Euler v2 is a modular lending platform with two main components at launch: 1) the Euler Vault Kit (EVK), which empowers builders to deploy and chain together their own customised lending vaults in a permissionless manner; and 2) the Ethereum Vault Connector (EVC), a powerful, immutable, primitive which give vaults superpowers by allowing their use as collateral for other vaults. Together, the EVK and EVC provide the flexibility to build or recreate any type of pre-existing or future-state lending product inside the Euler ecosystem.

Euler Vault Kit:

The Euler Vault Kit is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools.

Users can borrow from a credit vault as long as they have sufficient collateral deposited in other credit vaults. The liability vault (the one that was borrowed from) decides which credit vaults are acceptable as collateral. Interest is charged to borrowers by continuously increasing the amount of their outstanding liability and this interest results in yield for the depositors.

Vaults are integrated with the Ethereum Vault Connector contract (EVC), which keeps track of the vaults used as collateral by each account. In the event a liquidation is necessary, the EVC allows a liability vault to withdraw collateral on a user's behalf.

The EVC is also an alternate entry-point for interacting with vaults. It provides multicall-like batching, simulations, gasless transactions, and flash liquidity for efficient refinancing of loans. External contracts can be invoked without needing special adaptors, and all functionality is accessible to both EOAs and contract wallets. Although each address is only allowed one outstanding liability at any given time, the EVC provides it with 256 virtual addresses, called sub-accounts (from here on, just accounts). Sub-account addresses are internal to the EVC and compatible vaults, and care should be taken to ensure that these addresses are not used by other contracts.

The EVC is responsible for authentication, and vaults are responsible for authorisation. For example, if a user attempts to redeem a certain amount, the EVC makes sure the request actually came from the user, and the vault makes sure the user actually has this amount.

Ethereum Vault Connector

The Ethereum Vault Connector (EVC) is a foundational layer designed to facilitate the core functionality required for a lending market. It serves as a base building block for various protocols, providing a robust and flexible framework for developers to build upon. The EVC primarily mediates between vaults, contracts that implement the ERC-4626 interface and contain additional logic for interfacing with other vaults. The EVC not only provides a common base ecosystem but also reduces complexity in the core lending/borrowing contracts, allowing them to focus on their differentiating factors.

Euler Price Oracles:

Euler Price Oracles is a library of modular oracle adapters and components that implement IPriceOracle, an opinionated quote-based interface. It supports Chainlink, Chronicle, RedStone Core and Pyth through minimal, immutable adapter contracts. The EulerRouter component is a dispatcher contract that maintains a configuration of resolver oracles with an optional fallback. The router can price ERC4626 shares to assets through convertToAsset, making it a convenient entry point contract for EVK pricing.

Reward Streams:

Reward Streams is a powerful and flexible implementation of the billion-dollar algorithm, a popular method for proportional reward distribution in the Ethereum developer community. This project extends the algorithm's functionality to support both staking and staking-free (based on balance changes tracking) reward distribution, multiple reward tokens, and permissionless registration of reward distribution schemes (reward streams). This makes Reward Streams a versatile tool for incentivizing token staking and holding in a variety of use cases.

Prize distribution and scoring

• Primary Prize Pool: $1,150,000

• Formal Verification Prize pool: $100,000

• The Primary prize pool distribution has 3 possible triggers:

  • If one or more valid low severity findings are found, the total pot size is $20,000
  • If one or more valid medium severity findings are found, the total pot size is $200,000
  • If one or more valid high severity findings are found, the total pot size is $1,150,000

• $20,000 of the prize pot is reserved for Low Severity findings. These reports are judged based on quality and reviewers are then ranked from 1st to 5th for the purpose of prize allocation.

  • 1st: $10,000
  • 2nd: $5,000
  • 3rd: $2,500
  • 4th: $1,250
  • 5th: $1,250

Note that for Low findings, we want to encourage high-quality non-trivial submissions. Given that the codebase has gone through multiple reviews before, and due to the large number of participants, we’ll be marking any trivial low / info findings as invalid (these are typically findings generated from a static-analyzer). To reiterate, the above pot is judged on quality alone and not quantity.

