Greenhood is a protocol that enables regulated security token investments through a membership-based system. Users subscribe to obtain membership, which grants them a soulbound NFT and security token rewards. After becoming members, users can purchase additional security tokens. The system leverages T-REX (Token for Regulated EXchanges) infrastructure for regulatory compliance and implements role-based access controls for secure operation.<\/p>\n
Greenhood engaged Ackee Blockchain Security to perform a security review of Greenhood Contracts with a total time donation of 3 engineering days in a period between August 4 and August 8, 2025.<\/p>\n
A second, fix review was performed on the fixes from the previous revision.<\/p>\n
We began our review using static analysis tools, including Wake<\/a>. We then took a deep dive into the logic of the contracts. For testing and fuzzing, we have involved Wake<\/a> testing framework. During the review, we paid special attention to:<\/p>\n The audit was performed on commit Revision 1.1 was performed between August 13 and August 14, 2025 on commit The classification of a security finding is determined by two ratings: <\/span>impact<\/b> and <\/span>likelihood<\/b>. This two-dimensional classification helps clarify the severity of individual issues. Issues which would be rated as <\/span>medium<\/span><\/i> severity, but which would be likely discovered only by the team, are typically decreased by the likelihood factor to the W<\/em><\/span>arning<\/span><\/i> or I<\/em><\/span>nformational<\/span><\/i> severity ratings.<\/span><\/p>\n Our review resulted in 5 findings<\/strong>, ranging from Warning to High severity. The changes made between revisions 1.0 and 1.1 significantly strengthened the protocol\u2019s trust model by implementing permissionless governance mechanisms and enhanced user protections, resulting in the fixes of all 5 findings. The findings are detailed in the full audit report linked below.<\/p>\n No critical severity issues were found.<\/p>\n H1: Missing M1: Parameter front-running possible due to instant changes of rates, fees and rewards<\/p>\n M2: Unlimited No low severity issues were found.<\/p>\n W1: Missing zero address and zero amount validation checks<\/p>\n W2: One-step ownership transfer<\/p>\n No informational severity issues were found.<\/p>\n The protocol has strengthened its security model through enhanced controls and user protections:<\/p>\n Administrative controls:<\/p>\n User protections:<\/p>\n These improvements maintain protocol flexibility while providing robust safeguards against parameter manipulation.<\/p>\n\n
SCOPE<\/span><\/h2>\n
b12392f<\/code> in the contracts repository and the scope was the following:<\/p>\n\n
src\/GreenhoodMembership.sol<\/code>; and<\/li>\nsrc\/GreenhoodInvestor.sol<\/code><\/li>\n<\/ul>\n9fd11a2<\/code> and focused on the fixes from the initial audit.<\/p>\nFINDINGS<\/span><\/h2>\n
Critical severity<\/span><\/h3>\n
High severity<\/span><\/h3>\n
whenNotPaused<\/code> modifiers in subscription functions<\/p>\nMedium severity<\/span><\/h3>\n
subscriptionFee<\/code><\/p>\nLow severity<\/span><\/h3>\n
Warning severity<\/span><\/h3>\n
Informational severity<\/span><\/h3>\n
TRUST MODEL<\/span><\/h2>\n
\n
\n
CONCLUSION<\/span><\/h2>\n