Greenhood is a protocol that enables regulated security token investments through a membership-based system. Users subscribe to obtain membership, which grants them a soulbound NFT and security token rewards. After becoming members, users can purchase additional security tokens. The system leverages T-REX (Token for Regulated EXchanges) infrastructure for regulatory compliance and implements role-based access controls for secure operation.

Greenhood engaged Ackee Blockchain Security to perform a security review of Greenhood Contracts with a total time donation of 3 engineering days in a period between August 4 and August 8, 2025.

A second review was then performed on the fixes made in response to the initial revision.

METHODOLOGY

We began our review using static analysis tools, including Wake. We then took a deep dive into the logic of the contracts. For testing and fuzzing, we used the Wake testing framework. During the review, we paid special attention to:

  • ensuring the arithmetic of the system is correct;
  • detecting possible reentrancies in the code;
  • ensuring access controls are not too relaxed or too strict; and
  • looking for common issues such as data validation.

SCOPE

The audit was performed on commit b12392f in the contracts repository and the scope was the following:

  • src/GreenhoodMembership.sol; and
  • src/GreenhoodInvestor.sol.

Revision 1.1 was performed between August 13 and August 14, 2025 on commit 9fd11a2 and focused on the fixes from the initial audit.

FINDINGS

The classification of a security finding is determined by two ratings: impact and likelihood. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as medium severity, but which would likely be discovered only by the team, are typically decreased by the likelihood factor to the Warning or Informational severity ratings.

Our review resulted in 5 findings, ranging from Warning to High severity. The changes made between revisions 1.0 and 1.1 significantly strengthened the protocol’s trust model by implementing permissionless governance mechanisms and enhanced user protections, resulting in fixes for all 5 findings. The findings are detailed in the full audit report linked below.

Critical severity

No critical severity issues were found.

High severity

H1: Missing whenNotPaused modifiers in subscription functions

Medium severity

M1: Parameter front-running possible due to instant changes of rates, fees and rewards

M2: Unlimited subscriptionFee

Low severity

No low severity issues were found.

Warning severity

W1: Missing zero address and zero amount validation checks

W2: One-step ownership transfer

Informational severity

No informational severity issues were found.

TRUST MODEL

The protocol has strengthened its security model through enhanced controls and user protections:

Administrative controls:

  • the owner role operates through a timelock contract, ensuring transparency for all parameter changes;
  • subscription fees cannot exceed a fixed maximum value; and
  • parameter changes require a waiting period before taking effect.

User protections:

  • subscription functions accept minimum reward parameters to prevent front-running;
  • purchase functions include slippage protection through minimum token parameters; and
  • all critical parameter changes are visible on-chain before execution.

These improvements maintain protocol flexibility while providing robust safeguards against parameter manipulation.
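The following contract is an added, illustrative example and is not Greenhood's code. It shows, in one place, the mitigations summarised in the findings (H1, M1, M2, W1, W2) and in the trust model above: a subscription function guarded by whenNotPaused, parameter changes that are queued on-chain and only applied after a waiting period, a hard cap on the subscription fee, zero address and zero amount checks, a two-step ownership transfer, and user-supplied minimums (a minimum reward on subscription and a minimum token amount on purchase) that make front-running of a parameter change revert instead of silently harming the user. The contract name, the constants MAX_SUBSCRIPTION_FEE and PARAM_DELAY, the function and variable names, and the assumption that the owner address is a timelock contract are all assumptions of this example; it builds on OpenZeppelin Contracts v5 (Ownable2Step, Pausable, SafeERC20).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable2Step, Ownable} from "@openzeppelin/contracts/access/Ownable2Step.sol";
import {Pausable} from "@openzeppelin/contracts/utils/Pausable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative membership/purchase contract (assumed names, not Greenhood's code).
/// The owner is expected to be a timelock contract so that every parameter change
/// is visible on-chain before it is queued here and again before it takes effect.
contract MembershipExample is Ownable2Step, Pausable {
    using SafeERC20 for IERC20;

    uint256 public constant MAX_SUBSCRIPTION_FEE = 1_000e18; // assumed cap (M2)
    uint256 public constant PARAM_DELAY = 2 days;             // assumed waiting period (M1)

    IERC20 public immutable paymentToken;
    IERC20 public immutable securityToken;

    uint256 public subscriptionFee;        // payment tokens charged per subscription
    uint256 public rewardPerSubscription;  // security tokens granted per subscription
    uint256 public exchangeRate;           // security tokens per payment token, 1e18-scaled

    /// Queued parameter change; anyone can read it before it becomes effective.
    struct PendingParams { uint256 fee; uint256 reward; uint256 rate; uint256 effectiveAt; }
    PendingParams public pending;

    mapping(address => bool) public isMember;

    event ParamsQueued(uint256 fee, uint256 reward, uint256 rate, uint256 effectiveAt);
    event ParamsApplied(uint256 fee, uint256 reward, uint256 rate);
    event Subscribed(address indexed member, uint256 fee, uint256 reward);
    event Purchased(address indexed member, uint256 paid, uint256 received);

    constructor(IERC20 payment, IERC20 security, uint256 fee, uint256 reward, uint256 rate)
        Ownable(msg.sender) // Ownable2Step: later transfers need acceptOwnership() (W2)
    {
        // Zero address and zero amount checks (W1)
        require(address(payment) != address(0) && address(security) != address(0), "zero address");
        require(fee != 0 && fee <= MAX_SUBSCRIPTION_FEE, "fee out of bounds");
        require(rate != 0, "zero rate");
        paymentToken = payment;
        securityToken = security;
        subscriptionFee = fee;
        rewardPerSubscription = reward;
        exchangeRate = rate;
    }

    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }

    /// Queue new parameters; they cannot take effect before PARAM_DELAY has elapsed.
    function queueParams(uint256 fee, uint256 reward, uint256 rate) external onlyOwner {
        require(fee != 0 && fee <= MAX_SUBSCRIPTION_FEE, "fee out of bounds");
        require(rate != 0, "zero rate");
        pending = PendingParams(fee, reward, rate, block.timestamp + PARAM_DELAY);
        emit ParamsQueued(fee, reward, rate, pending.effectiveAt);
    }

    /// Permissionless: anyone may apply a queued change once the waiting period is over.
    function applyParams() external {
        require(pending.effectiveAt != 0 && block.timestamp >= pending.effectiveAt, "not ready");
        (subscriptionFee, rewardPerSubscription, exchangeRate) = (pending.fee, pending.reward, pending.rate);
        delete pending;
        emit ParamsApplied(subscriptionFee, rewardPerSubscription, exchangeRate);
    }

    /// Subscribe (H1: whenNotPaused). Reverts if the reward is below what the caller expected,
    /// so a parameter change landing before this transaction cannot silently reduce the reward.
    function subscribe(uint256 minReward) external whenNotPaused {
        require(!isMember[msg.sender], "already a member");
        require(rewardPerSubscription >= minReward, "reward below minimum");
        paymentToken.safeTransferFrom(msg.sender, address(this), subscriptionFee);
        isMember[msg.sender] = true;
        securityToken.safeTransfer(msg.sender, rewardPerSubscription);
        emit Subscribed(msg.sender, subscriptionFee, rewardPerSubscription);
    }

    /// Members buy additional security tokens; minTokensOut is the slippage bound.
    function purchase(uint256 paymentAmount, uint256 minTokensOut) external whenNotPaused {
        require(isMember[msg.sender], "not a member");
        require(paymentAmount != 0, "zero amount");
        uint256 tokensOut = paymentAmount * exchangeRate / 1e18;
        require(tokensOut >= minTokensOut, "slippage");
        paymentToken.safeTransferFrom(msg.sender, address(this), paymentAmount);
        securityToken.safeTransfer(msg.sender, tokensOut);
        emit Purchased(msg.sender, paymentAmount, tokensOut);
    }
}
```

The example keeps the delayed-update logic in the contract itself even though the owner is assumed to be a timelock: the on-chain pending struct gives users a second, contract-level guarantee that no fee, reward or rate moves without notice, and the minReward / minTokensOut arguments let a transaction that was mined after an unexpected change fail loudly rather than execute on worse terms.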

CONCLUSION

Ackee Blockchain Security recommended that Greenhood:

  • implement timelocks or limits for critical parameter changes (exchange rates, subscription fees, reward amounts) to enhance user trust;
  • add slippage protection in token purchase functions to prevent front-running;
  • add zero address and zero amount validation checks in all relevant functions;
  • review and enhance the pause mechanism implementation; and
  • address all identified issues.

Ackee Blockchain Security’s full Greenhood Contracts audit report can be found here.

We were delighted to audit Greenhood and look forward to working with them again.