'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Bug bounty 
Triaged by HackenproofTreehouse Smart Contracts: Program info
Treehouse Smart Contracts
Company: Treehouse FinanceTreehouse is a decentralized application that introduces Treehouse Assets (tAssets) and Decentralized Offered Rates (DOR), new primitives that enable fixed income products in digital assets.
| Target | Type | Severity | Reward |
|---|---|---|---|
https://etherscan.io/address/0xD11c452fc99cF405034ee446803b6F6c1F6d5ED8  Copy  Copied tETH token - proxy address | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xD1A622566F277AA76c3C47A30469432AAec95E38 Copy Copied tAsset Implemenation tETH token - implemantation address | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x1B6238E95bBCABEE58997c99BaDD4154ad68BA92 Copy Copied IAU_wstETH Internal Accounting contract to manage deposited wstETH amount into Vault and record generated wstETH yield from Strategy | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xeFA3fa8e85D2b3CfdB250CdeA156c2c6C90628F5 Copy Copied tETH_router Interaction contract for depositing ETH/ WETH/ wstETH/ stETH | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x551d155760ae96050439AD24Ae98A96c765d761B Copy Copied tETH_Vault Store all converted/deposited wstETH from depositors. Funds in this vault afterward will be used for deploying investment strategy and ready for user withdrawals | Web | Critical | Bounty |
https://etherscan.io/address/0xcd63a29FAfF07130d3Af89bB4f40778938AaBB85 Copy Copied TreehouseRedemptionV2 Interaction contract for redeeming wstETH with 7 waiting days period | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x829525417Cd78CBa0f99A8736426fC299506C0d6 Copy Copied TreehouseFastlane Interaction contract for redeeming wstETH instantly | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x434B68B11bBE8FD3074089397cA3d275801d6354 Copy Copied TreehouseFastlaneFee Manage Instant redemption % fee | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xdF2eE409BEe416A53b5C040d8e6dAD4a7cEb2510 Copy Copied RedemptionController Manages Redemption contract addresses, and make the final redeem request to Vault to transfer wstETH to redeemers | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x8113f001ea456759264317007220cbc939ca8435 Copy Copied tETH Lock Release Token Pool Support tETH bridging transactions from mainnet to arbitrum. For every bridge transaction of tETH to arbitrum chain, an equivalent amount of tETH will be locked in this contract and vice versa | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x5E4ACCa7a9989007cD74aE4ed1b096c000779DCC Copy Copied Simple Staking ERC20 Interaction contract for staking allowed LP tokens | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xCf1787F70533b4cFb5B2f727d8D024107518943a Copy Copied Curve.fi tETHwstETH Gauge Liquidity farm pool for Curve tETH LP token | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xFe964d3E779752C7598985436A8598F13f22F6F4 Copy Copied Curve.fi tETHweETH Gauge Liquidity farm pool for Curve tETH LP token | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x97c03F52244E60BB18511Cbf03f890D5886f1F47 Copy Copied StrategyStorage Store strategies information (id, address, action id, asset). Manage active strategy addresses, and strategy executor address | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x89f57D3617F6a9FF877fEa34Dd0688b2840Ef50e Copy Copied Strategy Executor Entry point for executing actions on strategy contracts. Manage active executor address | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xb1593193Bcd7CEcc3d19597658003d735D1e9E94 Copy Copied ActionExecutor Implementation contract of Strategy Address contract, used to execute a list of action contracts in sequence | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x60d2D94aCB969CA54e781007eE89F04c1A2e5943 Copy Copied Strategy0 - Aave Core Strategy contract to execute pre-defined logic on Aave V3 core market | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x5aE0e44DE96885702bD99A6914751C952d284938 Copy Copied Strategy1 - Spark Strategy contract to execute pre-defined logic on Spark market | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xB27D688Ac06a441c005657971B11521e80CdcE98 Copy Copied Strategy2 - Aave Prime Strategy contract to execute pre-defined logic on Aave V3 Prime market | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xbfdF0aF6Df48E645Bd076802B95DDEf0b1E02a9d Copy Copied Strategy3 - Gearbox Strategy contract to execute pre-defined logic on Gearbox wstETH pool | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x150d67ad07700918FC77d7fD2e78967693718Ece Copy Copied GearboxRedeem