Treehouse Smart Contracts: Program Info

Triaged by HackenProof
Treehouse Finance

Treehouse is a decentralized application that introduces Treehouse Assets (tAssets) and Decentralized Offered Rates (DOR), new primitives that enable fixed income products in digital assets.

In Scope

| Target | Address | Description | Type | Severity | Reward |
|---|---|---|---|---|---|
| tETH token - proxy address | https://etherscan.io/address/0xD11c452fc99cF405034ee446803b6F6c1F6d5ED8 | | Smart Contract | Critical | Bounty |
| tAsset Implementation | https://etherscan.io/address/0xD1A622566F277AA76c3C47A30469432AAec95E38 | tETH token - implementation address | Smart Contract | Critical | Bounty |
| IAU_wstETH | https://etherscan.io/address/0x1B6238E95bBCABEE58997c99BaDD4154ad68BA92 | Internal accounting contract that manages the wstETH amount deposited into the Vault and records the wstETH yield generated by the Strategy | Smart Contract | Critical | Bounty |
| tETH_router | https://etherscan.io/address/0xeFA3fa8e85D2b3CfdB250CdeA156c2c6C90628F5 | Interaction contract for depositing ETH/WETH/wstETH/stETH | Smart Contract | Critical | Bounty |
| tETH_Vault | https://etherscan.io/address/0x551d155760ae96050439AD24Ae98A96c765d761B | Stores all converted/deposited wstETH from depositors; funds in this vault are then used to deploy the investment strategy and are kept ready for user withdrawals | Web | Critical | Bounty |
| TreehouseRedemptionV2 | https://etherscan.io/address/0xcd63a29FAfF07130d3Af89bB4f40778938AaBB85 | Interaction contract for redeeming wstETH with a 7-day waiting period | Smart Contract | Critical | Bounty |
| TreehouseFastlane | https://etherscan.io/address/0x829525417Cd78CBa0f99A8736426fC299506C0d6 | Interaction contract for redeeming wstETH instantly | Smart Contract | Critical | Bounty |
| TreehouseFastlaneFee | https://etherscan.io/address/0x434B68B11bBE8FD3074089397cA3d275801d6354 | Manages the instant redemption fee (%) | Smart Contract | Critical | Bounty |
| RedemptionController | https://etherscan.io/address/0xdF2eE409BEe416A53b5C040d8e6dAD4a7cEb2510 | Manages Redemption contract addresses and makes the final redeem request to the Vault to transfer wstETH to redeemers | Smart Contract | Critical | Bounty |
| tETH Lock Release Token Pool | https://etherscan.io/address/0x8113f001ea456759264317007220cbc939ca8435 | Supports tETH bridging transactions from mainnet to Arbitrum; for every bridge transaction of tETH to Arbitrum, an equivalent amount of tETH is locked in this contract, and vice versa | Smart Contract | Critical | Bounty |
| Simple Staking ERC20 | https://etherscan.io/address/0x5E4ACCa7a9989007cD74aE4ed1b096c000779DCC | Interaction contract for staking allowed LP tokens | Smart Contract | Critical | Bounty |
| Curve.fi tETHwstETH Gauge | https://etherscan.io/address/0xCf1787F70533b4cFb5B2f727d8D024107518943a | Liquidity farm pool for the Curve tETH LP token | Smart Contract | Critical | Bounty |
| Curve.fi tETHweETH Gauge | https://etherscan.io/address/0xFe964d3E779752C7598985436A8598F13f22F6F4 | Liquidity farm pool for the Curve tETH LP token | Smart Contract | Critical | Bounty |
| StrategyStorage | https://etherscan.io/address/0x97c03F52244E60BB18511Cbf03f890D5886f1F47 | Stores strategy information (id, address, action id, asset); manages the active strategy addresses and the strategy executor address | Smart Contract | Critical | Bounty |
| Strategy Executor | https://etherscan.io/address/0x89f57D3617F6a9FF877fEa34Dd0688b2840Ef50e | Entry point for executing actions on strategy contracts; manages the active executor address | Smart Contract | Critical | Bounty |
