Euler-Bounty
Bounty Range: $7,500,000 - $7,500,000
external program
@euler (Live)
https://x.com/eulerfinance
https://github.com/euler-xyz
https://www.euler.finance/
Total reward: 7,500,000 USDC + rEUL + USUAL
Deposit required: $20
Findings submitted: 479
Start date: 21 Aug 2024
Euler V2 is a modular lending platform with two main components at launch: 1) the Euler Vault Kit (EVK), which empowers builders to deploy and chain together their own customised lending vaults in a permissionless manner; and 2) the Ethereum Vault Connector (EVC), a powerful, immutable primitive which gives vaults superpowers by allowing their use as collateral for other vaults. Together, the EVK and EVC provide the flexibility to build or recreate any type of pre-existing or future-state lending product inside the Euler ecosystem.
The Euler Vault Kit is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools.
The Ethereum Vault Connector (EVC) is a foundational layer designed to facilitate the core functionality required for a lending market. It serves as a base building block for various protocols, providing a robust and flexible framework for developers to build upon. The EVC primarily mediates between vaults, contracts that implement the ERC-4626 interface and contain additional logic for interfacing with other vaults. The EVC not only provides a common base ecosystem but also reduces complexity in the core lending/borrowing contracts, allowing them to focus on their differentiating factors.
Euler Price Oracle is a library of modular oracle adapters and components that implement IPriceOracle, an opinionated quote-based interface. It supports Chainlink, Chronicle, RedStone Core and Pyth through minimal, immutable adapter contracts. The EulerRouter component is a dispatcher contract that maintains a configuration of resolver oracles with an optional fallback. The router can price ERC4626 shares to assets through convertToAsset, making it a convenient entry point contract for EVK pricing.
Reward Streams is a powerful and flexible implementation of the billion-dollar algorithm, a popular method for proportional reward distribution in the Ethereum developer community. This project extends the algorithm's functionality to support both staking and staking-free (based on balance changes tracking) reward distribution, multiple reward tokens, and permissionless registration of reward distribution schemes (reward streams). This makes Reward Streams a versatile tool for incentivizing token staking and holding in a variety of use cases.
Fee Flow is an efficient, decentralized, and MEV-resistant mechanism designed to convert fee assets to a single token. It operates using a continuous auto-adjusting Dutch auction mechanism, providing a secure and optimized way to handle fee conversions in blockchain applications. This component helps streamline token economics by efficiently managing the flow of transaction fees across various assets.
Euler Earn is an open source protocol for permissionless risk curation on top of ERC4626 vaults (strategies). It functions as an ERC4626 vault itself, allowing risk curators to deploy vaults through its factory. Each vault supports one loan asset and can allocate deposits across multiple strategies. The protocol offers noncustodial, immutable instances that provide users with a streamlined way to supply liquidity and earn passive yield. While initially designed to integrate with the EVK vaults, Euler Earn can work with any ERC4626-compliant vault.
EulerSwap is an automated market maker (AMM) built on top of the Euler Vault Kit (EVK) and Ethereum Vault Connector (EVC). It allows liquidity providers to earn swap fees, lending yield, and borrow against their positions within a single account. Each instance is controlled by a single operator, enabling full flexibility over liquidity strategy and AMM configuration. EulerSwap introduces just-in-time (JIT) liquidity, a mechanism that lets vaults borrow output tokens at the time of swap using the input token and vault collateral. This design enables deep liquidity with minimal capital and supports single-sided, asymmetric, and concentrated liquidity strategies. EulerSwap is compatible with Uniswap v4 hooks and offers a composable foundation for capital-efficient trading.
To qualify for a reward under this program, you must:
This bug bounty focuses on the vaults, and contracts they directly rely on, which are smart contract addresses returned by the verifiedArray() function of the following default perspectives:
For the most up-to-date deployment addresses across various networks, please refer to the [Euler Docs Contract Addresses](https://docs.euler.finance/developers/contract-addresses/). This website serves as the central source of truth for all network-specific addresses.
For Ethereum Mainnet, the addresses are detailed in the Ethereum Mainnet tab of the [Euler Docs Contract Addresses](https://docs.euler.finance/developers/contract-addresses/). Key addresses include:
Only the contracts in the master/main branch of the following repositories that the above DEPLOYED vaults directly rely on are in scope:
Severity level | Impact: High | Impact: Medium | Impact: Low
Likelihood: high | High | High | Medium
Likelihood: medium | High | Medium | -
Likelihood: low | Medium | - | -
High: These can drastically affect many users and result in major reputational, legal, or financial damage. Examples include the ability to permanently lock contracts or withdraw funds from all users. These could also mean broken core functionality.
Medium: These may result in loss of funds for users, but only under certain conditions, and are not easy to perform. The reward-to-cost ratio is also not large enough, but such issues still need to be fixed. This includes breaking functionality or causing a denial of service (DoS) of users' funds.
High:
Remote code execution
Unauthorized access to sensitive user data
Ability to perform actions as a privileged user
SQL injection
Cross-Site Scripting (XSS) with significant impact
Authentication bypass
Medium:
Cross-Site Request Forgery (CSRF)
Server-side request forgery
Sensitive information disclosure
These rewards apply to vulnerabilities found in the core components of Euler V2 (https://github.com/euler-xyz/ethereum-vault-connector, https://github.com/euler-xyz/euler-vault-kit, https://github.com/euler-xyz/euler-price-oracle). The bug bounty focuses specifically on the vaults, and contracts they directly rely on, which are smart contract addresses returned by the verifiedArray() function of the perspective contracts (Escrowed Collateral, Ungoverned 0x, Ungoverned nzx, and Governed).
Severity Level | Reward
High | $5,000,000.00
Medium | $200,000.00
High: Up to $5,000,000.00 USD, minimum payout $200,000.00 USD
First $2,500,000.00 paid in USDC
Next $2,500,000.00 paid in rEUL
Medium: Up to $200,000.00 USD, minimum payout $50,000.00 USD
Notes:
Rewards are calculated as 10% of their economic impact.
The team may adjust the program after a high-severity payout to ensure sustainability.
rEUL token is valued using a retrospective 30-day volume-weighted average price (TWAP) of EUL on CoinMarketCap from the date of the disclosure.
Examples:
A $1,250,000.00 reward would be paid entirely in USDC.
A $3,500,000.00 reward would be paid as $2,500,000.00 in USDC and $1,000,000.00 in rEUL.
If a vulnerability qualifies for the Euler Core Components Rewards and also affects the Usual Stability Loan (USL) vaults, Usual have generously offered to increase the reward by an additional $2.5 million in USUAL tokens. This brings the total potential reward to $7.5 million.
The USL vaults on Ethereum Mainnet:
Severity Level | Reward
High | $7,500,000.00
Medium | $200,000.00
High: Up to $7,500,000.00 USD, minimum payout $200,000.00 USD
First $2,500,000.00 paid in USDC
Next $2,500,000.00 paid in rEUL
Next $2,500,000.00 paid in USUAL
Medium: Up to $200,000.00 USD, minimum payout $50,000.00 USD
Notes:
Rewards are calculated as 10% of their economic impact.
The team may adjust the program after a high-severity payout to ensure sustainability.
Any rEUL or USUAL tokens will be priced using their respective retrospective 30-day volume-weighted TWAPs on CoinMarketCap from the date of the disclosure.
Examples:
A $1,250,000.00 reward would be paid entirely in USDC.
A $3,500,000.00 reward would be paid as $2,500,000.00 in USDC and $1,000,000.00 in rEUL.
A $5,500,000.00 reward would be paid as $2,500,000.00 in USDC, $2,500,000.00 in rEUL and $500,000.00 in USUAL.
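The tranche rule above (USDC first, then rEUL, then USUAL, each capped at $2,500,000.00) as a worked example that also covers the Core Components case, which stops after the rEUL tranche; this is added here and is not Euler's or Cantina's code. It assumes whole-USD amounts and reads "10% of economic impact" together with the stated minimum and maximum payouts as a clamp, with the final figure still at the team's discretion.

```python
# Added example: reward computation and payout tranches as described in the programme text.
# Amounts are whole USD (an assumption for this illustration). The 10%-of-impact rule with
# min/max clamping is this example's reading of the text.

# Payout tranches in the order the text gives them: USDC first, then rEUL, then USUAL.
CORE_AND_USL_TRANCHES = [("USDC", 2_500_000), ("rEUL", 2_500_000), ("USUAL", 2_500_000)]
# The Core Components programme alone stops after the rEUL tranche.
CORE_TRANCHES = CORE_AND_USL_TRANCHES[:2]

# (minimum payout, maximum payout) per severity for the Core + USL programme.
SEVERITY_BOUNDS = {
    "High": (200_000, 7_500_000),
    "Medium": (50_000, 200_000),
}


def reward_for_impact(economic_impact: int, severity: str) -> int:
    """10% of economic impact, clamped to the severity's minimum and maximum payout."""
    low, high = SEVERITY_BOUNDS[severity]
    return min(max(economic_impact // 10, low), high)


def split_payout(reward: int, tranches=CORE_AND_USL_TRANCHES) -> dict:
    """Fill each tranche in order until the reward is exhausted.

    Returns a mapping of token -> USD value paid in that token; tokens that
    receive nothing are omitted. Raises if the reward exceeds the combined
    capacity of the tranches supplied.
    """
    if reward < 0:
        raise ValueError("reward must be non-negative")
    remaining = reward
    payout = {}
    for token, cap in tranches:
        if remaining == 0:
            break
        portion = min(remaining, cap)
        payout[token] = portion
        remaining -= portion
    if remaining:
        raise ValueError(f"reward exceeds tranche capacity by ${remaining:,}")
    return payout


if __name__ == "__main__":
    for reward in (1_250_000, 3_500_000, 5_500_000):
        print(f"${reward:,}: {split_payout(reward)}")
```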
These rewards apply to vulnerabilities found in [Fee Flow](https://github.com/euler-xyz/fee-flow) and [Reward Streams](https://github.com/euler-xyz/reward-streams) officially deployed by Euler.
Severity Level | Reward
High | $100,000.00
Medium | $25,000.00
High: Up to $100,000.00 USD, minimum payout $25,000.00 USD
Medium: Up to $25,000.00 USD, minimum payout $5,000.00 USD
Notes:
Rewards are calculated as 10% of their economic impact.
The team may adjust the program after a high-severity payout to ensure sustainability.
These rewards apply specifically to vulnerabilities found in the Euler Earn protocol. The bug bounty focuses specifically on the vaults, and contracts they directly rely on, which are smart contract addresses returned by the verifiedArray() function of the Euler Earn Governed Perspective.
Severity Level | Reward
High | $500,000.00
Medium | $100,000.00
High: Up to $500,000.00 USD, minimum payout $100,000.00 USD
Medium: Up to $100,000.00 USD, minimum payout $25,000.00 USD
Notes:
Rewards are calculated as 10% of their economic impact.
The team may adjust the program after a high-severity payout to ensure sustainability.
These rewards apply specifically to vulnerabilities found in the [Euler Swap](https://github.com/euler-xyz/euler-swap) protocol. The bug bounty focuses specifically on the vaults, and contracts they directly rely on, which are smart contract addresses returned by the pools() function of the Euler Swap Factory.
Severity Level | Reward
High | $250,000.00
Medium | $50,000.00
High: Up to $250,000.00 USD, minimum payout $50,000.00 USD
Medium: Up to $50,000.00 USD, minimum payout $10,000.00 USD
Notes:
Rewards are calculated as 10% of their economic impact.
The team may adjust the program after a high-severity payout to ensure sustainability.
Severity Level | Reward
Critical | $25,000.00
High | $5,000.00
Medium | $1,000.00
Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.
Issues described in our documentation: in-code comments, in the README and in the whitepapers.
Issues found in previous [security reviews](https://docs.euler.finance/security/audits)
Issues found in development branches
Issues related to deploy scripts or tests
Third party integrations not functioning as advertised
Issues related to potentially malicious actions taken by Euler DAO controlled entities are considered out of scope as they are assumed to be trusted
Issues related to mistakes made by governors/deployers when configuring vaults or price oracles:
The issue will be considered out of scope if it involves a user or vault actively opting to use something created or controlled by the untrusted actor
Issues related to chain re-orgs and network liveness
Incompatibilities with ERC-4626 and ERC-20 unless they pose a direct security risk
Issues related to non-standard tokens and their behaviors (e.g. https://github.com/d-xo/weird-erc20)
Incorrect hardcoded addresses would be considered low, unless there is a direct loss of funds on deployment from using them.
The following activities and vulnerability types are considered out of scope for this bug bounty program and strictly forbidden:
Physical attacks against our employees, offices, or data centers
Social engineering attacks against our employees or users
Vulnerabilities in applications or systems not owned by us
Vulnerabilities requiring physical access to a user's device
Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)
Live testing on public chains, including public mainnet deployments and public testnet deployments.
We recommend testing on local forks, for example using Foundry.
Public disclosure of bugs without the consent of the protocol team.
Conflict of Interest: any employee or contractor working with or who has ever worked with the Project Entity cannot participate in the Bug Bounty.
With the exception that former external contractors, specifically Security Auditors/Researchers, are eligible for findings on Core Components (EVK, EVC, and EPO). Current employees, former employees, and contractors with active engagements remain excluded. Euler reserves the right to determine if there is a conflict of interest on a case-by-case basis.
To ensure safe and responsible testing: