[ARFC] Onboard tETH to Aave v3 Prime Instance

Author: ACI ( Aave Chan Initiative)

Date: 2025-04-21

ARFC has been updated 2025-05-05 with latest Risk Parameters provided by Risk Service Providers.

Summary

This proposal aims to onboard tETH to Aave V3 Prime Instance, after successful [TEMP CHECK] Onboard tETH to Aave v3 Prime Instance and ****TEMP CHECK Snapshot.

Motivation

Assets like tETH are designed to unify fragmented interest rate markets and optimize yield generation. Users contribute ETH and receive tETH, redeemable for their initial ETH plus additional yield. This yield comes from a dynamic strategy that balances staking rewards and interest rate arbitrage on lending protocols. For tETH, this ensures baseline yields equivalent to native ETH staking while capturing additional returns from rate inefficiencies. These assets are composable across DeFi, enabling broader usability.

By onboarding tETH to Aave V3 Prime Instance, we can:

• Enhance capital efficiency: Users can borrow against tETH, unlocking liquidity while continuing to earn restaking rewards.
• Increase protocol revenue: More borrowing activity leads to higher interest income for Aave.
• Expand Aave’s influence in restaking finance: Positioning Aave as a central lending hub for LRTs.

Specification

Risk Parameters have been updated by Risk Service Providers and ARFC has been updated accordingly. 2025-05-05

E-Mode

tETH/WETH CAPO

Useful links

Disclaimer

This proposal is directly powered by ACI (Aave Chan Initiative). ACI did not received compensation for creation of this proposal.

Next Steps

1. Collect community & service providers feedback before escalating proposal to ARFC snapshot stage.
2. If the ARFC snapshot outcome is YAE, publish an AIP vote for final confirmation and enforcement of the proposal.

Copyright

Copyright and related rights waived via CC0.

tETH (Ethereum) technical analysis

Summary

This is a technical analysis of all the smart contracts of the asset and its main dependencies.

Disclosure: This is not an exhaustive security review of the asset like the ones done by the Treehouse Team, but an analysis from an Aave technical service provider on different aspects we consider critical to review before a new type of listing. Consequently, like with any security review, this is not an absolute statement that the asset is flawless, only that, in our opinion, we don’t see significant problems with its integration with Aave, apart from different trust points.

Analysis

tETH is a liquid staking token that accrues interest from ETH staking and ETH leveraging staking strategies in DeFi protocols like Aave and Lido, and it will be adding other lending markets. Users deposit ETH or LSTs (currently wstETH) and receive the tETH token. They can redeem the tETH for wstETH after 7 days or immediately by paying a fee.

teth-analysis-11952×519 30.7 KB

For the context of this analysis, our focus has been on the following aspects, critical for the correct and secure integration with Aave:

• Mechanism to update the exchange rate of the asset for the underlying ETH.
• A recommendation of pricing strategy to be used in the integration of the asset <> Aave.
• Any miscellaneous aspect of the code we can consider important.
• Analysis of the access control (ownerships, admin roles) and the nature of the entities involved in the system. Regarding the table permissions’ holders and their criticality/risk, it is done following these guidelines:

Risk	Description
	The role is controlled via a mechanism we consider safe, such as on-chain governance, a timelock contract, or setups involving multi-sigs under certain circumstances.
	The role is controlled in a way that could expose the system and users to some risk, depending on the actions it can control.
	The role is controlled via a clearly non-secure method, representing risks for the system and users.

General points

• A layered system where most contracts are non-upgradeable and use well-known dependencies and libraries from OZ.
• The tETH contract itself is an upgradable contract by a Safe 5-of-7.
• The system access control relies mostly on a Safe 5-of-7.
  
  

Contracts

The following is a non-exhaustive overview of the main smart contracts involved with tETH.

teth-contracts-12566×1686 311 KB

tETH

The so-called tETH is an ERC4626 token a user receives after depositing ETH and LSTs via the router contract. This contract holds the Internal Accounting Unit (IAU) token, which is used for virtual accounting, and only whitelisted contracts can interact by minting/redeeming it. It is a UUPS upgradeable contract by a Safe 5-of-7.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	upgradeAndCall	CRITICAL
owner: Safe 5-of-7	transferOwnership, updateBlacklister	HIGH
not assigned	blacklist, unBlacklist	HIGH
TreehouseRouter, TreehouseAccounting, TreehouseRedemptionV2, TreehouseFastlane	deposit, mint, withdraw, redeem	HIGH

• Access Control
  • The contract relies on the OZ Ownable2Step contract and has its owner set to a Safe 5-of-7.
  • The owner can set a blacklister address via the updateBlackLister(address) function.
  • The blacklister (not assigned) can ban addresses by adding to the blacklist via the blacklist(address) function, which disables transfers for and from those addresses. The blacklister can also remove from the blacklist via the unBlacklist(address) function.
  • Addresses allowed to mint and burn tETH are fetched from the IAU contract via the IAU.isMinter(address) function.
• Minting and redeeming
  • Allowed contracts can deposit the underlying asset of tETH (IAU Token) via the deposit(amount, to) function. An alternative is the mint(amount, to) function.
  • Allowed contract can redeem tETH via the redeem(amount, to, from) function. An alternative is the withdraw(amount, to, from) function.
• Exchange Rate
  • As an ERC4626, tETH uses the internal convertToAssets(shares) function to calculate the current tETH exchange rate.
    
    

InternalAccountingUnit

The IAU contract is an ERC20 token that represents the underlying asset of the tETH ERC4626 and is used for virtual accounting. Only whitelisted minters can interact with this token. It is a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7, Timelock: (not assigned)	transferOwnership, addMinter, removeMinter, setTimelock	HIGH
TreehouseRouter, TreehouseAccounting, TreehouseRedemptionV2, TreehouseFastlane	burn, burnFrom, mintTo,	HIGH

• Access Control
  • The contract uses the OZ Ownable2Step contract and has overridden the internal _checkOwner() function to include a Timelock. Currently, the owner is set to a Safe 5-of-7, and the Timelock is not assigned.
  • The owner/timelock can add or remove minters via addMinter(address) and removeMinter(address) functions, respectively.
  • The owner/timelock can set the Timelock via the setTimelock(address) function.
  • Only minters can interact with this token via the mintTo(to, amount), burn(amount), burnFrom(from, amount) functions. The contract also checks whether the receiver address of the IAU token is a minter, ensuring that only minters can hold IAU.
    
