eIP64 EulerSwap Live CTF Competition

Author(s): Euler Labs
Submission Date: 28 May 2025


Abstract

This proposal requests approval to deploy a 250,000 USDC + 250,000 USDT EulerSwap vault using Euler DAO treasury funds in order to host a “Capture The Flag” (CTF) live security competition ahead of the public release of EulerSwap.

The funds will be placed in vaults accessible via a live EulerSwap instance, and may either be awarded to successful researchers or retained as liquidity in EulerSwap if no critical vulnerabilities are found. A portion of these funds will also be used to conduct testing in the period leading up to the competition to ensure everything is correctly configured and tested.


Motivation

Enhanced Security and Reliability — The cornerstone of this proposal is a rigorous “Capture The Flag” security competition, organised in partnership with a respected security provider. This competition will serve multiple critical purposes:

Final Stress Test: By deploying 500,000 USD in stablecoins from the Euler DAO treasury into a live EulerSwap vault, we create a realistic, high-stakes environment that closely mimics mainnet conditions. This setup is designed to attract top-tier security researchers and ethical hackers, ensuring a thorough, adversarial examination of EulerSwap’s architecture.

Vulnerability Discovery: EulerSwap introduces novel mechanisms such as just-in-time liquidity borrowing, operator-managed collateral accounts, dynamic AMM curves, and vault-integrated swaps. The live competition format encourages creative and diverse attack approaches that go beyond traditional audit methodologies—maximising the chance of uncovering subtle or emergent vulnerabilities.

Pre-Launch Assurance: Running this intensive security assessment immediately before the public release of EulerSwap provides the final opportunity to validate protocol robustness. Any critical issues discovered can be patched prior to launch, reducing the risk of post-deployment exploits and increasing user confidence in the system’s safety.

Why a Live Vault?
By seeding a real EulerSwap vault with a significant amount of stablecoins, we create a high-stakes environment that mirrors production conditions. This approach is designed to:

  • Incentivize top security talent to participate

  • Uncover edge-case vulnerabilities beyond static audits

  • Validate the safety of just-in-time borrowing, operator permissions, custom AMM curves, and vault health logic under attack

Testing the Core Innovations of EulerSwap
The CTF specifically targets features introduced in EulerSwap:

  • JIT liquidity borrowing mechanics (e.g., borrowing USDT against USDC)

  • Operator smart contracts managing LP accounts and debt

  • Dynamic hedging and virtual reserves

  • Custom AMM curves with concentration parameters

  • Integration with lending vaults and exposure to liquidation risk

Strategic Dual Use of DAO Funds

These funds are not spent; they are deployed with a clear outcome-based allocation:

  • If exploited: The attacker is awarded the vault balance as a security bounty. This validates the incentive model and secures the protocol before public use.

  • If not exploited: The funds remain in place and become one of the first live liquidity hubs in EulerSwap. The ownership will then be transferred to the Euler DAO for administration. This demonstrates confidence and supports immediate usage and growth.

Additionally, a portion of the funds may be used to support preparatory activities such as vault configuration tests, deployment, and monitoring tooling in advance of the official competition window.

This structure ensures that whether vulnerabilities are found or not, the DAO’s capital contributes to protocol resilience and adoption.


Specification

Transfer 250,000 USDC and 250,000 USDT from the Euler DAO treasury to a designated multisig controlled by Euler Labs. These assets will be deployed into a live EulerSwap vault instance managed via an EVC operator contract. This contract will be configured so that all key protocol mechanics are exposed as public attack surface.

Some portion of the funds may be used during the lead-up period to perform live tests and to validate the deployment configuration and monitoring logic. These tests will help ensure a successful and clean execution of the main competition.

The competition will be run in collaboration with external security partners, with a defined competition window and rules of engagement. Upon completion, Euler Labs will assess and document all findings and coordinate post-CTF actions, including patching and redeploying if needed. Finally, the ownership of the designated multisig will be transferred to the Euler DAO once the competition is completed.


Risks and Considerations

  • Smart Contract Risk: While the codebase has undergone auditing and internal review, this live competition acknowledges the possibility of unknown bugs in the JIT mechanism, operator delegation, or curve logic.

  • Treasury Exposure: A total of $500,000 will be exposed in a public vault. This is considered acceptable given the upside of stress testing the system and the option to retain the funds if no successful exploit is found.

  • Liquidation Risk: Operator-controlled borrowing within EulerSwap is subject to volatility and debt ratio drift. This risk is part of the test design.


Next Steps

If this proposal passes, Euler DAO will coordinate with Euler Labs to transfer the funds to the Euler Labs-controlled multisig, with the intention of deploying them in alignment with the specifications outlined in this proposal. Pre-competition testing will begin shortly after funding is approved to ensure a stable environment for the competition.