| ActionExecutor | https://etherscan.io/address/0xb1593193Bcd7CEcc3d19597658003d735D1e9E94 | Implementation contract of the Strategy Address contract, used to execute a list of action contracts in sequence | Smart Contract | Critical | Bounty |
| Strategy0 - Aave Core | https://etherscan.io/address/0x60d2D94aCB969CA54e781007eE89F04c1A2e5943 | Strategy contract to execute pre-defined logic on the Aave V3 core market | Smart Contract | Critical | Bounty |
| Strategy1 - Spark | https://etherscan.io/address/0x5aE0e44DE96885702bD99A6914751C952d284938 | Strategy contract to execute pre-defined logic on the Spark market | Smart Contract | Critical | Bounty |
| Strategy2 - Aave Prime | https://etherscan.io/address/0xB27D688Ac06a441c005657971B11521e80CdcE98 | Strategy contract to execute pre-defined logic on the Aave V3 Prime market | Smart Contract | Critical | Bounty |
| Strategy3 - Gearbox | https://etherscan.io/address/0xbfdF0aF6Df48E645Bd076802B95DDEf0b1E02a9d | Strategy contract to execute pre-defined logic on the Gearbox wstETH pool | Smart Contract | Critical | Bounty |
| GearboxRedeem | https://etherscan.io/address/0x150d67ad07700918FC77d7fD2e78967693718Ece | Action to withdraw wstETH from the Gearbox wstETH pool | Smart Contract | Critical | Bounty |
| GearboxDeposit | https://etherscan.io/address/0x8793164ae37E5fAE2cdf7620F4D4DC615bC22f31 | Action to supply wstETH to the Gearbox wstETH pool | Smart Contract | Critical | Bounty |
| ActionRegistry | https://etherscan.io/address/0x94aF5994EB6841e1D930C95AD0C9F89771c3073F | Manages action contract addresses and ids | Smart Contract | Critical | Bounty |
| LidoStake | https://etherscan.io/address/0xbdFb29cCD82dB3ccf462F3CB600892b2E6f185C7 | Action to stake ETH and WETH with Lido | Smart Contract | Critical | Bounty |
| LidoUnwrap | https://etherscan.io/address/0xb8cD2bA2A0Ada353aE15398618Fafb1d7BD558C5 | Action to unwrap wstETH to stETH | Smart Contract | Critical | Bounty |
| LidoWithdrawClaim | https://etherscan.io/address/0x99eAe56224EA5Bcb2c886D0a07154217b7A1E5d1 | Action to withdraw from Lido | Smart Contract | Critical | Bounty |
| LidoWithdrawStart | https://etherscan.io/address/0x3e34E0694204e462Deaf8EBbeEE2bE9F887f3C3b | Action to withdraw from Lido | Smart Contract | Critical | Bounty |
| LidoWrap | https://etherscan.io/address/0x160F1f3a512Fa7cCefA0eb08f881282c05d6eb0f | Action to wrap stETH to wstETH | Smart Contract | Critical | Bounty |
| VaultPull | https://etherscan.io/address/0x313Ca6136521D22A7Ea763B3566Ed0B53F5B3AB9 | Action to withdraw wstETH from the Strategy contract back to the Vault contract | Smart Contract | Critical | Bounty |
| VaultSend | https://etherscan.io/address/0xc780112305ED959CEEeb0DE692E2407E4145Fc3A | Action to transfer wstETH from the Vault to the Strategy contract | Smart Contract | Critical | Bounty |
| ProtocolPoolController | https://etherscan.io/address/0x03a993369b5b6290D412b63d29f3bC2dC13f5e61 | Manages protocol and pool information, such as protocol name, pool address, and data provider address | Smart Contract | Critical | Bounty |
| aaveV3Borrow | https://etherscan.io/address/0xEE1F8dc0135EE9dC2e00fac3817b9C530d34B6ba | Action to borrow WETH from Aave V3 | Smart Contract | Critical | Bounty |
| aaveV3Supply | https://etherscan.io/address/0x3503152722beeE269E9B4E0921F2c3D44C90d2b5 | Action to supply wstETH to Aave V3 | Smart Contract | Critical | Bounty |
| aaveV3Payback | https://etherscan.io/address/0x71f4d0A74b7F1BB07cc767dC2f4b436E907476DC | Action to repay Aave V3 debt | Smart Contract | Critical | Bounty |
| aaveV3SetEMode | https://etherscan.io/address/0x819Bdb303e224CaC4aC14Da17a1ec13895869b65 | Action to set the loan to E-mode | Smart Contract | Critical | Bounty |