    

TreehouseRouter

The Router contract is the main entrance for users to mint tETH by depositing ETH and listed LSTs. It interacts directly with the IAU token and tETH ERC4626 by minting IAU to the tETH contract and minting tETH to users. It’s a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	transferOwnership, setDepositCap, setPause, updateRescuer	HIGH
not assigned	rescueETH, rescueERC20	HIGH

• Access Control
  • The contract uses the OZ Ownable contract and is set to a Safe 5-of-7.
  • The owner can set the cap in ETH by calling the setDepositCap(amount) function. Currently, the ETH cap is set to 100000 ETH.
  • The owner can set the rescuer address by calling the updateRescuer(address) function.
  • The owner can pause/unpause deposits via the setPause(bool) function.
  • The rescuer can rescue ERC20 tokens and ETH in this contract via the rescueERC20(token, to, amount) and rescueETH(to) functions, respectively.
• Minting
  • Users can deposit ETH via the depositETH(msg.value) function. Internally, the router converts ETH into wsETH and sends the fresh wsETH to the Vault contract. Then, it calls an internal _mintAndStake(amount, to) function that mints IAU tokens and deposits them in the tETH contract. It finishes sending the tETH to the user and validating that the deposit cap wasn’t exceeded.
  • It is also possible to directly deposit wstETH via the deposit(asset, amount) function, which behaves the same way as the depositETH; however, it skips the conversion to wstETH.
    
    

RedemptionController

This contract manages redemptions from the different redemption contracts composed in the system. It interacts directly with the Vault contract by transferring the underlying asset (wstETH) when redemption contracts request redemption. It is a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	addRedemption, removeRedemption, setPauser, transferOwnership	HIGH
TreehouseRedemptionV2, TreehouseFastlane	redeem	HIGH
owner: Safe 5-of-7, pauser: not assigned	setPause	HIGH

• Access Control
  • The owner can add new redemption contracts or remove existing ones by calling the addRedemption(address) and removeRedemption(address) functions, respectively.
  • The owner can set the pauser address via the setPauser(address) function. Both the owner and the pauser can pause/unpause redemptions by calling the setPause(bool) function.
  • The redemption contracts can redeem wstETH by calling the redeem(amount,recipient) function, which transfers the amount from the Vault contract to the recipient address.
    
    

TreehouseRedemptionV2

The TreehouseRedemptionV2 contract allows users to redeem tETH for wstETH after a 7-day waiting period. It is a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	setMinRedeem, setWaitingPeriod, setRedemptionFee, transferOwnership	HIGH

• Access Control
  • The owner can set the minimum amount that can be redeemed instantly via the setMinRedeem(amount) function. Currently, it is set to 200 wstETH.
  • The owner can set the minimum waiting period via the setWaitingPeriod(secs) function. Currently, it is set to 7 days.
  • The owner can set the fee applied during the redemption by calling the setRedemptionFee(bps) function. Currently set to 0.05%.
• Redemption
  • Users initiate a redemption by calling the redeem(shares) function. The user is included in a redemption queue with the information regarding the amount of wsETH (calculated using the tETH.previewRedeem(shares) method) and the request’s start time.
  • After 7 days, users can finalize the redemption by calling the finalizeRedeem() function, which withdraws the wstETH from the Vault via the redemptionController.redeem(amount, user) function, transferring the wstETH to the user
    
    

TreehouseFastlane

The TreehouseFastlane contract enables users who want to redeem tETH instantly by paying a fee. It is a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	setMinRedeem, setFeeContract, transferOwnership	HIGH

• Access Control
  • The owner can set the minimum amount that can be redeemed instantly via the setMinRedeem(amount) function. Currently, it is set to 0.
  • The owner can set the fee contract that calculates and applies the fee for instant redemption via the setFeeContract. Currently, it is set to the FastlaneFee contract, and the fee set is 2%.
• Fast Redeem
  • Users can redeem tETH instantly by calling the redeemAndFinalize(amount) function. Internally, it verifies if the Vault contract has a sufficient amount to cover the redemption, and if so, it applies the 2% fee and calls the redemptionController.redeem(amount, user) function, transferring the wstETH to the user
    
    

PnlAccounting

The PnlAccounting contract is responsible for calculations that directly reflect the exchange rate of tETH. It calculates the profit and loss of assets locked in the Vault contract and deployed on the strategies contracts. Then, in a cooldown interval, it sends the amount to be minted or burned, plus fees, to the TreehouseAccounting contract via an executor, which updates the internal accounting (IAU token). It is a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	transferOwnership, setPauser, setCooldownSeconds, updateExecutor, setDeviation	HIGH
Safe 5-of-7, Safe 1-of-5	doAccounting	HIGH

• Access Control
  • The owner can set the executor address by calling the updateExecutor(address) function.
  • The owner can update the cooldown interval via the setCooldownSeconds(seconds) function.
  • The owner can set the deviation of the maximum PnL threshold per accounting window by calling the setDeviation(bps). Currently, the deviation is set to 0.025%.
  • The owner can pause/unpause the contract by calling the setPauser(bool) function.
• Exchange Rate update
  • The owner or the executor can initiate the internal accounting (reflecting the tETH exchange rate) by calling the doAccounting() function. Internally, it calls the NavLens helper contract to fetch the amount of IAU tokens held by the tETH Vault contract (lastNav) and the current amount of tokens in terms of wstETH held by the Vault contract, plus the amounts in use by strategies (currentNav). If the PnL is positive (currentNav > lastNav), the function then calls TreehouseAccounting.mark(type, amount, fee), indicating a mint request plus fees based on the difference between the current and last NAV values. Otherwise, it flags as a burn of IAU tokens.
  • It is important to mention that when calculating the lastNav (the current amount of tokens in terms of wstETH held by the Vault contract, plus the amounts in strategies), the NAVLens helper contract employs the token.balanceOf(vault) function. This approach could potentially expose the system to donation attacks. However, given the deviation variable in place, if the netPNL between the currentNav and lastNav is bigger than the lastNav * deviation, the exchange rate update reverts, acting as a safeguard from this kind of attack.
    
    

TreehouseAccounting

The TreehouseAccounting contract updates the internal accounting (IAU token) with the amounts plus fees calculated by the PnlAccounting contract. It is a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	transferOwnership, updateExecutor, updateTreasury, setFee	HIGH
Safe 5-of-7, PnlAccounting	mark	HIGH

• Access Control
  • The owner can set the executor address by calling the updateExecutor(address) function.
  • The owner can set the treasury address via the updateTreasury(address) function.
  • The owner can set the Fee in bps via the setFee(fee) function.
  • The owner or the executor (the PnlAccounting contract) can update the internal accounting (IAU token) by calling the mark(type, amount, fee) function, where type means to mint or burn IAU tokens. If it marks to mint, it mints the amount of IAU tokens, sends them to the tETH vault, and mints the fee value in tETH to the treasury. Otherwise, it just burns the amount of IAU tokens locked in the tETH vault.
    