• Formal Verification prize Pool:
  • $100k is reserved for the formal verification pool. Full details on the here
• Scoring described in the competition scoring page.
• Findings Severities described in detail on our docs page.

Documentation

Links

• EVC
• Euler Documentation

White Papers

• EVC
• EVK
• Price Oracles
• Reward Streams

Specs

• EVC
• EVK

Audit Reports/Security Reviews

EVC

• Audit Reports Directory
  • Certora
  • ChainSecurity
  • Hunter Security
  • Omniscia (PDF) or Omniscia (Web)
  • OpenZeppelin
  • Spearbit
  • Trail of Bits
  • yAudit EVK + EVC + EPO
  • yAudit (Jan 2024)

EVK

• Audit Reports Directory
  • Certora
  • ChainSecurity (preliminary findings)
  • Omniscia (Web)
  • OpenZeppelin
  • yAudit
  • Spearbit (draft)

Price Oracle

• Audit Reports Directory
  • ChainSecurity
  • Omniscia (Web) or Omniscia (PDF)
  • OpenZeppelin
  • yAudit
  • Spearbit (draft)

Reward Streams

• Audit Reports Directory
  • Hunter Security
  • MixBytes

Scope

Walkthrough

• [EVC]
• [EVK]
• Price Oracle

Contracts

• EVC
  • Commit: f791f94e6e790dd82041908983b57412dc04fb84
  • Total LOC: 980
  • Files:

File	Lines	nLines	nSLOC	Comments
ethereum-vault-connector/src/utils/EVCUtil.sol	109	109	63	34
ethereum-vault-connector/src/EthereumVaultConnector.sol	1236	1126	603	305
ethereum-vault-connector/src/Set.sol	310	307	170	85
ethereum-vault-connector/src/ExecutionContext.sol	90	90	54	19
ethereum-vault-connector/src/interfaces/IERC1271.sol	15	14	3	9
ethereum-vault-connector/src/interfaces/IEthereumVaultConnector.sol	434	48	18	297
ethereum-vault-connector/src/interfaces/IVault.sol	33	16	3	23
ethereum-vault-connector/src/TransientStorage.sol	51	51	19	23
ethereum-vault-connector/src/Events.sol	80	80	22	46
ethereum-vault-connector/src/Errors.sol	50	50	25	22
Totals	2408	1891	980	863

• Euler Vault Kit

  • Commit: f6fd0ee3b454630abd961d6471beb0c7eaf1216a
  • Total LOC: 3093
  • Files:

