Permissionless-pool lending oracle
Euler V2's assessment for RD-F-181 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
EVK is a fully permissionless vault creation system — GenericFactory allows anyone to create vaults. Vault creators can configure UniswapV3Oracle with any Uniswap V3 pool and a 5-minute minimum TWAP window. No protocol-level liquidity floor, token-age minimum, or TWAP minimum requirement is enforced at vault creation time. The Perspectives system (Euler Ungoverned 0x Perspective, Euler Ungoverned nzx Perspective) filters which vaults appear in the official UI but does not prevent vault creation or restrict oracle choice. Rhea Finance pattern (fake pool seeding + spot oracle manipulation → fake token borrowing) is structurally feasible on permissionless Euler vaults. Yellow (not red) because: (a) Perspectives filter provides UI-level protection for sanctioned vaults; (b) permissionless vault risks are user-accepted; (c) no actual exploit of this class confirmed on Euler V2.
Sources #
- InternalEuler V2 Profile — Perspectives SystemPerspectives system — Euler Ungoverned Perspectives in profile §3retrieved 2026-05-04
- UniswapV3Oracle TWAP MinimumUniswapV3Oracle.sol MIN_TWAP_WINDOW = 5 minutes — no protocol-level floor above 5 minretrieved 2026-05-04
- EVK GenericFactory — Permissionless Vault CreationGenericFactory.sol — permissionless createProxy; EVK whitepaper 'anyone can create proxies'retrieved 2026-05-04
Methodology #
Determine whether the lending protocol accepts spot prices from a DEX where any user can permissionlessly create new pools, without requiring a TWAP window, liquidity floor, or token-age minimum on the venue side.
See the full factor methodology and distribution across all protocols →