    

Vault

The vault contract is responsible for holding assets from the system that were not deposited into the strategies. It is a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	setStrategyStorage, setRedemption, addAllowableAsset, removeAllowableAsset, transferOwnership, updateRescuer	HIGH
not assigned	rescueETH, rescueERC20	HIGH
tETH Strategy	withdraw	HIGH

• Access control
  • The owner can set the StrategyStorage contract via the setStrategyStorage(address) function.
  • The owner can set the Redemption contract via the setRedemption(address) function. Internally, this function also max approves the redemption contract, enabling it to pull the underlying asset (wsETH) from the Vault. Currently, it is set to the RedemptionController contract.
  • The owner can add and remove assets that can be withdrawn from the Vault via the addAllowableAsset(address) and removeAllowableAsset(address) functions, respectively.
  • Active strategies in the StrategyStorage Contract can withdraw allowed assets via the withdraw(asset, amount) function.
    
    

StrategyStorage

This contract stores the addresses of each strategy contract implemented in the system and the actions it can perform, such as supplying and borrowing assets from Aave (leverage wstETH strategy) and other lending markets soon. The actions are selectors that retrieve smart contracts stored in the ActionsRegistry contract, which contain the code necessary to execute. It also limits which assets each strategy can use during an action. It’s a non-upgradeable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	storeStrategy, whitelistActions, unwhitelistActions, whitelistAssets, unwhitelistAssets, pauseStrategy, unpauseStrategy, setStrategyExecutor	HIGH

• Access Control
  • The owner can add strategies via the storeStrategy(address, actions[], assets[]) function. It needs to specify which actions can be performed and for which assets.
  • The owner can add and remove actions for different strategies via the whitelistActions(id, actions[]) and unwhitelistActions(id, actions[]) functions, respectively.
  • The owner can add and remove assets for different strategies via the whitelistAssets(id, assets[]) and unwhitelistAssets(id, assets[]) functions, respectively.
  • The owner can pause/unpause strategies via the pauseStrategy(id) and unpauseStrategy(id) functions.
  • The owner can update the StrategyExecutor address by calling the setStrategyExecutor(address) function.
    
    

StrategyExecutor

teth-strategyexecutor-12616×887 175 KB

The StrategyExecutor contract is the starting point for executors to initiate actions on strategies, giving the strategy ID and the list of actions, calldata, and parameters necessary to perform them. It’s a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	updateExecutor	HIGH
-	executeOnStrategy⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀	HIGH

• Access control
  • The owner can add or remove executors of actions via the updateExecutor(address, bool) function.
  • Allowed executors can initiate actions on strategies via the executeOnStrategy(id, actions[], calldata[], paramsMapping[]) function, passing the strategy id, list of actions, their calldata, and param mappings.
• Executing Actions
  • After calling executeOnStrategy() the StrategyExecutor will validate in the StrategyStorage if strategy is active and if the actions passed are available for that strategy, if everything is correct, the executor calls strategy.callExecute() function which initiates the execution of the actions.
    
    

Strategy

The Strategy Contract is a general contract in which actions are performed via delegate call. It uses the storage and assets held by this contract. New strategies can be deployed and added or removed from the StrategyStorage contract. It’s a non-upgradeable contract.

Permission Owner	functions	Criticality	Risk
StrategyExecutor	callExecute⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀	HIGH

• Executing Actions
  • Only the StrategyExecutor contract initiates the actions on the Strategy contract via the callExecute(target, data) function. It passes as target the ActionsExecutor contract, which will perform delegate calls on each action contract via the actionExecutor.executeActions(actionsIds[], actionCalldata[], paramMapping[]) function.
    
    

ActionsExecutor

The ActionsExecutor is a stateless contract that performs via delegate call actions initiated on the Strategy contract. It’s a non-upgradable contract.

• Executing Actions
  • The Strategy contract initiates the execution of actions by calling the actionExecutor.executeActions(actionsIds[], actionCalldata[], paramMapping[]) function, which fetches each action address registered in the ActionsRegistry contract via the actionRegistry.getAddr(actionId), and then, via its internal delegateCallAndReturnBytes32(target, data), it performs a delegatecall (using the storage from the Strategy contract) by calling the action.executeAction(calldata) function.
    
    

ActionsRegistry

The ActionsRegistry contract stores all action addresses and capabilities for switching action addresses and rolling back to the previous one if necessary. It’s a non-upgradable contract.

Permission Owner	functions	Criticality	Risk
owner: Safe 5-of-7	addNewContract, revertToPreviousAddress, startContractChange, approveContractChange, cancelContractChange	HIGH

• Access Control
  • The owner can add new actions contracts via the addNewContract(id,address) function.
  • The owner can change a previous action contract via the startContractChange(id address) function. This function flags the action id as in change and sets the new contract as pending.
  • The owner can finalize the action contract change via the approveContractChange(id) function, which will remove the in-change flag for the id, set the final action address using the pending one, and keep the previous action address in the previousAddresses mapping if needed to roll back.
  • The owner can cancel the action contact change via the cancelContractChange(id), setting the pending address to address(0), and removing the in-change flag.
  • The owner can roll back to the previous action address via the revertToPreviousAddress(id) function. It will replace the current action id address with the address stored in the previousAddresses[id] mapping.
    
    

Pricing strategy

Our suggestion for pricing tETH is using a CAPO tETH/ETH adapter with the tETH Vault providing the exchange rate with a CL WETH/USD feed, which follows the procedure of pricing LSTs on Aave. We can confirm that the exchange rate provided by the tETH Vault is safeguarded against possible manipulations.

Miscellaneous

• The system has undergone security reviews by Trail of Bits, Sigma Prime, Fuzzland, Omniscia, and BlockSec. They can be found here. Also, there is an ongoing bug bounty program; more information can be found here.
• The system relies heavily on its owner (Safe wallet 5-of-7), which poses risks of centralization. If the signer’s wallet gets compromised or if malicious transactions are signed without their knowledge, various critical components of the system could be at risk. We recommend that the team implement a Timelock as the system’s owner, allowing sufficient time to validate any changes made within it.
• Treehouse intends to expand tETH with an underlying strategy using the Compound protocol for wstETH/WETH leverage.
  
  

Conclusion

Given the anticipated listing nature of the asset as collateral, we requested the Treehouse Team to timelock different parts of the system for security reasons, like upgradeability. The team has agreed to and will implement these requested changes, but it is a technical blocker.