File	Lines	nLines	nSLOC	Comments
euler-vault-kit/src/interfaces/IBalanceTracker.sol	20	19	3	14
euler-vault-kit/src/interfaces/ISequenceRegistry.sol	14	13	3	8
euler-vault-kit/src/interfaces/IPermit2.sol	16	15	3	10
euler-vault-kit/src/interfaces/IFlashLoan.sol	13	12	3	7
euler-vault-kit/src/interfaces/IHookTarget.sol	14	13	3	8
euler-vault-kit/src/interfaces/IPriceOracle.sol	32	12	3	19
euler-vault-kit/src/Synths/EulerSavingsRate.sol	267	240	129	72
euler-vault-kit/src/Synths/ERC20Collateral.sol	74	68	27	33
euler-vault-kit/src/Synths/PegStabilityModule.sol	156	156	85	46
euler-vault-kit/src/Synths/ESynth.sol	169	169	91	51
euler-vault-kit/src/Synths/IRMSynth.sol	109	109	74	16
euler-vault-kit/src/EVault/modules/Liquidation.sol	239	217	116	53
euler-vault-kit/src/EVault/modules/Initialize.sol	107	107	62	21
euler-vault-kit/src/EVault/modules/Borrowing.sol	171	171	102	22
euler-vault-kit/src/EVault/modules/RiskManager.sol	127	109	55	26
euler-vault-kit/src/EVault/modules/Vault.sol	275	262	158	39
euler-vault-kit/src/EVault/modules/Governance.sol	406	395	216	100
euler-vault-kit/src/EVault/modules/BalanceForwarder.sol	59	59	33	10
euler-vault-kit/src/EVault/modules/Token.sol	103	103	60	18
euler-vault-kit/src/EVault/DToken.sol	95	95	44	32
euler-vault-kit/src/EVault/Dispatch.sol	175	175	121	46
euler-vault-kit/src/EVault/IEVault.sol	558	54	14	319
euler-vault-kit/src/EVault/EVault.sol	243	243	100	30
euler-vault-kit/src/EVault/shared/LTVUtils.sol	20	20	11	5
euler-vault-kit/src/EVault/shared/BalanceUtils.sol	127	114	69	14
euler-vault-kit/src/EVault/shared/Cache.sol	135	135	80	26
euler-vault-kit/src/EVault/shared/Events.sol	127	127	39	70
euler-vault-kit/src/GenericFactory/BeaconProxy.sol	80	80	50	16
euler-vault-kit/src/EVault/shared/Errors.sol	59	59	52	5
euler-vault-kit/src/GenericFactory/GenericFactory.sol	205	193	88	67
euler-vault-kit/src/GenericFactory/MetaProxyDeployer.sol	29	29	13	10
euler-vault-kit/src/EVault/shared/EVCClient.sol	144	141	96	15
euler-vault-kit/src/InterestRateModels/IIRM.sol	25	17	4	15
euler-vault-kit/src/ProtocolConfig/IProtocolConfig.sol	33	18	3	23
euler-vault-kit/src/ProtocolConfig/ProtocolConfig.sol	218	212	103	61
euler-vault-kit/src/EVault/shared/LiquidityUtils.sol	125	106	63	18
euler-vault-kit/src/EVault/shared/BorrowUtils.sol	192	188	128	19
euler-vault-kit/src/EVault/shared/Constants.sol	64	64	31	23
euler-vault-kit/src/EVault/shared/AssetTransfers.sol	43	43	22	14
euler-vault-kit/src/EVault/shared/Base.sol	152	148	92	31
euler-vault-kit/src/EVault/shared/Storage.sol	21	21	7	9
euler-vault-kit/src/InterestRateModels/IRMLinearKink.sol	74	64	39	13
euler-vault-kit/src/EVault/shared/types/AmountCap.sol	33	33	14	13
euler-vault-kit/src/EVault/shared/types/Snapshot.sol	38	38	19	13
euler-vault-kit/src/EVault/shared/types/LTVConfig.sol	84	80	47	20
euler-vault-kit/src/EVault/shared/types/Owed.sol	83	83	56	8
euler-vault-kit/src/EVault/shared/types/UserStorage.sol	76	76	47	12
euler-vault-kit/src/EVault/shared/types/Shares.sol	70	70	50	6
euler-vault-kit/src/EVault/shared/types/VaultCache.sol	52	52	20	21
euler-vault-kit/src/EVault/shared/types/Assets.sol	91	91	67	6
euler-vault-kit/src/EVault/shared/types/ConfigAmount.sol	39	39	24	7
euler-vault-kit/src/EVault/shared/lib/ConversionHelpers.sol	26	22	12	6
euler-vault-kit/src/EVault/shared/lib/AddressUtils.sol	17	17	8	5
euler-vault-kit/src/EVault/shared/types/VaultStorage.sol	78	78	32	34
euler-vault-kit/src/EVault/shared/lib/RPow.sol	100	100	59	28
euler-vault-kit/src/EVault/shared/types/Flags.sol	25	25	13	7
euler-vault-kit/src/EVault/shared/lib/SafeERC20Lib.sol	53	50	31	10
euler-vault-kit/src/EVault/shared/types/Types.sol	82	82	58	4
euler-vault-kit/src/EVault/shared/lib/RevertBytes.sol	21	21	12	5
euler-vault-kit/src/EVault/shared/lib/ProxyUtils.sol	30	30	18	7
euler-vault-kit/src/SequenceRegistry/SequenceRegistry.sol	32	32	11	14
Totals	6345	5614	3093	1680