Action to withdraw wstETH from Gearbox wstETH pool | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x8793164ae37E5fAE2cdf7620F4D4DC615bC22f31 Copy Copied GearboxDeposit Action to supply wstETH to Gearbox wstETH pool | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x94aF5994EB6841e1D930C95AD0C9F89771c3073F Copy Copied ActionRegistry Manage action contract addresses and Id | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xbdFb29cCD82dB3ccf462F3CB600892b2E6f185C7 Copy Copied LidoStake Action to stake ETH and WETH to Lido | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xb8cD2bA2A0Ada353aE15398618Fafb1d7BD558C5 Copy Copied LidoUnwrap Action to unwrap wstETH to stETH | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x99eAe56224EA5Bcb2c886D0a07154217b7A1E5d1 Copy Copied LidoWithdrawClaim Action to withdraw from Lido | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x3e34E0694204e462Deaf8EBbeEE2bE9F887f3C3b Copy Copied LidoWithdrawStart Action to withdraw from Lido | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x160F1f3a512Fa7cCefA0eb08f881282c05d6eb0f Copy Copied LidoWrap Action to wrap stETH to wstETH | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x313Ca6136521D22A7Ea763B3566Ed0B53F5B3AB9 Copy Copied VaultPull Action to withdraw wstETH from Strategy contract back to Vault contract | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xc780112305ED959CEEeb0DE692E2407E4145Fc3A Copy Copied VaultSend Action to transfer wstETH from Vault to Strategy contract | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x03a993369b5b6290D412b63d29f3bC2dC13f5e61 Copy Copied ProtocolPoolController Manage protocol and pool information, such as protocol name, pool address, and data provider address | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xEE1F8dc0135EE9dC2e00fac3817b9C530d34B6ba Copy Copied aaveV3Borrow Action to borrow WETH from Aave V3 | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x3503152722beeE269E9B4E0921F2c3D44C90d2b5 Copy Copied aaveV3Supply Action to supply wstETH to Aave V3 | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x71f4d0A74b7F1BB07cc767dC2f4b436E907476DC Copy Copied aaveV3Payback Action to repay Aave v3 debt | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x819Bdb303e224CaC4aC14Da17a1ec13895869b65 Copy Copied aaveV3SetEMode Action to set the loan to E-mode | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x0039d822156FF2FD28ac6e19A518660890fcD2E0 Copy Copied aaveV3Withdraw Action to withdraw wstETH from Aave V3 | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x351dd4581d61BCE7101FDf5f6864D510021c7CaB Copy Copied aaveV3HealthFactorCheck Action to query Health Factor for the debt in Aave V3 | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x5a2FA3b7e027D6bf307B166311763972eAd1747E Copy Copied aaveV3ClaimRewards Action to claim rewards from Aave V3 | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x47F04d3F7361371AEA6F53CF0f44976904Aa49Fe Copy Copied sparkBorrow Action to borrow WETH from Spark | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xaC3388367E427DC2B29F5167A5009851AC26b32F Copy Copied sparkSupply Action to supply wstETH to Spark | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xB55db668F209AB707c90Aa949182B6071f00330b Copy Copied sparkPayback Action to repay Aave v3 debt | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x24f034051cA0A24de9a5192B91f61C3edBc6d093 Copy Copied sparkSetEMode Action to set the loan to E-mode | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x0fd6AFFaedd3e883170B17B41b925D3216fB3960 Copy Copied sparkWithdraw Action to withdraw wstETH from Spark | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xa0773fB76Cfd4cF6747C455de79c3dE94F853744 Copy Copied sparkHealthFactorCheck Action to query Health Factor for the debt in Spark | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xbE3600b2a1E9ad19075A96cEF413b844D81Aa3cC Copy Copied sparkClaimRewards Action to claim rewards from Spark | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xb7Ce3cb5Bc5c00cd2f9B39d9b0580f5355535709 Copy Copied TreehouseAccounting Treehoouse Accounting contract | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x86b238787f24EEcF24500135BC9D4D117062b6E6 Copy Copied NavHelper Contract to calculate Treehouse NAV | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xe2d60463dE3a0221276D737b87C605e0BB5451E9 Copy Copied NavRegistry | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xfdA0B8bcA5d0A5A5093141D8a45D133A9f09B258 Copy Copied NavLens | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xf754727f48b286A1f4A0507566167Fdfe6fEb8dd Copy Copied NavAaveV3 | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xa0a105E10801B52Bf89a042bDB40c7389E57aF36 Copy Copied NavErc20 | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x4c82F6829797A4174a082CE9FEE0B9BDDc1E5E39 Copy Copied NavUnStEth | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xFF62aD6200a54ffF9288c997f8ca2d480A0C48bC Copy Copied NavErc20WithDebt To fix price discrepancy with spark oracle | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xDD317b85f7Bd56361e2e3216610803e433aCaEa7 Copy Copied PnlAccounting V2 Contract to calculate and realize Treehouse's Profit and Loss | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xA14A1A1646980c2B78Eddd51B66EC220AEfE6109 Copy Copied WstETH_Rate_Provider Provides wstETH/stETH, and wstETH/ETH rate | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x7c0eDbbB862b27C04689202ef6B3B2fd6B8852c0 Copy Copied steth_Eth_Oracle Provides stETH/ETH rate | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xd7f100067952f0ebCF70461Bc09aa1cA973E79de Copy Copied usd_Eth_Oracle Provides ETH/ USD rate | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xD0B6c01e9A8d21Ed05726f9020B577a614BeDCe7 Copy Copied Rate Provider Registry Provides ETH/USD, wstETH/ETH, and stETH/ETH rate | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x077C2122e96C7457d11FB9523f5745acb49fDc1e Copy Copied tEth_Eth_Rate_Provider Provides tETH/ETH price using stETH/ETH CL oracle | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x4bd1ec6cDaD93B3C6219ceDA018ECaf8D655Fa8d Copy Copied tEth_eth_ExchangeRateProvider Provides tETH/ETH price using exchange rate | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xcbb64b15b0c14645A9216a4Caf57B33AA9bA2860 Copy Copied FixedRateProvider Returns a fixed rate of 1:1 | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xf5760a2f36a8A3Bf57cfc8376B046669A7FbbF08 Copy Copied DWSTETHV3RateProvider | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x22261B4D6F629D8cF946C3524df86bF7222901F6 Copy Copied Multisig Wallet Owner address of multiple Treehosue contracts, such as: Vault, Strategy Executor, PnL, strategy storage, Router | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x608a60E587666766F855c1aDffc99851f9d44C62 Copy Copied MS Accounting Executor address on PnL Accounting contract, It's used to execute doAccounting function | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x57bB3aA2d0DD7ee9bDbe24c6d2fB32c128234064 Copy Copied MS Rebalancing Executor address on Strategy Executor contract, used to execute executeOnStrategy function | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x28624ff9c0dbB899CeE659C676d1b761aDbbc45b Copy Copied Mutisig Wallet - Base | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xd09ACb80C1E8f2291862c4978A008791c9167003 Copy Copied tETH token tETH token proxy contract on abritrum chain | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x0C3603B0c299e680A5Af4dC83a962d66E852903B Copy Copied tETH Mint Burn Token Pool Support tETH bridging transactions from mainnet to arbitrum. This contract will mint new token for tETH bridged to arbitrum, and burn tETH if token is bridged back to mainnet | Smart Contract | Critical | Bounty |
Copied tETH token - proxy address
Copied tAsset Implemenation tETH token - implemantation address
Copied IAU_wstETH Internal Accounting contract to manage deposited wstETH amount into Vault and record generated wstETH yield from Strategy
Copied tETH_router Interaction contract for depositing ETH/ WETH/ wstETH/ stETH
Copied tETH_Vault Store all converted/deposited wstETH from depositors. Funds in this vault afterward will be used for deploying investment strategy and ready for user withdrawals
Copied TreehouseRedemptionV2 Interaction contract for redeeming wstETH with 7 waiting days period
Copied TreehouseFastlane Interaction contract for redeeming wstETH instantly
Copied TreehouseFastlaneFee Manage Instant redemption % fee
Copied RedemptionController Manages Redemption contract addresses, and make the final redeem request to Vault to transfer wstETH to redeemers
Copied tETH Lock Release Token Pool Support tETH bridging transactions from mainnet to arbitrum. For every bridge transaction of tETH to arbitrum chain, an equivalent amount of tETH will be locked in this contract and vice versa
Copied Simple Staking ERC20 Interaction contract for staking allowed LP tokens
Copied Curve.fi tETHwstETH Gauge Liquidity farm pool for Curve tETH LP token
Copied Curve.fi tETHweETH Gauge Liquidity farm pool for Curve tETH LP token
Copied StrategyStorage Store strategies information (id, address, action id, asset). Manage active strategy addresses, and strategy executor address