We also don’t think it’s acceptable from a technical risk standpoint to have underlying strategies that rely on non-Aave lending protocols (e.g., aforementioned Compound), as this creates overly complex dependencies on systems that are not even aligned with Aave. However, community feedback on the topic is welcome.

Thank you, @bgdlabs, for this assessment. From the Lido contributors perspective, there is full alignment that timelock is desirable as a safety measure. Regardless of the outcome, it’s good to improve on security practices across the industry.

Multiple Aave deployments in theory give adequate diversification, growth, and arbitrage opportunities, so using only Aave-aligned venues appears to be minor impact on the strategies vs. what would be net positives out of reaching the alignment with contributor teams and communities.

I’d like to highlight that collaborating with Treehouse historically was easy and flawless. It is one of the rare projects these days that sticks to its word and honors the non-contractual agreements.

Looking forward to joint growth across Treehouse, Aave, and Lido products. Aave community can expect full Lido onchain contributor support during and after the integration.

After discussing with treehouse team, they will be fully Aave focused and aligned.

Therefore, this proposal has full ACI support.

Summary

LlamaRisk supports onboarding tETH to Aave V3 Prime. tETH is a liquid staking token backed by wstETH (Lido), utilizing leverage looping via Aave and ERC-4626 vault standards. Smart contracts have been externally audited and are covered by an active bug bounty program, though administrative control remains with a 5-of-7 multisig and currently lacks a timelock. Centralization risks persist, with dependency on Lido, Aave, and Chainlink oracles.

Liquidity for tETH is currently limited and concentrated in Treehouse-associated addresses but remains adequate for onboarding with conservative supply caps. Volatility-wise, tETH has closely tracked its underlying asset (wstETH) with minimal price deviation in normal market conditions. The protocol’s accounting logic and redemption mechanisms help maintain price alignment and guard against operational errors or manipulation. For on-chain pricing, the recommended source is the fundamental rate and CAPO adapter.

On the Legal front, Treehouse applies robust disclaimers and enforces jurisdictional restrictions. Based in Panama, where non-custodial staking remains unregulated, Treehouse operates outside mandatory regulatory frameworks.

Collateral Risk Assessment

1. Asset Fundamental Characteristics

1.1 Asset

tETH, issued by Treehouse Protocol, is a liquid ETH staking ERC20 token on Ethereum and Arbitrum designed to consolidate the fragmented on-chain interest rate market. tETH implements a leverage staking strategy by integrating Lido and Aave. tETH boosts ETH staking yields via leverage. Throughout the 1-year backtesting period (from June 9, 2023, to June 9, 2024), the tETH strategy has outperformed Lido staking by approximately 0.6%.

image1984×1022 184 KB

Source: The backtested daily return of the tETH strategy over 12 months, tAsset Whitepaper.

1.2 Architecture

When a user deposits ETH, WETH, stETH, or wstETH, the protocol issues an equal amount of tETH, representing the depositor’s pool share. Deposited ETH is staked through Lido, yielding wstETH, and the protocol enters a leverage loop on Aave:

1. Use wstETH as collateral.
2. Borrow ETH.
3. Stake the borrowed ETH through Lido.
4. Wrap the resulting stETH to wstETH and repeat.

The loop halts at a loan-to-value (LTV) target of 0.80. With Aave’s 94.5% liquidation threshold (eMode), the resulting health factor is about 1.18, sufficient to remain ≥ 1.0 if wstETH falls roughly 15.8%—the largest historical de-peg observed.

image1536×1227 94.7 KB

Source: Treehouse Docs – Yield Optimisation.

Yield consists of

• Ethereum staking rewards and
• The spread between the ETH borrowing rate on Aave and the staking rate.
  If borrowing costs rise above staking returns, the position can become unprofitable.

Withdrawal methods

• Swap – Immediate exchange via the tETH/wstETH Curve pool for amounts up to 200 wstETH (the Redemption Band).
• Normal Redemption – For amounts above 200 wstETH. tETH is burned, positions are unwound, and wstETH is claimable after roughly 7 days; a 0.05% fee applies.
• Fast Redemption – Instant withdrawal up to a protocol-defined cap; incurs a flat 2% fee.

image548×237 16 KB

Source: Treehouse App – Withdraw, 8 Apr 2025.

Multiple exit routes help limit forced selling pressure and reduce the likelihood of sharp price moves such as the -80 % ezETH event in 2024.

Peg-related mechanisms

1. Protocol-Owned Peg Protection (PPP)
   If tETH trades below its intrinsic value, the protocol uses the Insurance Fund to buy tETH in the Curve pool and redeem it. Arbitrage gains are allocated:
   • 25% – Insurance Fund
   • 25% – Curve pool liquidity
   • 25% – tETH holders
   • 25% – Treasury
2. Insurance Fund
   • Finances PPP operations.
   • Covers rebalancing shortfalls when borrowing costs exceed staking rewards (up to the staking rate).
   • May address other losses, subject to governance.
3. Underlying LST De-peg Plan
   If any collateral LST deviates by >2% from ETH for more than 24 h, the protocol:
   • Sells LST for ETH,
   • Repays Aave debt,
   • Withdraws remaining collateral, and
   • Allows users to withdraw in LST form.

Borrow-cost management

If Aave ETH utilization remains above 89% for two consecutive days, the protocol repays part of its debt by converting wstETH to ETH, aiming to reduce utilization and associated borrowing costs.

Decentralized Offered Rates (DOR)

Treehouse plans to publish on-chain benchmark rates (DOR). Future versions may allow tETH collateral to be restaked to support the rate-setting process and to earn additional rewards.

1.3 Tokenomics

tETH is denominated in wstETH, so tETH is a value-accumulating non-rebasing receipt token representing a user’s stake in the underlying assets in the tETH pool. That means a user’s balance of tETH will remain unchanged, and the value of tETH increases instead. The yield generated is credited to tETH holders once a day, and the yield distribution is reflected in the tETH:wstETH exchange rate.

The market cap of tETH to collateral value ratio is 1:1, as seen in the following images (Total collateral = tETH on Ethereum + Arbitrum):

image975×255 21.4 KB

Source: Vaults, Treehouse Finance, April 8th, 2025.

The total underlying ETH amount is 87,218 ETH, and the Vault Capacity is 100,000 ETH, which means 87.21% of the tETH vault that has been filled.

Treehouse Finance does not currently have a governance token.

1.3.1 Token Holder Concentration

image900×363 24.8 KB

Source: Top 100 tETH Holders on Ethereum, Etherscan, April 8, 2025.

Underlying assets behind tETH, 87,218 ETH, represent 0.072% of the total ETH supply.

