★ Immutable oracle address
Euler V2's assessment for RD-F-180 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary #
[★ CRITICAL-CANDIDATE, PD-017] EVK whitepaper explicitly states: 'Each vault has the address of a price oracle installed. This address is immutable and cannot be changed, even by the vault governor.' ChainlinkOracle.sol confirms: 'address public immutable feed;'. UniswapV3Oracle.sol: 'address public immutable pool;'. All adapter parameters (feed address, pool address, maxStaleness, twapWindow) are immutable state variables. The recommended mitigation is EulerRouter — a governable wrapper that can redirect pricing queries without changing the vault's immutable oracle address. However: (1) Not all vaults are required to use EulerRouter; (2) Permissionless vaults with direct adapters have no oracle replacement path; (3) The fraction of TVL-bearing vaults using EulerRouter vs. direct adapters is not confirmed. Yellow (not red) because EulerRouter mitigation exists and is promoted by official documentation; red would require evidence that high-TVL official vaults forgo EulerRouter. FLAG: PD
Sources #
- GitHubChainlinkOracle — Immutable Feed AddressChainlinkOracle.sol: address public immutable feedretrieved 2026-05-04
- EVK Whitepaper — Oracle ImmutabilityEVK whitepaper: 'oracle address is immutable and cannot be changed, even by the vault governor'retrieved 2026-05-04
- EulerRouter — Admin-Replaceable Oracle WrapperEulerRouter.sol govSetConfig/govSetFallbackOracle — EulerRouter mitigationretrieved 2026-05-04
- EVault Governance — Oracle View OnlyGovernance.sol oracle() view only — no setOracle function confirmedretrieved 2026-05-04
Methodology #
Determine whether any collateral oracle address is marked `immutable` in protocol config with no admin-replaceable adapter wrapper, preventing the protocol from repricing when the upstream asset depegs.
See the full factor methodology and distribution across all protocols →