Copied Strategy Executor Entry point for executing actions on strategy contracts. Manage active executor address
Copied ActionExecutor Implementation contract of Strategy Address contract, used to execute a list of action contracts in sequence
Copied Strategy0 - Aave Core Strategy contract to execute pre-defined logic on Aave V3 core market
Copied Strategy1 - Spark Strategy contract to execute pre-defined logic on Spark market
Copied Strategy2 - Aave Prime Strategy contract to execute pre-defined logic on Aave V3 Prime market
Copied Strategy3 - Gearbox Strategy contract to execute pre-defined logic on Gearbox wstETH pool
Copied GearboxRedeem Action to withdraw wstETH from Gearbox wstETH pool
Copied GearboxDeposit Action to supply wstETH to Gearbox wstETH pool
Copied ActionRegistry Manage action contract addresses and Id
Copied LidoStake Action to stake ETH and WETH to Lido
Copied LidoUnwrap Action to unwrap wstETH to stETH
Copied LidoWithdrawClaim Action to withdraw from Lido
Copied LidoWithdrawStart Action to withdraw from Lido
Copied LidoWrap Action to wrap stETH to wstETH
Copied VaultPull Action to withdraw wstETH from Strategy contract back to Vault contract
Copied VaultSend Action to transfer wstETH from Vault to Strategy contract
Copied ProtocolPoolController Manage protocol and pool information, such as protocol name, pool address, and data provider address
Copied aaveV3Borrow Action to borrow WETH from Aave V3
Copied aaveV3Supply Action to supply wstETH to Aave V3
Copied aaveV3Payback Action to repay Aave v3 debt
Copied aaveV3SetEMode Action to set the loan to E-mode
Copied aaveV3Withdraw Action to withdraw wstETH from Aave V3
Copied aaveV3HealthFactorCheck Action to query Health Factor for the debt in Aave V3
Copied aaveV3ClaimRewards Action to claim rewards from Aave V3
Copied sparkBorrow Action to borrow WETH from Spark
Copied sparkSupply Action to supply wstETH to Spark
Copied sparkPayback Action to repay Aave v3 debt
Copied sparkSetEMode Action to set the loan to E-mode
Copied sparkWithdraw Action to withdraw wstETH from Spark
Copied sparkHealthFactorCheck Action to query Health Factor for the debt in Spark
Copied sparkClaimRewards Action to claim rewards from Spark
Copied TreehouseAccounting Treehoouse Accounting contract
Copied NavHelper Contract to calculate Treehouse NAV
Copied NavRegistry
Copied NavLens
Copied NavAaveV3
Copied NavErc20
Copied NavUnStEth
Copied NavErc20WithDebt To fix price discrepancy with spark oracle
Copied PnlAccounting V2 Contract to calculate and realize Treehouse's Profit and Loss
Copied WstETH_Rate_Provider Provides wstETH/stETH, and wstETH/ETH rate
Copied steth_Eth_Oracle Provides stETH/ETH rate
Copied usd_Eth_Oracle Provides ETH/ USD rate
Copied Rate Provider Registry Provides ETH/USD, wstETH/ETH, and stETH/ETH rate
Copied tEth_Eth_Rate_Provider Provides tETH/ETH price using stETH/ETH CL oracle
Copied tEth_eth_ExchangeRateProvider Provides tETH/ETH price using exchange rate
Copied FixedRateProvider Returns a fixed rate of 1:1
Copied DWSTETHV3RateProvider
Copied Multisig Wallet Owner address of multiple Treehosue contracts, such as: Vault, Strategy Executor, PnL, strategy storage, Router
Copied MS Accounting Executor address on PnL Accounting contract, It's used to execute doAccounting function
Copied MS Rebalancing Executor address on Strategy Executor contract, used to execute executeOnStrategy function
Copied Mutisig Wallet - Base
Copied tETH token tETH token proxy contract on abritrum chain
Copied tETH Mint Burn Token Pool Support tETH bridging transactions from mainnet to arbitrum. This contract will mint new token for tETH bridged to arbitrum, and burn tETH if token is bridged back to mainnet
Focus Area
IN-SCOPE: SMART CONTRACT VULNERABILITIES
- We are looking for evidence and reasons for incorrect behavior of the smart contract, which could cause unintended functionality:
- Stealing or loss of funds
- Unauthorized transaction
- Transaction manipulation
- Attacks on logic (behavior of the code is different from the business description)
- Reentrancy
- Reordering
- Over and underflows
OUT OF SCOPE: SMART CONTRACT VULNERABILITIES
- Theoretical vulnerabilities without any proof or demonstration
- Old compiler version
- The compiler version is not locked
- Vulnerabilities in imported contracts
- Code style guide violations
- Redundant code
- Gas optimizations
- Best practice issues
Program Rules
- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
- For more information, check: https://docs.treehouse.finance/protocol
Disclosure Guidelines
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial is allowed for the moment.
