Tetu platform can't pause contracts for withdrawing users' funds.
However, we can pause deposits or emergency withdraw funds into strategy from an external project.
By the nature of the emergency, these actions don't have any time-locks and can be done by governance multi-sig wallet immediately.
Vaults with paused deposits will be shown in the "Deactivated" section of the website UI. You can freely withdraw your funds at any time.
Tetu has a central governance contract, Controller, under the control of a MultiSig Wallet with public signers.
However, to reduce the EOA effect, we implement different levels of access to our contracts.
We have a 48h time lock for any action on this layer.
Protection logic is implemented in a special contract, Announcer.
Announcer contains scheduling for time-locked operations.
For each function, calling announce twice is forbidden.
Function types under time-lock control:
Any contract address changes in Controller
Any ratio changes (currently Profit Sharing and Fund ratios)
Any token movements from contracts to MultiSig Wallet
TETU mint operation
Proxy contract upgrades
Strategy change for a vault
Only the Controller has access to this type of function, and it can call it only after the time-lock period.
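The announce-then-execute rule described above, as an added TypeScript model; it is not Tetu's Announcer code. The operation name, the placeholder addresses, the binding of arguments at announce time and the clearing of an announcement after execution are assumptions of this example.

```typescript
// Added model of the announce/execute rule described above; not Tetu's Announcer source.
const TIME_LOCK_SECONDS = 48 * 60 * 60; // the 48h lock stated on this page

interface Announcement { args: string; readyAt: number } // readyAt: unix seconds
type Schedule = Record<string, Announcement>;             // keyed by operation type

// Record an operation; returns the earliest time it may be executed.
function announce(s: Schedule, opType: string, args: string[], now: number): number {
  // One pending announcement per function: a second announce is rejected.
  if (s[opType] !== undefined) throw new Error("already announced");
  s[opType] = { args: JSON.stringify(args), readyAt: now + TIME_LOCK_SECONDS };
  return s[opType].readyAt;
}

// Execute succeeds only for the announced arguments and only after the lock expires.
function execute(s: Schedule, opType: string, args: string[], now: number): void {
  const a = s[opType];
  if (a === undefined) throw new Error("not announced");
  // Assumption of this model: the arguments are bound at announce time, so the
  // operation users reviewed is the only one that can run.
  if (a.args !== JSON.stringify(args)) throw new Error("arguments differ from announcement");
  if (now < a.readyAt) throw new Error("time-lock not expired");
  delete s[opType]; // assumption: one announcement authorizes one execution
}

// What a user watching the schedule sees: time left to react to each pending operation.
function pending(s: Schedule, now: number): { opType: string; secondsLeft: number }[] {
  return Object.keys(s)
    .map((opType) => ({ opType, secondsLeft: Math.max(0, s[opType].readyAt - now) }))
    .sort((x, y) => x.secondsLeft - y.secondsLeft);
}

// Constructed sample data: the operation name and addresses are placeholders.
function demo(): string[] {
  const s: Schedule = {};
  const t0 = 1700000000;
  const log: string[] = [];
  const attempt = (label: string, f: () => void) => {
    try { f(); log.push(label + ": ok"); }
    catch (e) { log.push(label + ": " + (e as Error).message); }
  };
  attempt("announce", () => { announce(s, "STRATEGY_CHANGE", ["0xVAULT", "0xNEW"], t0); });
  attempt("announce again", () => { announce(s, "STRATEGY_CHANGE", ["0xVAULT", "0xNEW"], t0 + 60); });
  attempt("execute at 47h", () => execute(s, "STRATEGY_CHANGE", ["0xVAULT", "0xNEW"], t0 + 47 * 3600));
  attempt("execute swapped arg", () => execute(s, "STRATEGY_CHANGE", ["0xVAULT", "0xOTHER"], t0 + 49 * 3600));
  attempt("execute at 49h", () => execute(s, "STRATEGY_CHANGE", ["0xVAULT", "0xNEW"], t0 + 49 * 3600));
  return log;
}
```

The value returned by pending() is the window a depositor has to review an announced change and withdraw before it can take effect.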
On this layer, we do not use a time-lock, because the functionality is either not critical or needed for urgent actions.
Controller or Governance can call it immediately:
Remove vaults or strategies from the registered lists
Add/remove Reward Distributor addresses
Add/remove HardWorker addresses
Add/remove from Whitelist
Register Vault/Strategy
Set conversion path for rewards
Emergency exit from external project and pause investing
Continue investing
Move money from strategy to vault
Invest money from strategy to external project
Only MintHelper has access to our TETU token contract and this address is unchangeable.
Setup Dev Funds addresses and ratios for next mints
Change activity status
A deactivated vault can't do HardWork or accept deposits. Withdrawals are allowed.
Call DoHardWork
Add/Remove reward tokens
Rebalance vault (withdraw all from strategy to vault and invest again)
Withdraw all from strategy to Vault
Move tokens from LiquidityBalancer to Controller contract
Set target Price/TVL
Set Router
Set Targets' Update ratios
Disperse weekly emission
Move tokens from NotifyHelper to Controller
Add worker or change the worker wallet address
Change any worker settings except worked hours
Pay salary
Set Price Calculator address
Move tokens from PayrollClerk to Controller
Change any settings
Any actions allowed for HardWorker/Distributor also allowed for Controller and Governance
Allowed:
DoHardWork for HardWorker
Call LiquidityBalancer for HardWorker
Disperse rewards for vaults for Reward Distributor
Tetu has 3/5 multi-sig wallets.
Polygon: 0xcc16d636dD05b52FF1D8B9CE09B09BC62b11412B
Ethereum: 0x4bE13bf2B983C31414b358C634bbb61230c332A7
BSC: https://bscscan.com/address/0xf00fD5282538F1C81df9F8388023FFDB3565c0D4
Vsevolod Grigorovich aka belbix
CoFounder and main smart contract developer.
Timur Mullayanov aka Timuricio
Art Director and CG designer.
GodInMaking
Tetu biz dev.
0xkila
Core team member of Retro and Stabl labs
dvpublic
Core solidity developer
Certik performed the audit of Tetu's new products, TetuSwap and Pawnshop. With this audit, Tetu continues to reinforce its commitment to prioritizing safety.
Tetu is eligible for all Certik recommendations and 62% of the 13 findings have been resolved.
Although all 3 major findings show the status of Unresolved in the audit report, all major findings are protected by a 48h time lock and the weakness of single point of failure is avoided through a multi signature wallet. You can access the Certik audit:
Tetu was audited by PeckShield, Tetu's second audit, and no high risk issues were found. All issues were addressed by the team. PeckShield's conclusion was as follows:
"In this audit, we have analyzed the Tetu protocol design and implementation. Tetu is a decentralized yield aggregator that allows users to deposit into a decentralized liquidity platform and earn rewards in return. During the audit, we notice that the current code base is well organized and those identified issues are promptly confirmed and fixed. Meanwhile, we need to emphasize that smart contracts as a whole are still in an early, but exciting stage of development." You can access the PeckShield audit:
Tetu's new product, Tetu v2, was also audited by PeckShield and found to be secure. According to the auditor:
"Based on Tetu, the audited Tetu v2 introduces some new features, which enables protocol users to participate in governance with veTETU, improves the TetuVault with new deposit/withdraw fees, and introduces new SplitterV2 with auto-rebalance logic adopted to multiple farming strategies, etc. During the audit, we notice that the current code base is well organized and those identified issues are promptly confirmed and fixed. Meanwhile, we need to emphasize that smart contracts as a whole are still in an early, but exciting stage of development."
Tetu was audited by DeFiYield. Most of the critical issues were solved, and DeFiYield's conclusion was as follows: "The audited contracts are the main part of the Tetu.io ecosystem. Contracts are well written and commented with good readability. The Tetu team did a lot of work to remove all previously found vulnerabilities, including critical centralization issues. Timelock with announcement logic was provided for every critical contract change. It’s important to point out that the Controller contract still features certain centralization degree: the functions mintAndDistribute() and controllerTokenMove() enable the contract owner to have control over the protocol’s token distribution, but with the timelock delay. We are confident that any token distribution should be fully decentralized. However, there are no critical issues left, and users have an ability to monitor all announcements related to the token transfers. No suspicious functions were revealed during the auditing."
You can access the DefiYield audit:
Tetu's development team makes every effort to ensure that smart contracts are safe and work as expected.
We use the Hardhat framework with a TypeScript configuration.
Test framework: Mocha.
All test code is strictly typed with typechain, which dramatically reduces possible mistakes.
Over 200 tests for the base functionality and over 600 tests for strategy implementations.
All code is checked with solhint and slither.
Fully functional code is deployed on the Rinkeby testnet.
All business logic was tested on the deployed contracts with additional tests.
Tetu is audited by DeFiYield and PeckShield.
Tetu team doesn't have access to users' funds.
All critical contracts that keep users' funds have a 48-hour Timelock.
Any actions that can change the state of critical contracts are under the control of the MultiSig wallet 3/4.
Each strategy development includes not only implementing the base functionality but also analyzing the farmable platform and fetching all critical metrics.
Currently, Tetu's smart contracts are not susceptible to this kind of attack.
Our vaults have whitelist protection for deposit operations.
This makes any type of attack involving asset manipulation impossible.
Currently, Tetu's smart contracts are not susceptible to this kind of attack.
In case we use untrusted external calls, OpenZeppelin best-practice protection will be implemented.
All math operations use the OpenZeppelin SafeMath library.
All critical functions are checked with unit tests to confirm they cannot be used from non-governance addresses.
Users' assets are not susceptible to this kind of attack in our contracts.
However, reward selling can, theoretically, be a target of front running by sandwich bots.
And wrap our calls to other contracts to improve the protection of smart contracts' actions against front running.
Currently, we are not susceptible to this kind of attack.
We don't use any loops with external changeable arrays.
External calls have no way to provide DoS for our contracts.
Any new integrations will be checked for this kind of behavior.
Any ownership changes in our contracts are covered by unit tests, so control can't be lost unexpectedly.
Our contracts are under the control of the MultiSig wallet, and any operations will be double-checked with the Tetu team.
All calculations are triple-checked with different numbers and have 100% test coverage.
We do not have any calculations where logic based on the block timestamp could be used to obtain additional money.
Other possible attack vectors are too rare, out of date, or obviously covered with unit tests and static analyzers.
Time Locks are a smart contract feature that states that some actions will only be performed after a certain period of time rather than immediately.
Some critical actions are needed for the healthy development of the protocol, but the same functions could be used by malicious individuals with the intention of harming users. A Time Lock protects users from such actions by giving them time to protect their funds if they identify suspicious activity.
All critical contracts in TETU have a 48 hour timelock to provide greater security to users. Very instructive articles on how to check Time Lock Schedule and perform Emergency Withdraw can be read in .
Tetu has two types of proxy contracts:
TetuProxyControlled - an upgrade can be done only after it has been announced in Announcer and the 48h time-lock period has expired
TetuProxyGov - proxy contracts without a time-lock; governance can upgrade them at any time. We use them for the most noncritical contracts (contracts with view functions and governance infrastructure)
List of time-locked proxy contracts:
Announcer
Bookkeeper
Controller
FeeRewardForwarder
FundKeeper
VaultController
MintHelper
All SmartVault instances
TetuSwapFactory
Proxy without time-lock
AutoRewarder (reward distribution processing under full control of governance)
RewardCalculator (only view functions)
PayrollClerk (governance infrastructure)
ContractReader (only view functions)
PawnshopReader (only view functions)
PriceCalculator (only view functions)
All strategies
TETU token
LiquidityBalancer
NotifyHelper
MultiSwap
ZapContract
TetuPawnshop
TetuSwapPair
TetuSwapRouter
Multicall
ContractUtils
Tetu has a Bug Bounty Program by Immunefi that aims to increase the security of the protocol's smart contracts by offering rewards in TETU to white hat hackers and users who identify weaknesses and demonstrate them with a PoC.
Check the scope and rules of on Immunefi.
Checking the time lock schedule can be very useful as critical actions are protected by time lock. Time locks are a tool created to increase user security and reduce the likelihood that their funds will be affected by malicious people before they have a chance to withdraw funds from the protocol. To provide even greater security to users, Tetu has a 48-hour timelock on all critical contracts. In the you can learn how to check the Time Lock announce and its schedule.
At some point it may be in the user's interest to carry out an emergency withdraw to make sure the funds are safe as quickly as possible. This is done on-chain, and there is no need to interact with the Tetu platform to perform this action. You can learn how to perform emergency withdraw in the .
You can always try the last version contracts/UI on
We use for monitoring any unusual activity
For this reason, we use secured RPC providers like
Name | Social link | address
belbix | | 0x0644141DD9C2c34802d28D334217bD2034206Bf7
Timuricio | | 0x93e10C401aa766F0632fc86797812485Df6437fa
dvpublic | | 0x93e56B1134Ecf22722ad9Cb5311e21F34bCdBb5f
GodInMaking | | 0xdFb4dDD69B7C0eefcB4085439632cf6d17d55A6B
0xkila | | 0x8b6EccB4d5908AC15A5B013337A166Cf64CA9dEe