The top 5 holders of tETH are:

• Pendle SY tETH Contract: 19.3% of the supply.
• 0xbe8dCE3e74B225180BC2e3D1290AB6997E810Df8: 12.2% of the supply.
• Ether.Fi Liquid ETH Contract: 11.6% of the supply.
• Compound cWstETHv3 Contract: 5.7% of the supply.
• 3/4 Safe Multisig: 4.9% of the supply.

The top 10 holders own 70.6% of the total supply. When considering the top 100 holders, this concentration increases to 98.0%.

2. Market Risk

2.1 Liquidity

image460×423 22.4 KB

Source: tETH Liquidity, LlamaSwap, April 8th, 2025.

There is a 7.07% slippage for selling 1650 tETH. Considering tETH’s market cap, tETH has poor DEX liquidity. If Aave liquidators need to sell tETH to cover bad debt, this could cause tETH price fluctuations on DEXs.

2.1.1 Liquidity Venue Concentration

image1015×375 51.1 KB

Source: tETH Liquidity Pools on Ethereum by Trading Volume, DEX Screener, April 8, 2025.

The total tETH liquidity across DEXs on the Ethereum network is approximately $9.2M, with most of it held in two Curve pools. These 2 Curve pools and a Balancer liquidity pool are the only liquidity venues with significant volume.

tETH Liquidity pools, ranked by TVL (as of April 8, 2025):

• Curve tETH/weETH: $4.4M
• Balancer tETH/wstETH: $2.8M
• Curve tETH/wstETH: $2.0M
  • tETH redemptions within the value of the Redemption Band are done through this pool.

2.1.2 DEX LP Concentration

LP concentration is very high, with Treehouse nearly providing all the liquidity. However, Treehouse does not have an incentive to pull the liquidity out. Here is the breakdown for the 3 liquidity pools (as of April 8, 2025):

• Curve tETH/weETH: 99.4% of the liquidity is held by 2 addresses.
  • 76.0% of the liquidity is held by 0xaD744e7B3ae782b2c6DD6c316332d60ac33D8Db2. Examining the transaction history, it is very likely that this contract belongs to Treehouse.
  • 23.4% of the liquidity is held by 0x5E4ACCa7a9989007cD74aE4ed1b096c000779DCC. This is a SimpleStakingERC20 contract that belongs to Treehouse.
• Curve tETH/wstETH: 99.9% of the liquidity is held by the same 2 addresses as the other Curve liquidity pool above.
  • 76.3% of the liquidity is held by 0x5E4ACCa7a9989007cD74aE4ed1b096c000779DCC.
  • 23.6% of the liquidity is held by 0xaD744e7B3ae782b2c6DD6c316332d60ac33D8Db2.
• Balancer tETH/wstETH: 93.5% of the liquidity is held by the same 0xaD744e7B3ae782b2c6DD6c316332d60ac33D8Db2 that likely belongs to Treehouse.

2.2 Volatility

Since launch, tETH has closely tracked wstETH—its underlying asset—exhibiting no material price dislocations. The protocol denominates all internal accounting in wstETH. Historical price behavior should align with this ratio, assuming the yield differential between tETH and wstETH has remained broadly constant. The Curve pool data below supports that expectation.

image2100×850 141 KB

Source: tETH/wstETH pool, Curve, 28 Mar 2025.

Across the observed period, deviations from the modeled ratio have stayed within ±1 %, indicating limited volatility relative to the underlying asset.

2.3 Exchanges

tETH is exclusively traded on DEXs and is not currently listed on any centralized exchange.

2.4 Growth

image2844×1194 148 KB

Source: tETH TVL regarding ETH on Ethereum and Arbitrum, Dune, March 28, 2025.

image1462×616 29.9 KB

Source: tETH Number of Holders on Ethereum, Dune, April 4, 2025.

The TVL (in terms of ETH) of tETH on Ethereum and Arbitrum and the number of tETH holders have been constantly increasing.

3. Technological Risk

3.1 Smart Contract Risk

Treehouse Finance has demonstrated a strong commitment to security by subjecting its smart contracts to multiple external audits. 3 recent audits have been done that relate to tETH:

• Trail of Bits (October, 2024): 2 medium severity vulnerabilities and 4 informational issues were found. 1 medium severity vulnerability and 3 informational issues were resolved.
• Sigma Prime (September, 2024): 1 low severity vulnerability and 3 informational issues were found. One low-severity vulnerability and 2 informational issues were resolved.
• Fuzzland (September, 2024): 6 low severity vulnerability and 4 informational issues were found. All resolved.

Omniscia and BlockSec audits are announced to be coming soon.

3.2 Bug Bounty Program

Treehouse Finance has a Bug Bounty program with Hackenproof. There are 2 programs, Treehouse Web and Treehouse Smart Contracts, with rewards up to $10,000 and $250,000 respectively, depending on the severity of the threat.

Treehouse Web program offers $2,500 - $10,000 for critical, $1,000 - $2,500 for high, $500 - $1,000 for medium, $100 - $500 for low severity vulnerabilities found. There have been 58 submissions for this program so far.

Treehouse Smart Contracts program offers $100,000 - $250,000 for critical, $25,000 - $50,000 for high, $5,000 - $10,000 for medium, $1,000 - $2,000 for low severity vulnerabilities found. There have been 63 submissions for this program so far.

There are no disclosed reports at the moment, so the results of the Bug Bounty Program are unknown.

3.3 Price Feed Risk

tETH is priced based on the protocol’s internal accounting of its underlying wstETH holdings, with the exchange rate updated by smart contract logic. To prevent donation attacks or sudden, unaccounted-for changes in net asset value (NAV), a “deviation” threshold limits how much the NAV can change in a single update—if the change exceeds this limit, the update is blocked. This mechanism protects users from manipulation or operational errors affecting tETH’s value.

3.4 Dependency Risk

tETH is presently collateralized by wstETH. A failure of Lido—or any additional LST protocol that Treehouse may add—would eliminate that collateral and, by extension, the intrinsic value of tETH. Because the protocol has no control over external LST operations, its main mitigation is diversification: Treehouse assesses other LSTs, applies risk-weight caps, and may hold several tokens to avoid total reliance on a single provider.

A sustained wstETH price decline relative to ETH raises the loan-to-value (LTV) of the leveraged position on Aave. A 16 % de-peg, for example, would push the strategy’s LTV to 96 %, exceeding Aave’s 95 % liquidation threshold and forcing collateral sales. The –80 % ezETH event in 2024 illustrates how sharply an LST can diverge. Treehouse’s automated De-pegging Contingency Plan unwinds positions and repays debt whenever a > 2 % de-peg persists for 24 hours.

