'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Bug bounty 
Triaged by HackenproofTETU Smart Contracts: Program info
TETU Smart Contracts
Company: TETU EndedProgram left 354 days ago
Program infoHackers (11)Reports
Tetu is the money lego asset management that provides automated DeFi solutions. With Tetu, users can unlock the web3 finance
In scope
| Target | Type | Severity | Reward |
|---|---|---|---|
https://polygonscan.com/address/0x255707b70bf90aa112006e1b07b9aea6de021424  Copy  Copied Smart Contract - TETU Token | Smart Contract | Critical | Bounty |
https://polygonscan.com/address/0x6678814c273d5088114B6E40cC49C8DB04F9bC29 Copy Copied Smart Contract - Controller | Smart Contract | Critical | Bounty |
https://polygonscan.com/address/0x286c02C93f3CF48BB759A93756779A1C78bCF833 Copy Copied Smart Contract - Announcer | Smart Contract | Critical | Bounty |
https://polygonscan.com/address/0xD3a69BfaC779AE0D97ae7c4f1Bb77d2Be6C2B943 Copy Copied Smart Contract - ForwarderV2 | Smart Contract | Critical | Bounty |
https://polygonscan.com/address/0x0A0846c978a56D6ea9D2602eeb8f977B21F3207F Copy Copied Smart Contract - Bookkeeper | Smart Contract | Critical | Bounty |
https://polygonscan.com/address/0x81367059892aa1D8503a79a0Af9254DD0a09afBF Copy Copied Smart Contract - MintHelper | Smart Contract | Critical | Bounty |
https://polygonscan.com/address/0x7ad5935ea295c4e743e4f2f5b4cda951f41223c2 Copy Copied Smart Contract - FundKeeper | Smart Contract | Critical | Bounty |
https://polygonscan.com/address/0x7fc9e0aa043787bfad28e29632ada302c790ce33 Copy Copied Smart Contract - tetuBAL(poly) | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xFE700D523094Cc6C673d78F1446AE0743C89586E Copy Copied Smart Contract - tetuBAL(eth) | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0x9cc56fa7734da21ac88f6a816af10c5b898596ce Copy Copied Smart Contract - BalLocker(eth) | Smart Contract | Critical | Bounty |
https://etherscan.io/address/0xBb84098e47d217f51cB014f692eada1F2280a179 Copy Copied Smart Contract - BalDepositor | Smart Contract | Critical | Bounty |
https://polygonscan.com/address/0x6fb29dd17fa6e27bd112bc3a2d0b8dae597aeda4 Copy Copied Smart Contract - veTETU | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/proxy/ProxyControlled.sol Copy Copied ProxyControlled.sol | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/proxy/UpgradeableProxy.sol Copy Copied UpgradeableProxy.sol | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/strategy/StrategyBaseV2.sol Copy Copied StrategyBaseV2.sol | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/strategy/StrategyLib.sol Copy Copied StrategyLib.sol | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/ERC4626Upgradeable.sol Copy Copied ERC4626Upgradeable.sol | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/StrategySplitterV2.sol Copy Copied StrategySplitterV2.sol | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/TetuVaultV2.sol Copy Copied TetuVaultV2.sol | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/VaultInsurance.sol Copy Copied VaultInsurance.sol | Smart Contract | Critical | Bounty |
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/ve/VeTetu.sol Copy Copied VeTetu.sol | Smart Contract | Critical | Bounty |
Target Copied
https://polygonscan.com/address/0x255707b70bf90aa112006e1b07b9aea6de021424
Copy
Copied Smart Contract - TETU Token
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://polygonscan.com/address/0x6678814c273d5088114B6E40cC49C8DB04F9bC29
Copy
Copied Smart Contract - Controller
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://polygonscan.com/address/0x286c02C93f3CF48BB759A93756779A1C78bCF833
Copy
Copied Smart Contract - Announcer
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://polygonscan.com/address/0xD3a69BfaC779AE0D97ae7c4f1Bb77d2Be6C2B943
Copy
Copied Smart Contract - ForwarderV2
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://polygonscan.com/address/0x0A0846c978a56D6ea9D2602eeb8f977B21F3207F
Copy
Copied Smart Contract - Bookkeeper
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://polygonscan.com/address/0x81367059892aa1D8503a79a0Af9254DD0a09afBF
Copy
Copied Smart Contract - MintHelper
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://polygonscan.com/address/0x7ad5935ea295c4e743e4f2f5b4cda951f41223c2
Copy
Copied Smart Contract - FundKeeper
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://polygonscan.com/address/0x7fc9e0aa043787bfad28e29632ada302c790ce33
Copy
Copied Smart Contract - tetuBAL(poly)
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://etherscan.io/address/0xFE700D523094Cc6C673d78F1446AE0743C89586E
Copy
Copied Smart Contract - tetuBAL(eth)
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://etherscan.io/address/0x9cc56fa7734da21ac88f6a816af10c5b898596ce
Copy
Copied Smart Contract - BalLocker(eth)
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://etherscan.io/address/0xBb84098e47d217f51cB014f692eada1F2280a179
Copy
Copied Smart Contract - BalDepositor
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://polygonscan.com/address/0x6fb29dd17fa6e27bd112bc3a2d0b8dae597aeda4
Copy
Copied Smart Contract - veTETU
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/proxy/ProxyControlled.sol
Copy
Copied ProxyControlled.sol
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/proxy/UpgradeableProxy.sol
Copy
Copied UpgradeableProxy.sol
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/strategy/StrategyBaseV2.sol
Copy
Copied StrategyBaseV2.sol
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/strategy/StrategyLib.sol
Copy
Copied StrategyLib.sol
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/ERC4626Upgradeable.sol
Copy
Copied ERC4626Upgradeable.sol
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/StrategySplitterV2.sol
Copy
Copied StrategySplitterV2.sol
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/TetuVaultV2.sol
Copy
Copied TetuVaultV2.sol
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/vault/VaultInsurance.sol
Copy
Copied VaultInsurance.sol
TypeSmart Contract
Severity Critical
RewardBounty
Target Copied
https://github.com/tetu-io/tetu-contracts-v2/blob/master/contracts/ve/VeTetu.sol
Copy
Copied VeTetu.sol
TypeSmart Contract
Severity Critical
RewardBounty
Focus Area
GENERAL
- Payouts are done in TETU.
