Author
Euler Labs
Date
2025-01-16
Summary
Here we propose to create a risk steward role for Euler DAO-governed vaults that is granted permissions to change vault risk parameters in an optimistic manner. The role would be granted to Gauntlet in the coming weeks. Under this model, all proposals to change risk parameters would need to be published by Gauntlet on the governance forum and would then immediately be moved to a timelock smart contract for execution in an optimistic manner. The timelock would feature an additional Canceller role, held by Euler Labs, to enable rejected or otherwise improperly formatted proposals to be cancelled. To further enhance security, we also propose to add new governance roles that would enable limited rapid response functionality, managed by both Gauntlet and Euler Labs. These roles would have the ability to act in a time sensitive manner to lower the borrow LTV of selected collaterals on a vault, lower the supply and borrow caps of a vault, and, in extreme cases, disable all operations on a vault.
Motivation
Euler is agnostic about whether lenders/borrowers should use governed vaults or not. Governed vaults enable risk managers to tune a vault’s risk parameters to prevailing economic conditions, helping manage risk for users. Ungoverned vaults enable users to manage their own risk without concern for third-party risk. When it comes to risk-management of governed vaults, risk management is almost certainly better carried out by risk management experts than through direct community governance.
To best carry out their role, it is important that risk managers can move relatively quickly without unnecessary bureaucracy slowing down proposals. Nevertheless, risk managers should also not have unchecked power, otherwise they themselves become a critical single point of failure for risk. It is also important for there to be capacity for limited rapid response risk management in the event of time sensitive matters.
This proposal aims to strike a balance between these different concerns by establishing a new way to help manage risk on Euler DAO-governed vaults via timelocked risk stewards and limited rapid response.
Timelocked risk stewards
The idea for timelocked risk stewards builds on a similar model of risk-management used within the Aave ecosystem. The proposal is to establish a Risk Steward role for governed vaults that is granted permissions to change vault risk parameters in an optimistic manner. Euler Labs recently recruited Gauntlet to assist with risk management of the protocol and recommends that they are promoted to become the primary risk steward on Euler DAO-governed vaults.
Optimistic risk management via timelocks enables risk stewards to move quickly to contain risk without placing a heavy governance burden on users to vote on each new proposal or exposing users to risks that they cannot prepare for. Optimistic governance of this form is appropriate for risk because there is substantial evidence that, in practice, most risk management proposals pass without any objection (see history of voting on Aave and Compound, for example). It is therefore more efficient to ask people to voice their opposition to the small subset of proposals that are expected to be rejected than to voice their support for the majority of risk management proposals that are expected to pass.
Whilst optimistic risk management has many benefits, it also has downsides. In particular, it has the potential to give risk managers unchecked power. It is therefore important to develop a system that constrains the power of risk managers. Timelock smart contracts are useful in this regard. They enable risk stewards to push proposals optimistically, whilst still giving stakeholders the opportunity to view the impact of a proposal and vote with their feet (remove their assets) or voice their support for cancelling a proposal. A separate entity or smart contract holding the Canceller role can be used to prevent optimistic proposals from passing. Initially we recommend that the canceller role is held by both the Euler DAO multisig and an Euler Labs operations multisig.
Limited rapid response
To help manage risk in time sensitive scenarios, we propose installing an GovernorAccessControlEmergency contract on all Euler DAO-governed vaults. This smart contract is a lightweight and flexible governor contract that provides selective permissioning in order for whitelisted callers to be allowed to invoke specific functions on target contracts, bypassing traditional timelock and admin requirements.
Entities with the LTV_EMERGENCY_ROLE role can lower the borrow LTV of any collateral accepted by the vault. This functionality might be important in contexts in which there are time-sensitive reasons to prevent certain assets being used as collateral for new loans without compromising the health of existing positions. Note that the borrow LTV is active for loan origination, but it is the liquidation LTV that determines the health of positions.
Entities with the CAPS_EMERGENCY_ROLE role can lower the supply and borrow caps of a vault. This functionality might be important in contexts in which there are time-sensitive reasons to prevent new deposits of assets or prevent additional loans being taken out of a particular asset.
Entities with the HOOK_EMERGENCY_ROLE role can disable all operations of a vault. This is the most powerful rapid response role and can be used to effectively pause a vault. This functionality might be important in contexts in which a vault is no longer functioning and poses a critical threat to a particular market.
These roles aim to enable Euler DAO-appointed entities to quickly respond to time-sensitive situations in Euler DAO-governed markets without compromising the overall access control structure of the governor. Entities with these roles have limited governance, because they can only ever disable existing functionality, rather than enable new functionality. Entities with these roles would be expected to act only in time-sensitive scenarios.
Specification
Timelocked risk steward access controls
Here we propose to use the OpenZeppelin TimelockController contract that will be granted the DEFAULT_ADMIN_ROLE and WILD_CARD on the GovernorAccessControlEmergency contract (read below). The timelock configuration will be as follows:
-
Minimum delay:
- 48h
-
PROPOSER_ROLE:
- Gauntlet multisig
- Euler DAO multisig
-
CANCELLER_ROLE:
- Gauntlet multisig
- Euler DAO multisig
- Euler Labs multisig
-
EXECUTOR_ROLE:
- open (anyone can execute the scheduled transaction after sufficient delay)
Rapid response access controls
Here we propose to use the GovernorAccessControlEmergency limited governor contract as a default governor on all the Euler DAO managed markets. This would be actioned across all networks Euler is deployed to where the Euler DAO governs its own vaults. Specifically, the plan is to:
- Replace the Euler DAO multisig with GovernorAccessControlEmergency instance on all the vaults and oracle routers managed by Euler DAO.
- Grant the DEFAULT_ADMIN_ROLE and WILD_CARD to the TimelockController contract in order for the Risk Steward to retain full governance control of the markets.
- Set the minimum delay for rapid response actions to 0 minutes (no delay).
- Grant the LTV_EMERGENCY_ROLE, HOOK_EMERGENCY_ROLE and CAPS_EMERGENCY_ROLE to the Risk Steward and Euler Labs operations multisig, allowing these entities to perform the following limited rapid response operations:
- lower the borrow LTV of selected collaterals on the vault
- disable all operations of the vault
- lower the supply and borrow caps of the vault.
Note that the GovernorAccessControlEmergency limited governor contract has been audited by yAudit. See here.
Voting
Given Euler’s recent move to an optimistic governance framework, no formal on or off-chain voting is currently required for this proposal to pass. However, we encourage the Euler DAO and community members to provide feedback, share suggestions, and voice their opinions on this initiative. Community input will, as always, be crucial to ensuring that Euler remains relevant, competitive, and risk-managed.
Implementation
Unless any concerns are raised or the DAO would like more time for consideration of this proposal, the Prime market will be actioned by the Euler Foundation in 2 days’ time.
Disclosures, disclaimers and copyright
The author of this proposal, Euler Labs, is contracted to provide software development services by Euler DAO. Copyright is waived via CC0.