| aaveV3Withdraw | https://etherscan.io/address/0x0039d822156FF2FD28ac6e19A518660890fcD2E0 | Action to withdraw wstETH from Aave V3 | Smart Contract | Critical | Bounty |
| aaveV3HealthFactorCheck | https://etherscan.io/address/0x351dd4581d61BCE7101FDf5f6864D510021c7CaB | Action to query the health factor of the debt in Aave V3 | Smart Contract | Critical | Bounty |
| aaveV3ClaimRewards | https://etherscan.io/address/0x5a2FA3b7e027D6bf307B166311763972eAd1747E | Action to claim rewards from Aave V3 | Smart Contract | Critical | Bounty |
| sparkBorrow | https://etherscan.io/address/0x47F04d3F7361371AEA6F53CF0f44976904Aa49Fe | Action to borrow WETH from Spark | Smart Contract | Critical | Bounty |
| sparkSupply | https://etherscan.io/address/0xaC3388367E427DC2B29F5167A5009851AC26b32F | Action to supply wstETH to Spark | Smart Contract | Critical | Bounty |
| sparkPayback | https://etherscan.io/address/0xB55db668F209AB707c90Aa949182B6071f00330b | Action to repay Aave V3 debt | Smart Contract | Critical | Bounty |
| sparkSetEMode | https://etherscan.io/address/0x24f034051cA0A24de9a5192B91f61C3edBc6d093 | Action to set the loan to E-mode | Smart Contract | Critical | Bounty |
| sparkWithdraw | https://etherscan.io/address/0x0fd6AFFaedd3e883170B17B41b925D3216fB3960 | Action to withdraw wstETH from Spark | Smart Contract | Critical | Bounty |
| sparkHealthFactorCheck | https://etherscan.io/address/0xa0773fB76Cfd4cF6747C455de79c3dE94F853744 | Action to query the health factor of the debt in Spark | Smart Contract | Critical | Bounty |
| sparkClaimRewards | https://etherscan.io/address/0xbE3600b2a1E9ad19075A96cEF413b844D81Aa3cC | Action to claim rewards from Spark | Smart Contract | Critical | Bounty |
| TreehouseAccounting | https://etherscan.io/address/0xb7Ce3cb5Bc5c00cd2f9B39d9b0580f5355535709 | Treehouse Accounting contract | Smart Contract | Critical | Bounty |
| NavHelper | https://etherscan.io/address/0x86b238787f24EEcF24500135BC9D4D117062b6E6 | Contract to calculate the Treehouse NAV | Smart Contract | Critical | Bounty |
| NavRegistry | https://etherscan.io/address/0xe2d60463dE3a0221276D737b87C605e0BB5451E9 | | Smart Contract | Critical | Bounty |
| NavLens | https://etherscan.io/address/0xfdA0B8bcA5d0A5A5093141D8a45D133A9f09B258 | | Smart Contract | Critical | Bounty |
| NavAaveV3 | https://etherscan.io/address/0xf754727f48b286A1f4A0507566167Fdfe6fEb8dd | | Smart Contract | Critical | Bounty |
| NavErc20 | https://etherscan.io/address/0xa0a105E10801B52Bf89a042bDB40c7389E57aF36 | | Smart Contract | Critical | Bounty |
| NavUnStEth | https://etherscan.io/address/0x4c82F6829797A4174a082CE9FEE0B9BDDc1E5E39 | | Smart Contract | Critical | Bounty |
| NavErc20WithDebt | https://etherscan.io/address/0xFF62aD6200a54ffF9288c997f8ca2d480A0C48bC | Fixes the price discrepancy with the Spark oracle | Smart Contract | Critical | Bounty |
| PnlAccounting V2 | https://etherscan.io/address/0xDD317b85f7Bd56361e2e3216610803e433aCaEa7 | Contract to calculate and realize Treehouse's profit and loss | Smart Contract | Critical | Bounty |
| WstETHRateProvider | https://etherscan.io/address/0xA14A1A1646980c2B78Eddd51B66EC220AEfE6109 | Provides the wstETH/stETH and wstETH/ETH rates | Smart Contract | Critical | Bounty |
| stethEthOracle | https://etherscan.io/address/0x7c0eDbbB862b27C04689202ef6B3B2fd6B8852c0 | Provides the stETH/ETH rate | Smart Contract | Critical | Bounty |
| usdEthOracle | https://etherscan.io/address/0xd7f100067952f0ebCF70461Bc09aa1cA973E79de | Provides the ETH/USD rate | Smart Contract | Critical | Bounty |
| Rate Provider Registry | https://etherscan.io/address/0xD0B6c01e9A8d21Ed05726f9020B577a614BeDCe7 | Provides the ETH/USD, wstETH/ETH, and stETH/ETH rates | Smart Contract | Critical | Bounty |