- All smart contracts of TETU can be found at https://github.com/tetu-io/tetu-contracts. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Critical
Smart Contracts
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol Insolvency
High
Smart Contracts
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds
- Any governance voting result manipulation
- Miner-extractable value (MEV)
Medium
Smart Contracts
- Block stuffing for profit
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
Out of Scope
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist).
Smart Contracts and Blockchain:
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
Program Rules
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Disclosure Guidelines
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial is allowed for the moment.
- Please do NOT publish/discuss bugs
Eligibility and Coordinated Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must not be a former or current employee of us or one of its contractor.
- ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
- Provide detailed but to-the point reproduction steps
Rewards Range of bounty$25,000 - $1,000,000
Severity
Critical$13,300
High$2,000
Medium$1,000
Low$350
'%3e%3cpath%20d='M3%2021H24V24H0V0H3V21ZM6.75%2019.5C6.44587%2019.5006%206.14477%2019.4396%205.8649%2019.3205C5.58502%2019.2015%205.33219%2019.027%205.12167%2018.8075C4.91115%2018.588%204.74731%2018.3281%204.64006%2018.0435C4.5328%2017.7589%204.48436%2017.4555%204.49766%2017.1517C4.51095%2016.8478%204.58571%2016.5498%204.71741%2016.2757C4.84911%2016.0015%205.03502%2015.7569%205.2639%2015.5567C5.49279%2015.3564%205.7599%2015.2046%206.0491%2015.1105C6.3383%2015.0164%206.64358%2014.9818%206.9465%2015.009L9.3645%2010.9785C9.1434%2010.639%209.0181%2010.246%209.00182%209.84115C8.98554%209.43629%209.07888%209.03455%209.272%208.67835C9.46512%208.32215%209.75084%208.02471%2010.099%207.81743C10.4472%207.61016%2010.8448%207.50074%2011.25%207.50074C11.6552%207.50074%2012.0528%207.61016%2012.401%207.81743C12.7492%208.02471%2013.0349%208.32215%2013.228%208.67835C13.4211%209.03455%2013.5145%209.43629%2013.4982%209.84115C13.4819%2010.246%2013.3566%2010.639%2013.1355%2010.9785L15.5535%2015.009C15.6682%2014.9987%2015.7836%2014.9977%2015.8985%2015.006L19.8915%208.019C19.6046%207.59868%2019.4686%207.0935%2019.5058%206.58594C19.543%206.07837%2019.7511%205.59841%2020.0963%205.22442C20.4415%204.85043%2020.9032%204.60449%2021.4062%204.52678C21.9091%204.44906%2022.4236%204.54415%2022.8655%204.79653C23.3075%205.0489%2023.6508%205.44364%2023.8395%205.91631C24.0281%206.38897%2024.051%206.91163%2023.9043%207.39896C23.7576%207.88628%2023.45%208.30948%2023.0317%208.59945C22.6135%208.88942%2022.1093%209.02903%2021.6015%208.9955L17.6085%2015.9825C17.8379%2016.319%2017.9717%2016.7114%2017.9956%2017.118C18.0195%2017.5245%2017.9326%2017.9299%2017.7442%2018.291C17.5558%2018.652%2017.2729%2018.9552%2016.9258%2019.1681C16.5786%2019.381%2016.1802%2019.4957%2015.7729%2019.4999C15.3657%2019.5041%2014.965%2019.3978%2014.6134%2019.1922C14.2619%2018.9865%2013.9728%2018.6893%2013.7769%2018.3323C13.581%2017.9753%2013.4857%2017.5717%2013.5011%2017.1648C13.5165%2016.7578%2013.6421%2016.3627%2013.8645%2016.0215L11.4465%2011.991C11.3158%2012.0031%2011.1842%2012.0031%2011.0535%2011.991L8.6355%2016.0215C8.85679%2016.3611%208.98226%2016.7541%208.99864%2017.159C9.01503%2017.564%208.92172%2017.9659%208.72858%2018.3222C8.53544%2018.6785%208.24963%2018.9761%207.90137%2019.1834C7.5531%2019.3907%207.1553%2019.5001%206.75%2019.5Z'%20fill='%23050505'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2777_6507'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Stats Scope Review26191
Submissions24
Total rewards$0
Types
Hackers (11) View all
Piyush Shukla
Mohd Ali
Francisco Vargas Videla
Muktar Sadiq
Chetan Shailendra Wani
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time3d
Reward Time3d
Resolution Time14d