• Euler Price Oracle
  • Commit: c4074ab7a7aa0c6ffbc555391d9f0bfe1ee5fd6f
  • Total LOC: 450
  • Files:

File	Lines	nLines	nSLOC	Comments
euler-price-oracle/src/lib/Governable.sol	44	44	22	15
euler-price-oracle/src/lib/ScaleUtils.sol	78	70	31	32
euler-price-oracle/src/lib/Errors.sol	25	25	9	15
euler-price-oracle/src/interfaces/IPriceOracle.sol	30	11	3	18
euler-price-oracle/src/EulerRouter.sol	153	149	64	74
euler-price-oracle/src/adapter/chronicle/IChronicle.sol	16	12	3	10
euler-price-oracle/src/adapter/chronicle/ChronicleOracle.sol	71	71	34	29
euler-price-oracle/src/adapter/chainlink/ChainlinkOracle.sol	74	74	36	30
euler-price-oracle/src/adapter/chainlink/AggregatorV3Interface.sol	23	10	3	13
euler-price-oracle/src/adapter/pyth/PythOracle.sol	139	139	76	51
euler-price-oracle/src/adapter/CrossAdapter.sol	63	63	29	29
euler-price-oracle/src/adapter/redstone/RedstoneCoreOracle.sol	131	131	66	53
euler-price-oracle/src/adapter/lido/IStEth.sol	16	11	3	10
euler-price-oracle/src/adapter/lido/LidoOracle.sol	35	35	16	16
euler-price-oracle/src/adapter/BaseAdapter.sol	40	39	17	17
euler-price-oracle/src/adapter/uniswap/UniswapV3Oracle.sol	78	78	38	34
Totals	1016	962	450	446

• Reward Streams

  • Commit: 4f63aea41dae996b59d0ba453326b6e97f44f680

  • Total LOC: 392

  • Files:

File	Lines	nLines	nSLOC	Comments
reward-streams/src/interfaces/IBalanceTracker.sol	19	18	3	13
reward-streams/src/interfaces/IRewardStreams.sol	45	17	6	10
reward-streams/src/StakingRewardStreams.sol	113	108	63	21
reward-streams/src/BaseRewardStreams.sol	664	617	290	225
reward-streams/src/TrackingRewardStreams.sol	62	58	30	18
Totals	903	818	392	287

Build Instructions

• Ethereum Vault Connector build instructions
• Euler Vault Kit build instructions
• Euler Price Oracle build instructions

Basic Proof Of Concept test

• EVC

• EVK

• Price Oracle

  • Adapter PoCs: use a fork test
    • Chainlink
    • Chronicle
    • Lido
    • Pyth
    • RedStone
    • Uniswap

• Reward Streams

System Roles and Privileges

• Euler DAO: This entity manages the upgrade admin role in GenericFactory (if not revoked), and the admin role in ProtocolConfig. For the purposes of this contest, this role is considered trusted.
• Vault creators/governors: Anyone can create a vault and optionally retain governance control over it. Governors are responsible for securely configuring their own vaults, and for selecting suitable vaults to use as collateral. For this contest, a vault's governor should be considered trusted so far as users of this vault are concerned (including other vault governors who choose to use it as collateral).
• EulerRouter price governors: These users are responsible for maintaining the pricing sources used for an oracle. For this contest they can be trusted to not select malicious oracles.
• Synth owners/minters: These users should be considered trusted in the context of managing the synthetic asset and its distribution.
• Regular users: Any other user is considered untrusted.

Out of Scope issues

Any previous issue marked as acknowledged/will not fix is not in scope to be reported again. If there has been a fix implemented, the fixed code can be treated as in scope.

