Euler DAO Vaults Governance
Introduction
Euler DAO managed vaults use a robust, modular governance framework designed to balance operational flexibility, user protection, and rapid emergency response. This system is built on selector-based access control, dual timelocks, and clearly separated roles for routine, administrative, and emergency actions. The architecture is designed to support optimistic risk management, as described in EIP-62.
Governance Architecture
The core of the system is the GovernorAccessControlEmergency contract, which acts as the governor for one or more vaults. This contract is deployed via the GovernorAccessControlEmergencyFactory, which also deploys two OpenZeppelin TimelockController contracts:
- Admin Timelock Controller: Holds the DEFAULT_ADMIN_ROLE on the governor contract. Controls administrative governance (e.g., role management, upgrades).
- Wildcard Timelock Controller: Holds the WILD_CARD role on the governor contract. Handles day-to-day governance (routine parameter changes).
Figure: Governance and access control flow for DAO-managed vaults.
Key Roles & Responsibilities
Timelock Controllers
- Admin Timelock
  - Holds DEFAULT_ADMIN_ROLE on the governor contract
  - Can grant/revoke roles, manage upgrades, and serve as a security backstop
  - Controlled by the DAO multisig
  - Minimum delay: 48h
- Wildcard Timelock
  - Holds WILD_CARD role on the governor contract
  - Allows adding new and phasing out unwanted collaterals
  - Handles routine parameter changes (LTVs, caps, IRMs, etc.)
  - Can include external risk partners, i.e. Gauntlet
  - Minimum delay: 48h
Emergency Guardians
- Addresses (e.g., Euler Labs, Gauntlet, security partners) granted emergency roles directly on the governor contract:
  - LTV_EMERGENCY_ROLE: Can lower borrow LTVs immediately
  - CAPS_EMERGENCY_ROLE: Can lower supply/borrow caps immediately
  - HOOK_EMERGENCY_ROLE: Can pause (disable) all vault operations immediately
- Can act without delay to mitigate critical risks
- Emergency actions are rapid, but recovery (e.g., unpausing) requires timelock
Risk Steward
- Specialized CapRiskSteward contract allows for non-critical parameter changes (caps, IRMs)
- Operates optimistically: changes are not timelocked
- The Risk Steward is a multisig comprised of Gauntlet, Objective Labs, and Euler Labs employees, ensuring that no single party has full control over the CapRiskSteward contract
Transparency & User Protection
- All timelock proposals are public and visible before execution
- Users have a window to exit or respond to pending changes
- Emergency actions are limited to risk-reducing operations
- The admin timelock provides a "break glass" mechanism for ultimate control
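
The role layout and the risk-reducing limit on emergency actions described above can be checked mechanically by a monitor. The following is an added example, not code from Euler or from this page: the snapshot format, the placeholder addresses and the function names are assumptions made for illustration, while the role names and the 48h delay are taken from the text.

```python
MIN_DELAY_S = 48 * 3600  # 48h minimum delay stated on the page
TIMELOCK_ROLES = {"DEFAULT_ADMIN_ROLE": "admin_timelock",
                  "WILD_CARD": "wildcard_timelock"}
EMERGENCY_ROLES = ("LTV_EMERGENCY_ROLE", "CAPS_EMERGENCY_ROLE", "HOOK_EMERGENCY_ROLE")

# Constructed snapshot; addresses are placeholders, not real deployments.
SNAPSHOT = {
    "timelocks": {
        "admin_timelock": {"address": "0xADMIN_TIMELOCK", "min_delay": 172800},
        "wildcard_timelock": {"address": "0xWILDCARD_TIMELOCK", "min_delay": 172800},
    },
    "guardians": {"0xGUARDIAN_A", "0xGUARDIAN_B"},
    "roles": {
        "DEFAULT_ADMIN_ROLE": {"0xADMIN_TIMELOCK"},
        "WILD_CARD": {"0xWILDCARD_TIMELOCK"},
        "LTV_EMERGENCY_ROLE": {"0xGUARDIAN_A"},
        "CAPS_EMERGENCY_ROLE": {"0xGUARDIAN_A", "0xGUARDIAN_B"},
        "HOOK_EMERGENCY_ROLE": {"0xGUARDIAN_B"},
    },
}

def audit_snapshot(snap):
    """Return findings where the snapshot departs from the documented setup."""
    findings = []
    for name, tl in snap["timelocks"].items():
        if tl["min_delay"] < MIN_DELAY_S:
            findings.append(f"{name}: min delay {tl['min_delay']}s is below 48h")
    for role, tl_name in TIMELOCK_ROLES.items():
        holders = set(snap["roles"].get(role, ()))
        if holders != {snap["timelocks"][tl_name]["address"]}:
            findings.append(f"{role}: holders {sorted(holders)} are not exactly {tl_name}")
    for role in EMERGENCY_ROLES:
        extra = set(snap["roles"].get(role, ())) - set(snap["guardians"])
        if extra:
            findings.append(f"{role}: non-guardian holders {sorted(extra)}")
    return findings

def emergency_change_allowed(role, old, new):
    """Immediate actions must reduce risk; anything else needs a timelock."""
    if role in ("LTV_EMERGENCY_ROLE", "CAPS_EMERGENCY_ROLE"):
        return new < old  # may only lower LTVs or caps
    if role == "HOOK_EMERGENCY_ROLE":
        return new is True and old is False  # old/new = paused flag; pause only
    return False

if __name__ == "__main__":
    print(audit_snapshot(SNAPSHOT) or "snapshot matches documented roles")
```
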