The leverage loop relies on Aave. A failure of that lending protocol—due to contract exploits, insolvency, or regulatory action—would endanger the collateralized wstETH. Treehouse can reduce concentration by splitting leverage across several over-collateralized lenders, which increases operational complexity.

Aave’s positions depend on Chainlink price feeds. Incorrect or delayed oracle data can prompt liquidations, with losses estimated by (1 − LTV) + LTV × de-peg %, as described in the oracle-risk documentation. The specific feeds are the ETH/USD and wstETH/ETH oracles.

Transfers of tETH from Ethereum to Arbitrum use Chainlink’s CCIP. Any downtime, message-layer attack, or oracle manipulation affecting CCIP could delay or mis-route bridged funds, adding another dependency risk for users who rely on cross-chain liquidity.

4. Counterparty Risk

4.1 Governance and Regulatory Risk

Treehouse Finance does not have a DAO and does not have a governance token. The core team currently handles all operations. However, it is mentioned in the documentation that parameters will be subject to governance in the future, so the creation of a DAO structure is to be expected.

Treehouse’s corporate architecture is anchored in the Republic of Panama, with Gaia Labs Corp identified in the Terms of Service as the owner and operator of the website located at https://treehouse.finance/. These Terms govern every aspect of a user’s interaction with the website, the Treehouse Protocols, and any additional blockchains on which the protocols are deployed. Although the Treehouse Protocols are freely accessible as open-source software on GitHub, Gaia Labs Corp, and its affiliates retain the ability to maintain and modify the codebase.

According to the Terms, the protocol enables users to engage in specific activities, particularly deploying their own supported digital tokens through a pass-through mechanism that can direct those assets to external protocols such as Lido or Aave. Using Treehouse for that purpose, users acknowledge that each deployment is executed solely at their own initiative; no third party assumes custody of, exercises discretion over, or otherwise controls their tokens. The documentation further clarifies that Treehouse has no corporate affiliation with Lido, Aave, or their respective development teams and offers no assurances regarding the stability or security of those third-party platforms.

Access to Treehouse is barred for any “Excluded Person,” meaning an individual or entity that is a citizen of, resident in, domiciled in, or physically present within an “Excluded Jurisdiction.” The list of excluded territories presently encompasses the United States and its possessions, the People’s Republic of China, any jurisdiction designated by the Financial Action Task Force as “High-Risk or Other Monitored,” and any other locale where the use of Treehouse would be illegal or subject to licensing, permit, or approval requirements. Users are prohibited from using virtual private networks or similar tools to conceal their location.

From a regulatory standpoint, Treehouse operates where Panamanian law currently leaves largely unaddressed. Panama has yet to impose a supervisory regime on non-custodial staking services; by extension, DeFi activities that rely on non-custodial staking remain outside established oversight. Likewise, Panamanian statutes do not expressly regulate liquid-staking tokens, and the Superintendency of the Securities Market has indicated that, under existing securities legislation, it does not regard cryptocurrencies—or, by implication, LSTs—as securities.

4.2 Access Control Risk

4.2.1 Contract Modification Options

The tETH contract is an ERC1967 upgradeable proxy implemented via an ERC-4626-compliant upgradeable vault contract. The implementation address is 0xD1A622566F277AA76c3C47A30469432AAec95E38, and it inherits from ERC4626Upgradeable. The strategy execution is primarily automated. For example, looping continues programmatically until the safe LTV is reached. The Loan Repayment Strategy triggers automatically when ETH borrowing utilization exceeds 89% for 48 hours. Manual governance is only required for upgrades or parameter tuning, not day-to-day operations. It has critical modification options controlled by its admin, including:

The contract includes several privileged functions that allow administrative modifications, posing significant access control risks. The most critical modification capabilities are:

Changing Contract Ownership:
Functions: transferOwnership, acceptOwnership, renounceOwnership.
Impact: Transfers or permanently relinquishes ownership.

Upgrading Contract Logic:
Function: upgradeToAndCall.
Impact: Enables upgrades to the contract’s implementation (via UUPS proxy pattern); this allows changes to the core logic, tokenomics, or security.

Blacklisting/Unblacklisting Addresses:
Functions: blacklist, unBlacklist.
Impact: Restricts or permits specific addresses from interacting with the contract.

Modifying Blacklister Role:
Function: updateBlacklister.
Impact: Changes the address authorized to execute blacklist/unblacklist actions, altering access control parameters.

Minting New Tokens:
Function: mint.
Impact: Increases token supply. This enables inflationary exploits.

Altering Administrative Privileges:
Functions: Ownership-related functions (transferOwnership, renounceOwnership) and role updates (updateBlacklister).
Impact: Shifts critical permissions to new addresses, risking centralized control.

Since there is no timelock or governance process, these modification options bring a centralization risk.

4.2.2 Timelock Duration and Function

The tETH contract and the owner do not appear to have timelock functionality.

4.2.3 Multisig Threshold / Signer identity

The owner of tETH contract is a 5/7 Safe multisig.

The signers are:

• 0x4D8aC8527849018E1fe60Bafce26D635fDB570a9
• 0xaBA92efa92a7a8F10bDf3d608838D368c7860F5b
• 0x52fD0D1C58Ea9f0F4336583E29b403c96143d1D0
• 0x9F24fDD290c4A32a7Eef0CD0C4365fA326420Da7
• 0xD795504963F418B35bFB108e5cA87e8cC97Ee067
• 0x21B57aC972D4DF5f452a1E36EBAB68d96b2aC692
• 0xfE801FEbd1c0A13652d6325f789b9a50fC90e617]

Note: This assessment follows the LLR-Aave Framework, a comprehensive methodology for asset onboarding and parameterization in Aave V3. This framework is continuously updated and available here.

Aave V3 Specific Parameters

Will be presented jointly with @ChaosLabs

Price feed Recommendation

We recommend using the [tETH/wstETH Exchange Rate] (https://etherscan.io/address/0x7B2Fb2c667af80Bccc0B2556378352dFDE2be914) (fundamental rate) in conjunction with wstETH/USD and CAPO.

Disclaimer

This review was independently prepared by LlamaRisk, a community-led decentralized organization funded in part by the Aave DAO. LlamaRisk is not directly affiliated with the protocol(s) reviewed in this assessment and did not receive any compensation from the protocol(s) or their affiliated entities for this work.

The information provided should not be construed as legal, financial, tax, or professional advice.

Overview

Chaos Labs supports listing tETH on Aave’s Prime instance. Below is our analysis and initial risk parameter recommendations.