• Issues described in our documentation: in-code comments, in the README and in the whitepapers.
• Issues found in previous security reviews
• Issues related to deploy scripts or tests
• Third party integrations not functioning as advertised
• Issues related to potentially malicious actions taken by Euler DAO controlled entities are considered out of scope as they are assumed to be trusted
• Issues related to non Euler DAO/untrusted entities or mistakes made by governors/admins/deployers when configuring vaults or price oracles:
  • The issue will be considered out of scope if it involves a user or vault actively opting to use something created or controlled by the untrusted actor
  • The issue will be considered in scope if there is impact on other disconnected vaults/parts of the system that are not associated with the untrusted actor
• Issues related to chain re-orgs and network liveness
• Issues related to non-EVM networks
• Issues related to Arbitrum, Base, and Optimism networks are in scope. While issues specific to deployment on other EVM networks will be considered valid for low vulnerability payouts only
• Incompatibilities with ERC-4626 and ERC-20 unless they pose a direct security risk
• Issues related to non-standard tokens and their behaviors (i.e. weird-tokens)
• Incorrect hardcoded addresses would be considered low, unless there is a direct loss of funds on deployment from using them.
• Protocol must change relevant addresses(if any) prior to deploying across multiple chains. These issues are at best low.
• Automated findings from Lightchaser

EVK-Specific

• Omniscia EVK web report (see above), since we don't have PDF yet
• External contracts chosen by the factory admin are assumed to not be malicious:
  • EVC, ProtocolConfig, SequenceRegistry, BalanceTracker, Permit2
• External contracts chosen by governor are assumed to not be malicious:
  • Underlying tokens, Price Oracles, IRMs, hook targets

Euler Price Oracle-Specific

• We are aware that some Price Oracles are not compatible with all networks. RedstoneCoreOracle and LidoOracle only work on Ethereum. ChronicleOracle does not (yet) work on Base and Optimism.
• Issues related to misconfiguration in the constructors, including but not limited to zero addresses, wrong base/quote tokens and invalid decimals.
• Issues related to a malicious/compromised governor in EulerRouter.
• Issues related to misconfiguration in EulerRouter, including but not limited to resolving ERC4626 vaults with an insecure convertToAssets method.
• Issues related to overflows and other math errors must have a demonstrable impact with a concrete scenario.
• Issues related to reusing an adapter for integrations it was not intended for. For example, using ChainlinkOracle for an AggregatorV3-compatible oracle that is not Chainlink.
• Issues related to censorship / frontrunning users that interact with Pyth and RedStone. We expect users to interact with the EVC or another multicall-like contract to update the price and retrieve it in a single call.
• Issues related to using non-crypto price feeds in oracle adapters, including but not limited to Stocks feeds, ETF feeds, Forex feeds and any other feeds that have working hours.
• Issues stemming from sequencer downtime on L2s, including but not limited to inexistent sequencer liveness checks.
• Issues stemming from liveness and catastrophic bugs or malicious behaviour in the integrated oracles, including but not limited to Chainlink upgrades, Chronicle caller whitelist, RedStone signers rotating, Pyth downtime due to Wormhole. By using an oracle users choose to accept those trust assumptions.

Reward Stream-Specific

• Issues related to an incorrect integration of the tracking reward streams (ie, a non-EVK installation)

Automated findings generated by LightChaserV3

• Euler : Ethereum Vault Connector
  • MD : https://gist.github.com/ChaseTheLight01/3ce13d82c932b72521472ae33cf38755
• Euler : Euler Price Oracle
  • MD : https://gist.github.com/ChaseTheLight01/ca8d4c928b04bb880ed5f15a79fa4e23
• Euler : Euler Vault Kit
  • MD : https://gist.github.com/ChaseTheLight01/4a609494e95d69594a7ab70e19536177
• Euler : Reward Streams
  • MD : https://gist.github.com/ChaseTheLight01/809ccf44883b9e052211fe0da4e6a2fb