Skip to main content

Euler DAO Vaults Governance

Introduction

Euler DAO managed vaults use a robust, modular governance framework designed to balance operational flexibility, user protection, and rapid emergency response. This system is built on selector-based access control, dual timelocks, and clearly separated roles for routine, administrative, and emergency actions. The architecture is designed to support optimistic risk management, as described in EIP-62.

Governance Architecture

The core of the system is the GovernorAccessControlEmergency contract, which acts as the governor for one or more vaults. This contract is deployed via the GovernorAccessControlEmergencyFactory, which also deploys two OpenZeppelin TimelockController contracts:

  • Admin Timelock Controller: Holds the DEFAULT_ADMIN_ROLE on the governor contract. Controls administrative governance (e.g., role management, upgrades).
  • Wildcard Timelock Controller: Holds the WILD_CARD role on the governor contract. Handles day-to-day governance (routine parameter changes).

Governance Architecture Diagram

Figure: Governance and access control flow for DAO-managed vaults.

Key Roles & Responsibilities

Timelock Controllers

  • Admin Timelock

    • Holds DEFAULT_ADMIN_ROLE on the governor contract
    • Can grant/revoke roles, manage upgrades, and serve as a security backstop
    • Controlled by the DAO multisig
    • Minimum delay: 48h

  • Wildcard Timelock

    • Holds WILD_CARD role on the governor contract
    • Allows adding new and phasing out unwanted collaterals
    • Handles routine parameter changes (LTVs, caps, IRMs, etc.)
    • Can include external risk partners, i.e. Gauntlet
    • Minimum delay: 48h

Emergency Guardians

  • Addresses (e.g., Euler Labs, Gauntlet, security partners) granted emergency roles directly on the governor contract:
    • LTV_EMERGENCY_ROLE: Can lower borrow LTVs immediately
    • CAPS_EMERGENCY_ROLE: Can lower supply/borrow caps immediately
    • HOOK_EMERGENCY_ROLE: Can pause (disable) all vault operations immediately
  • Can act without delay to mitigate critical risks
  • Emergency actions are rapid, but recovery (e.g., unpausing) requires timelock

Risk Steward

  • Specialized CapRiskSteward contract allows for non-critical parameter changes (caps, IRMs)
  • Operates optimistically: changes are not timelocked
  • The Risk Steward is a multisig comprised of Gauntlet, Objective Labs, and Euler Labs employees, ensuring that no single party has full control over the CapRiskSteward contract

Transparency & User Protection

  • All timelock proposals are public and visible before execution
  • Users have a window to exit or respond to pending changes
  • Emergency actions are limited to risk-reducing operations
  • The admin timelock provides a "break glass" mechanism for ultimate control