| tEthEthRate_Provider | https://etherscan.io/address/0x077C2122e96C7457d11FB9523f5745acb49fDc1e | Provides the tETH/ETH price using the stETH/ETH CL oracle | Smart Contract | Critical | Bounty |
| tEthethExchangeRateProvider | https://etherscan.io/address/0x4bd1ec6cDaD93B3C6219ceDA018ECaf8D655Fa8d | Provides the tETH/ETH price using the exchange rate | Smart Contract | Critical | Bounty |
| FixedRateProvider | https://etherscan.io/address/0xcbb64b15b0c14645A9216a4Caf57B33AA9bA2860 | Returns a fixed rate of 1:1 | Smart Contract | Critical | Bounty |
| DWSTETHV3RateProvider | https://etherscan.io/address/0xf5760a2f36a8A3Bf57cfc8376B046669A7FbbF08 | | Smart Contract | Critical | Bounty |
| Multisig Wallet | https://etherscan.io/address/0x22261B4D6F629D8cF946C3524df86bF7222901F6 | Owner address of multiple Treehouse contracts, such as the Vault, Strategy Executor, PnL, strategy storage and Router | Smart Contract | Critical | Bounty |
| MS Accounting | https://etherscan.io/address/0x608a60E587666766F855c1aDffc99851f9d44C62 | Executor address on the PnL Accounting contract, used to execute the doAccounting function | Smart Contract | Critical | Bounty |
| MS Rebalancing | https://etherscan.io/address/0x57bB3aA2d0DD7ee9bDbe24c6d2fB32c128234064 | Executor address on the Strategy Executor contract, used to execute the executeOnStrategy function | Smart Contract | Critical | Bounty |
| Multisig Wallet - Base | https://etherscan.io/address/0x28624ff9c0dbB899CeE659C676d1b761aDbbc45b | | Smart Contract | Critical | Bounty |
| tETH token | https://etherscan.io/address/0xd09ACb80C1E8f2291862c4978A008791c9167003 | tETH token proxy contract on the Arbitrum chain | Smart Contract | Critical | Bounty |
| tETH Mint Burn Token Pool | https://etherscan.io/address/0x0C3603B0c299e680A5Af4dC83a962d66E852903B | Supports tETH bridging transactions from mainnet to Arbitrum; this contract mints new tokens for tETH bridged to Arbitrum and burns tETH when tokens are bridged back to mainnet | Smart Contract | Critical | Bounty |

IN-SCOPE: SMART CONTRACT VULNERABILITIES

We are looking for evidence and reasons for incorrect behavior of the smart contracts that could cause unintended functionality, such as:

  • Stealing or loss of funds
  • Unauthorized transactions
  • Transaction manipulation
  • Attacks on logic (behavior of the code differs from the business description)
  • Reentrancy
  • Reordering
  • Overflows and underflows
OUT OF SCOPE: SMART CONTRACT VULNERABILITIES

  • Theoretical vulnerabilities without any proof or demonstration
  • Old compiler version
  • The compiler version is not locked
  • Vulnerabilities in imported contracts
  • Code style guide violations
  • Redundant code
  • Gas optimizations
  • Best practice issues

PROGRAM RULES

  • Avoid using web application scanners for automatic vulnerability searching, which generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don't access or modify other users' data; localize all tests to your own accounts
  • Perform testing only within the scope
  • Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don't spam forms or account creation flows using automated scanners
  • If you find a chain of vulnerabilities, we will pay only for the vulnerability with the highest severity
  • Don't break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission
  • For more information, check: https://docs.treehouse.finance/protocol
  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment
  • Please do NOT publish or discuss bugs

We are happy to thank everyone who submits valid reports that help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of the Company or one of its contractors.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.