Tetu is a money-lego asset management protocol that provides automated DeFi solutions. With Tetu, users can unlock web3 finance.
In Scope
Target | Type | Severity | Reward |
---|---|---|---|
TETU Token (https://polygonscan.com/address/0x255707b70bf90aa112006e1b07b9aea6de021424) | Smart Contract | Critical | Bounty |
Controller (https://polygonscan.com/address/0x6678814c273d5088114B6E40cC49C8DB04F9bC29) | Smart Contract | Critical | Bounty |
Announcer (https://polygonscan.com/address/0x286c02C93f3CF48BB759A93756779A1C78bCF833) | Smart Contract | Critical | Bounty |
ForwarderV2 (https://polygonscan.com/address/0xD3a69BfaC779AE0D97ae7c4f1Bb77d2Be6C2B943) | Smart Contract | Critical | Bounty |
Bookkeeper (https://polygonscan.com/address/0x0A0846c978a56D6ea9D2602eeb8f977B21F3207F) | Smart Contract | Critical | Bounty |
MintHelper (https://polygonscan.com/address/0x81367059892aa1D8503a79a0Af9254DD0a09afBF) | Smart Contract | Critical | Bounty |
FundKeeper (https://polygonscan.com/address/0x7ad5935ea295c4e743e4f2f5b4cda951f41223c2) | Smart Contract | Critical | Bounty |
tetuBAL (Polygon) (https://polygonscan.com/address/0x7fc9e0aa043787bfad28e29632ada302c790ce33) | Smart Contract | Critical | Bounty |
tetuBAL (Ethereum) (https://etherscan.io/address/0xFE700D523094Cc6C673d78F1446AE0743C89586E) | Smart Contract | Critical | Bounty |
BalLocker (Ethereum) (https://etherscan.io/address/0x9cc56fa7734da21ac88f6a816af10c5b898596ce) | Smart Contract | Critical | Bounty |
BalDepositor (https://etherscan.io/address/0xBb84098e47d217f51cB014f692eada1F2280a179) | Smart Contract | Critical | Bounty |
veTETU (https://polygonscan.com/address/0x6fb29dd17fa6e27bd112bc3a2d0b8dae597aeda4) | Smart Contract | Critical | Bounty |
ProxyControlled.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/proxy/ProxyControlled.sol) | Smart Contract | Critical | Bounty |
UpgradeableProxy.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/proxy/UpgradeableProxy.sol) | Smart Contract | Critical | Bounty |
StrategyBaseV2.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/strategy/StrategyBaseV2.sol) | Smart Contract | Critical | Bounty |
StrategyLib.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/strategy/StrategyLib.sol) | Smart Contract | Critical | Bounty |
ERC4626Upgradeable.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/ERC4626Upgradeable.sol) | Smart Contract | Critical | Bounty |
StrategySplitterV2.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/StrategySplitterV2.sol) | Smart Contract | Critical | Bounty |
TetuVaultV2.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/TetuVaultV2.sol) | Smart Contract | Critical | Bounty |
VaultInsurance.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/VaultInsurance.sol) | Smart Contract | Critical | Bounty |
VeTetu.sol (https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/ve/VeTetu.sol) | Smart Contract | Critical | Bounty |
GENERAL
- Payouts are done in TETU.
- All smart contracts of TETU can be found at https://github.com/tetu-io/tetu-contracts. However, only those listed in the Assets in Scope table are considered in scope for the bug bounty program.
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the Assets in Scope table.
Critical
Smart Contracts
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol Insolvency
High
Smart Contracts
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds
- Any governance voting result manipulation
- Miner-extractable value (MEV)
Medium
Smart Contracts
- Block stuffing for profit
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
Out of Scope
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain:
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial disclosure, is allowed for the moment.
- Please do NOT publish/discuss bugs
We are happy to thank everyone who submits valid reports that help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability.
- Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through hackenproof.com.
- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
- You must not be a former or current employee of ours or of one of our contractors.
- ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded).
- Provide detailed but to-the-point reproduction steps.