downtime on L2s, including but not limited to inexistent sequencer liveness checks.
• Issues stemming from liveness and catastrophic bugs or malicious behaviour in the integrated oracles, including but not limited to Chainlink upgrades, Chronicle caller whitelist, RedStone signers rotating, Pyth downtime due to Wormhole. By using an oracle users choose to accept those trust assumptions.
• Accurate and manipulation-resistant asset pricing is the responsibility of the vault governor. Such issues are not eligible for an Euler bug bounty unless they involve critical flaws in Euler-specific code. Therefore, issues related to pricing on a specific vault—such as exchange-rate manipulation through donation attacks or spot price manipulation—are considered out of scope.

Euler Swap v2-Specific

• Impermanent loss or market-making losses caused by price divergence between paired assets. LPs are responsible for managing this intrinsic AMM risk.
• Arbitrage losses caused by mispriced, stale, or intentionally asymmetric curve parameters. Arbitrage is an intended characteristic of AMMs and is not a protocol flaw by itself.
• Strategies leading to anticipated economic losses due to operator-selected AMM parameters, including tight curves, asymmetric fees, minimum reserves, single-sided liquidity, or inadequate hedging.
• Losses from using EulerSwap v2 with improperly governed or misconfigured vaults, including vaults with insecure oracles, weak collateral setups, unsupported vault behavior, or non-standard token behavior.
• Unfavorable borrowing costs, interest accrual, or liquidation risk created by just-in-time (JIT) liquidity or by using vault assets as collateral for broader strategies.
• Misuse or misconfiguration of pool owner, manager, EVC operator, or operator-controlled swap-hook contracts, including incorrect reconfiguration, flawed hedging logic, or hooks that intentionally reject swaps.
• Gas inefficiencies or failed transactions caused by operator-selected AMM settings, including extreme curve settings, deep virtual reserves, concentrated liquidity bounds, disabled swap directions, or expired pools.
• Inaccurate or unintended swap outcomes caused only by rounding, slippage settings, or operator-controlled swap-hook behavior, unless they demonstrate a critical exploit in EulerSwap v2 protocol logic.
• General price impact from large trades, even when prices deviate significantly from oracle rates. EulerSwap v2 uses operator-configured curve parameters and does not guarantee oracle-aligned pricing or TWAP execution.
• Issues originating from Uniswap v4 core/periphery, external routers, other Uniswap v4 hooks, or routing infrastructure not developed or maintained by Euler Labs. Bugs in EulerSwap v2 protocol-owned Uniswap v4 hook integration remain in scope.
• Losses occurring from unsafe integrations with third-party smart contracts or user-developed hooks, including integrations that lack appropriate reentrancy protection.
• Issues related only to the EulerSwap v2 registry challenge flow, including challenge classification, accepted failure types, pool removal, and validity-bond forfeiture or recovery.
• Issues where the sole impact is incorrect quotes or limits returned by view functions (e.g., getLimits, computeQuote) that do not result in direct loss of user funds.

Website-Specific

• Non-security-related bugs such as performance issues or UI glitches.
• Clickjacking on pages with no sensitive actions.
• CSRF vulnerabilities on forms with no sensitive actions.
• Reports from automated tools without a working proof of concept.
• Denial of Service (DoS) attacks.
• Content spoofing and text injection without an attack vector.
• Rate limiting or brute force attacks on non-sensitive endpoints.
• Vulnerabilities in third-party services or dependencies.
• Software version disclosure
• Flaws affecting out-of-date browsers and plugins
• Self XSS
• SSL/TLS issues, such as weak ciphers or BEAST attacks, without a demonstrable impact.
• Cloudflare resources such as /cdn-cgi/ are out of scope w/o demonstrable impact

The following activities and vulnerability types are considered out of scope for this bug bounty program and strictly forbidden:

Physical attacks against our employees, offices, or data centers Social engineering attacks against our employees or users Vulnerabilities in applications or systems not owned by us Vulnerabilities requiring physical access to a user's device Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)

System Roles and Privileges

• Euler DAO: This entity manages the upgrade admin role in GenericFactory (if not revoked) and the admin role in ProtocolConfig.
• Euler Labs: This entity manages oracle adapter registry, the external vaults registry and the IRM registry and well as other day-to-day operations of the protocol.
• Vault creators/governors: Anyone can create a vault and optionally retain governance control over it. Governors are responsible for securely configuring their own vaults, and for selecting suitable vaults to use as collateral.
• EulerRouter governors: These users are responsible for maintaining the pricing sources used by the vaults.
• Synth owners/minters: These users should be considered trusted in the context of managing the synthetic asset and its distribution.
• Regular users: Any other user is considered untrusted.

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Conflict of Interest: any employee or contractor working with or who has ever worked with the Project Entity cannot participate in the Bug Bounty.
  • With the exception that former external contractors, specifically Security Auditors/Researchers, are eligible for findings on Core Components(EVK, EVC, and EPO). Current employees, former employees, and contractors with active engagements remain excluded. Euler reserves the right to determine if there is a conflict of interest on a case-by-case basis.

Testing Guidelines

To ensure safe and responsible testing:

1. Use only your own accounts or test accounts for testing.
2. Do not attempt to access, modify, or destroy data that does not belong to you.
3. Be mindful of testing that might impact system availability or integrity.
4. Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.

If you're unsure whether a specific test is allowed, please contact us before proceeding.