Euler Finance Integration
Comprehensive guide to securing Euler Finance vaults with Matador.
Euler Finance offers modular lending vaults where permission management is crucial for protecting capital efficiency and preventing unauthorized withdrawals. This guide details how to implement robust security policies for Euler integrations.
Security Architecture
graph TD
    User[Lending Bot] -->|Deposit/Withdraw| Safe[Smart Account]
    Safe -->|Check Policy| Matador[Matador Interpreter]
    Matador -->|Verify Calldata| Check{Policy Rules}
    Check -- Pass --> Vault[Euler Vault]
    Check -- Fail --> Revert[Revert Transaction]

Permission Patterns
1. Secure Deposits
When automating deposits, the critical invariant is that the shares are minted to the smart account, not to an attacker.
import "abis/EulerVault.json" as Euler;
permission SafeEulerDeposit -> 1.0.0 {
  parameters: {
    vault: address
  }
  when: {
    all {
      // 1. Verify Target Vault
      context.target == parameters.vault,
      // 2. Verify Function Selector
      Euler.deposit,
      // 3. Verify Receiver (Shares minted to self)
      context.args.receiver == context.account
    }
  }
}

2. Operational Limits (Capped Exposure)
Prevent a bot from deploying too much capital into a single vault, limiting exposure to protocol risks.
import "abis/EulerVault.json" as Euler;
permission CappedDeposit -> 1.0.0 {
  parameters: {
    vault: address,
    maxDepositAmount: uint256
  }
  when: {
    all {
      context.target == parameters.vault,
      Euler.deposit,
      context.args.amount <= parameters.maxDepositAmount
    }
  }
}

3. Flash Loan Protection (Self-Originated)
Euler vaults support flash loans. You may want to allow flash loans ONLY if the borrower is your own account (e.g., for liquidation or rebalancing strategies), preventing external actors from using your credit.
import "abis/EulerVault.json" as Euler;
permission SafeFlashLoan -> 1.0.0 {
  when: {
    all {
      Euler.flashLoan,
      // Ensure the transaction origin is the account owner (EOA)
      // This prevents complex composed attacks
      context.origin == context.caller
    }
  }
}

Integration Tutorial
Setup Project
Install the CLI and download the Euler Vault ABI.
npm install -D matador-policy-cli
mkdir abis
# Download Euler Vault ABI to ./abis/EulerVault.json

Write the Policy
Create policies/euler-guard.matador.
import "abis/EulerVault.json" as Euler;
permission EulerGuard -> 1.0.0 {
  parameters: {
    vault: address
  }
  when: {
    all {
      context.target == parameters.vault,
      // Allow deposit only to self
      any {
        all {
          Euler.deposit,
          context.args.receiver == context.account
        },
        // Allow withdraw only to self
        all {
          Euler.withdraw,
          context.args.receiver == context.account
        }
      }
    }
  }
}

Compile & Deploy
Compile the policy and provision it to your smart account.
npx matador-policy-cli compile policies/euler-guard.matador

Gas Optimization
- Selector First: Always check Euler.deposit or Euler.withdraw before checking arguments. This fails fast if the function is wrong.
- Batching: If you are performing multiple operations (e.g. approve + deposit), consider wrapping them in a MultiCall and using a policy that inspects the MultiCall data (advanced).
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| PermissionViolation | receiver mismatch. | Ensure your bot sends receiver as the smart account address, not msg.sender (which might be the bot EOA). |
| Invalid Target | Wrong vault address. | Euler has many vaults (one per asset). Ensure the policy parameter matches the specific vault you are interacting with. |
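
The following is an added example, not part of Matador or of the original guide: a pre-flight check a bot can run on raw calldata before submitting, mirroring the EulerGuard conditions plus the CappedDeposit limit so that the receiver mismatch from the table above is caught off-chain. It assumes the vault exposes the standard ERC-4626 selectors for deposit(uint256,address) and withdraw(uint256,address,address); checkEulerCall, its reason strings and the sample addresses are hypothetical and constructed for illustration.

```javascript
// Added example: off-chain mirror of the EulerGuard and CappedDeposit checks.
// Assumption: the vault uses the standard ERC-4626 selectors below.
const SELECTORS = {
  "6e553f65": "deposit", // deposit(uint256,address)
  "b460af94": "withdraw", // withdraw(uint256,address,address)
};
const ARG_WORDS = { deposit: 2, withdraw: 3 };
const fail = (reason) => ({ ok: false, reason });
// i-th 32-byte ABI word of the argument section, as hex.
const word = (args, i) => args.slice(i * 64, (i + 1) * 64);

function checkEulerCall({ target, data, account, vault, maxDepositAmount }) {
  const hex = data.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) return fail("malformed calldata");
  // Same order as the policy: target, then selector, then arguments.
  if (target.toLowerCase() !== vault.toLowerCase()) return fail("invalid target");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return fail("selector not allowed");
  const args = hex.slice(8);
  if (args.length !== ARG_WORDS[fn] * 64) return fail("malformed calldata");
  const amount = BigInt("0x" + word(args, 0));
  const receiverWord = word(args, 1);
  // An address occupies the low 20 bytes; the upper 12 must be zero padding.
  if (!receiverWord.startsWith("0".repeat(24))) return fail("malformed calldata");
  const receiver = "0x" + receiverWord.slice(24);
  if (receiver !== account.toLowerCase()) return fail("receiver mismatch");
  if (fn === "deposit" && maxDepositAmount !== undefined && amount > maxDepositAmount) {
    return fail("deposit above cap");
  }
  return { ok: true, fn, amount, receiver };
}

// Constructed sample values, not real addresses.
const VAULT = "0x" + "aa".repeat(20);
const SAFE = "0x" + "bb".repeat(20);
const BOT_EOA = "0x" + "cc".repeat(20);
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const encodeDeposit = (amount, receiver) =>
  "0x6e553f65" + pad(amount.toString(16)) + pad(receiver);

const base = { target: VAULT, account: SAFE, vault: VAULT, maxDepositAmount: 1000n };
const toSafe = checkEulerCall({ ...base, data: encodeDeposit(500n, SAFE) });
const toBot = checkEulerCall({ ...base, data: encodeDeposit(500n, BOT_EOA) });
console.log(toSafe.ok, toBot.ok, toBot.reason);
```

The on-chain policy remains the enforcement point; this check only surfaces a would-be PermissionViolation before the transaction is sent.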