- Please do NOT publish/discuss bugs
Eligibility and Coordinated Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must not be a former or current employee of us or one of its contractor.
- ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
- Provide detailed but to-the point reproduction steps
Rewards '%3e%3cpath%20d='M3%2021H24V24H0V0H3V21ZM6.75%2019.5C6.44587%2019.5006%206.14477%2019.4396%205.8649%2019.3205C5.58502%2019.2015%205.33219%2019.027%205.12167%2018.8075C4.91115%2018.588%204.74731%2018.3281%204.64006%2018.0435C4.5328%2017.7589%204.48436%2017.4555%204.49766%2017.1517C4.51095%2016.8478%204.58571%2016.5498%204.71741%2016.2757C4.84911%2016.0015%205.03502%2015.7569%205.2639%2015.5567C5.49279%2015.3564%205.7599%2015.2046%206.0491%2015.1105C6.3383%2015.0164%206.64358%2014.9818%206.9465%2015.009L9.3645%2010.9785C9.1434%2010.639%209.0181%2010.246%209.00182%209.84115C8.98554%209.43629%209.07888%209.03455%209.272%208.67835C9.46512%208.32215%209.75084%208.02471%2010.099%207.81743C10.4472%207.61016%2010.8448%207.50074%2011.25%207.50074C11.6552%207.50074%2012.0528%207.61016%2012.401%207.81743C12.7492%208.02471%2013.0349%208.32215%2013.228%208.67835C13.4211%209.03455%2013.5145%209.43629%2013.4982%209.84115C13.4819%2010.246%2013.3566%2010.639%2013.1355%2010.9785L15.5535%2015.009C15.6682%2014.9987%2015.7836%2014.9977%2015.8985%2015.006L19.8915%208.019C19.6046%207.59868%2019.4686%207.0935%2019.5058%206.58594C19.543%206.07837%2019.7511%205.59841%2020.0963%205.22442C20.4415%204.85043%2020.9032%204.60449%2021.4062%204.52678C21.9091%204.44906%2022.4236%204.54415%2022.8655%204.79653C23.3075%205.0489%2023.6508%205.44364%2023.8395%205.91631C24.0281%206.38897%2024.051%206.91163%2023.9043%207.39896C23.7576%207.88628%2023.45%208.30948%2023.0317%208.59945C22.6135%208.88942%2022.1093%209.02903%2021.6015%208.9955L17.6085%2015.9825C17.8379%2016.319%2017.9717%2016.7114%2017.9956%2017.118C18.0195%2017.5245%2017.9326%2017.9299%2017.7442%2018.291C17.5558%2018.652%2017.2729%2018.9552%2016.9258%2019.1681C16.5786%2019.381%2016.1802%2019.4957%2015.7729%2019.4999C15.3657%2019.5041%2014.965%2019.3978%2014.6134%2019.1922C14.2619%2018.9865%2013.9728%2018.6893%2013.7769%2018.3323C13.581%2017.9753%2013.4857%2017.5717%2013.5011%2017.1648C13.5165%2016.7578%2013.6421%2016.3627%2013.8645%2016.0215L11.4465%2011.991C11.3158%2012.0031%2011.1842%2012.0031%2011.0535%2011.991L8.6355%2016.0215C8.85679%2016.3611%208.98226%2016.7541%208.99864%2017.159C9.01503%2017.564%208.92172%2017.9659%208.72858%2018.3222C8.53544%2018.6785%208.24963%2018.9761%207.90137%2019.1834C7.5531%2019.3907%207.1553%2019.5001%206.75%2019.5Z'%20fill='%23050505'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2777_6507'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Stats 
Types'%3e%3cpath%20d='M16%208.10685L12.0364%2013.0212L10.5818%2012.0459L13.7745%208.10685L10.5818%204.16784L12.0364%203.19254L16%208.10685ZM5.69273%204.16784L3.96364%203.19254L0%208.10685L3.96364%2013.0212L5.69273%2012.0459L2.5%208.10685L5.69273%204.16784ZM5.5%2015.1069L7.23091%2015.6069L10.9909%201L9.26%200.5L5.5%2015.1069Z'%20fill='%23050505'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2689_5375'%3e%3crect%20width='16'%20height='16'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Languages
Project types
Hackers (29) View all