Treehouse Protocol Overview

Treehouse Protocol aims to become decentralized fixed income infrastructure designed to unify fragmented interest rates across the digital asset landscape. At its core, it introduces two foundational primitives: Treehouse Assets (tAssets) and Decentralized Offered Rates (DOR). These components aim to establish standardized benchmark rates in crypto, similar to how traditional finance relies on treasury yield curves or interbank lending rates like SOFR and LIBOR.

The Treehouse Protocol addresses a fundamental issue in DeFi today: on-chain interest rate fragmentation. Without a unified reference rate, the same asset—such as ETH—can exhibit drastically different lending or borrowing rates across protocols like Aave, Spark, or Compound.

tAssets, like tETH, are expected to play a critical role in addressing this by aligning interest rates with Ethereum’s staking yield, which Treehouse positions as a proxy for ETH’s “risk-free” rate. Meanwhile, DOR serves as a decentralized consensus mechanism for setting benchmark rates across various timeframes and risk levels, providing the infrastructure necessary for advanced financial instruments such as interest rate swaps, floating rate notes, and more.

Together, these tools aim to democratize access to fixed income arbitrage strategies, reduce inefficiencies in the interest rate pricing of the same debt asset across different markets, and lay the groundwork for a mature on-chain debt capital market.

tETH Technical Architecture

tETH is a yield-bearing LST and the first implementation of a tAsset, designed to unify Ethereum’s fragmented interest rate landscape through an automated leveraged staking strategy.

It aims to systematically capture the spread between ETH borrowing rates and Ethereum staking yields, effectively approximating Ethereum’s “risk-free rate” while delivering yields that exceed those of native LSTs like wstETH.

Strategy Mechanics

Technically, tETH achieves this by leveraging recursive staking strategies across lending protocols like Aave and Spark. Here’s a simplified breakdown of the process:

1. Borrow ETH at a lower rate on platforms like Aave or Spark.
2. Stake the borrowed ETH into wstETH via Lido to earn staking yield.
3. Deposit the LST back into Aave or Spark to gain leverage.
4. Repeat steps 1–3 until the position reaches a target LTV ratio.
5. Continuously monitor and adjust the positions to ensure the staking yield consistently exceeds the borrowing cost, maintaining a positive carry

This rehypothecation loop continues until the marginal arbitrage opportunity is eliminated or risk parameters are met. In doing so, tETH leverages the recursive difference between borrowing costs and staking yield to extract additional return.

This strategy resembles a fixed income arbitrage play: borrow cheap (ETH lending rates), lend high (staking yields), and pocket the spread. As more capital engages in this arbitrage play—whether via tETH, other protocols like Fluid Lite, or through individual users manually deploying similar strategies—the system naturally pushes borrowing rates upward and staking yields downward, thereby closing the arbitrage window and aligning rates across the ecosystem.

Screenshot 2025-04-30 at 10.31.41 (1)1284×754 44.7 KB

tETH Leveraged Staking Strategy Visualized

Sources of Yield for tETH Holders

The yield generated by tETH combines staking rewards from LSTs with additional returns from interest rate arbitrage.

• Base Yield (LST Rewards): tETH is backed by wstETH, which generate Ethereum staking rewards.
• Market Efficiency Yield (MEY): The yield generated from the spread between staking rewards on wstETH and borrowing rates of ETH in lending protocols.

Deployed Strategies

The Treehouse Protocol manages capital across four active strategy contracts, each deployed to interact with specific lending protocols. These contracts are registered in the StrategyStorage contract, where addresses can be queried using the getStrategyAddress(id) function. The StrategyStorage contract also tracks the actions each strategy can perform (e.g., supply, borrow) and the token types it interacts with, such as ETH and wstETH.

So far, the protocol has integrated with Aave (Core & Prime), Spark, and Gearbox, with each strategy designed to either deploy leveraged positions or supply capital passively.

TVL Allocation Across Strategies

The distribution of TVL across these four strategies reflects a balanced risk posture and diversified protocol exposure:

• 41.2% of the TVL is currently held as idle wstETH within strategy contracts and has not been actively deployed into any lending protocol. This passive allocation provides flexibility for future reallocation and buffers for redemptions or deleveraging events.
• 21.6% of the TVL is allocated to leveraged wstETH/ETH positions, deployed via Aave Core and Spark. These strategies are actively used to capture the spread between staking yields and borrowing costs.
• The remaining 37.2% of the TVL is deployed as supply-only positions, with deposits made to Aave Prime and Gearbox. These positions are not leveraged and are used for base lending yields and to farm additional protocol incentives.

strategy_allocation (1)3180×1796 271 KB

Mint

Users can mint tETH by depositing ETH, WETH, stETH, or wstETH. The protocol’s Router contract handles each asset type accordingly—for example, if a user deposits ETH, it is first staked via Lido to receive stETH, then wrapped into wstETH. Alternatively, users can deposit wstETH directly to bypass these conversion steps. Once all deposits are standardized into wstETH, tETH is minted and sent to the user’s wallet based on the current tETH:wstETH exchange rate.

After minting, the newly deposited wstETH is sent to the Vault contract. Depending on prevailing market conditions and profitability, the wstETH may either be deployed as collateral in one of the whitelisted lending protocols to borrow more ETH (which is then restaked and looped) or held unlevered in the vault. The entire minting process is atomic and incurs no fees.

Redemption

tETH holders can redeem their tokens through one of three pathways, depending on the size and urgency of their redemption.

1. Normal Redemption (7-Day Delay, 5bps Fee)

For redemptions above the 200 tETH, users can submit a normal redemption request directly through the Treehouse dApp. In this case:

• tETH is sent to the Redemption contract upon request.
• Underlying assets are gradually unwound and repaid across lending strategies.
• The process includes unwrapping wstETH, unstaking stETH, and repaying ETH loans, which may take up to 7 days depending on the constraints of the underlying LST protocol (i.e, Lido).
• Once the process is complete, the user can claim their corresponding wstETH based on the minimum observed exchange rates during the redemption window, while the redeemed tETH is sent to the burn contract.
• A 0.05% (5bps) redemption fee is applied to offset costs incurred by the protocol.

2. Fast Redemption (Instant, 2% Fee)

For users who require immediate access to their assets, Fast Redemption is available. However, it is limited to Vault liquidity at the time. This option allows users to redeem tETH for wstETH instantly, drawn directly from the Vault’s holdings (currently up to 2,325 wstETH). A flat 2% fee is applied to fast redemptions, which is directed to the Treehouse Treasury to ensure long-term liquidity support.

3. Liquidity Pool (Instant, 0% Protocol Fee, Subject to Slippage and DEX Fees)

Users can instantly swap their tETH for wstETH via the tETH/wstETH Curve Liquidity Pool. This on-chain swap is seamless and incurs no protocol-imposed fees, though it is still subject to DEX trading fees and slippage, which may vary based on trade size and pool liquidity.

This Curve pool is supported by Treehouse’s Protocol-Owned Pegged Protection (PPP) mechanism. When tETH trades below its intrinsic value, the protocol steps in to buy tETH from the open market and redeem it, helping restore parity while capturing profit.

In addition to the PPP-backed Curve pool, users may also choose to swap tETH to wstETH via other liquidity pools on Curve and Balancer, depending on availability and pricing at the time of redemption.

Risk Overview and Mitigation Measures

The tETH system introduces multiple layers of complexity through its leveraged staking architecture and integration with external DeFi protocols. Below, we outline key risks and the mechanisms employed to mitigate them:

1. tETH Depeg Risk

Description: A deviation in the tETH market price from its intrinsic value (backing in wstETH) could impact user confidence.

Impact: Depending on the oracle design, this may lead to liquidation risks in lending platforms and systemic volatility in protocols that accept tETH as collateral.

Mitigations:

• Protocol-Owned Peg Protection (PPP): When tETH trades below its NAV, the Treehouse Insurance Fund programmatically purchases tETH from the open market and redeems it to capture arbitrage profit and help restore the peg. The size and address of the Treehouse Insurance Fund have not been publicly disclosed.
• Emergency Liquidity Retention: A portion of capital remains unlevered in the Vault, enabling rapid redemption without needing to unwind all strategy positions.
• Oracle Design: By pricing the asset through a combination of the exchange rate and the Chainlink ETH/USD feed, the oracle shields the system from short-term market price fluctuations.

2. wstETH Depeg Risk

Description: While a depeg between wstETH and ETH would reduce collateral value and trigger liquidations across leveraged positions, all of the whitelisted lending protocols that are being utilized for wstETH yield strategies, price wstETH based on the staking exchange rate and ETH/USD feed, shielding the system from short-term market price deviations.
However, Treehouse employs an automated de-pegging contingency plan that activates if the wstETH/ETH market price deviates by more than 2% for a period exceeding 24 hours. The protocol continuously monitors the ETH-to-LST ratio on a per-block basis to distinguish between sustained depeg events and short-lived price anomalies. If the threshold is breached, the system initiates an automatic unwind of leveraged positions. This involves swapping LST holdings back to ETH via on-chain liquidity pools, using the recovered ETH to repay outstanding loans on lending platforms. Once debts are cleared, any remaining LST collateral is withdrawn from the lending protocols.

However, while Treehouse does not specify whether the wstETH internal exchange rate or the market price gets taken into consideration for the triggering of the unwinding, this process could lead the wstETH to be swapped to WETH during a temporary price deviation, realizing avoidable temporary losses.

Impact: This could lead to a negative price change to the tETH/wstETH exchange rate, impacting tETH price and causing liquidations.

Mitigation:

• Reduced Exposure to Leverage: Only 20% of the total tETH backing is currently being utilized within lending strategies, reducing the expected loss during an untimely unwind.

3. Donation Attack

Description: Malicious users could inflate the Vault’s perceived holdings by sending extra tokens, manipulating the accounting used for exchange rate updates.

Impact: Incorrect minting or burning of tETH, leading to unfair dilution or value transfer among holders.

Mitigation:

• Exchange Rate Update Guardrails: The doAccounting() function computes NAV deltas between lastNav and currentNav using actual balances and strategy-held tokens. If the positive PnL exceeds a pre-set deviation threshold, the update reverts, neutralizing the effect of donations on exchange rate manipulation.
• Correlated Assets Price Oracle: Through the use of a Capped Oracle feed for tETH on Aave, we can minimize the risk induced by exchange rate manipulation.

4. ETH Borrowing Rate > Staking Yield

Description: If borrowing costs on lending protocols exceed staking yields, the strategy could operate at a negative carry, reducing returns or even triggering losses.

Impact: Sustained yield erosion, net losses for tETH holders, and possible deleveraging spirals during volatile periods.

Mitigation:

• Dynamic Deleveraging: The protocol continuously tracks borrow rates. If profitability thresholds are breached, strategies deleverage to minimize exposure and preserve net yield.
• Short-Term Loss Coverage: The protocol claims that short-term losses arising from negative carry (i.e., borrowing rates exceeding staking yields) may be covered by the Treehouse Insurance Fund. However, the size and address of this fund have not been publicly disclosed.

5. Lending Protocol Default Risk

Description: A default, insolvency, or smart contract exploit within integrated protocols could cause capital losses.

Impact: Partial or total loss of funds allocated to affected protocols, and net losses for tETH holders, depending on the severity of the exploit and the extent of collateral recovery. Additionally, lending protocols that accept tETH as collateral may incur bad debt if collateral values fall rapidly or cannot be recovered.

Mitigation:

• Protocol Diversification: Funds are spread across multiple lending protocols to reduce exposure to any single point of failure. Additionally, with Spark being a whitelisted Aave fork, Gearbox remains the sole Lending market from tETH backing, which doesn’t use battle-tested Aave code.

6. LST Platform Risk (Lido / wstETH)

Description: Lido, as the underlying LST provider, could face validator slashing.

Impact: Reduction in asset backing tETH, leading to potential losses or redemptions below expected NAV.

Mitigation:

• Exposure Analysis: Post-Pectra, slashing penalties are significantly reduced and correlation penalties are better modeled. Refer to Chaos Labs’ separate analysis on Lido validator risk. The impact is assessed to be minimal for node operator originated slashing events.

Market Capitalization

tETH is an Ethereum mainnet-native token, launched in September 2024, and has since demonstrated steady growth in total supply and adoption. As of the latest data, tETH has reached a new all-time high supply of 75,726.8 tETH, backed by 91,128.23 ETH, representing a TVL of approximately $164 million.

While tETH is also available on Arbitrum, cross-chain adoption remains limited at this stage, with only 1,378.7 tETH (1.8% of total supply) bridged to the network.

While the total supply of tETH is still relatively modest, it has shown consistent growth over time.

total_supply (1)2140×1450 182 KB

Liquidity

As of now, tETH maintains approximately $12.3 million in on-chain liquidity across four pools—two on Curve and two on Balancer. Of this, roughly $5.5 million is on the buy-side, representing the depth available for tETH holders looking to exit into stablecoins or ETH with minimal slippage.

Given current market conditions and pool composition, it’s possible to trade up to 1,800 tETH (≈$3.8 million) into wsETH with less than 2% price impact via decentralized exchanges.

liquidity_breakdown (1)2140×1450 247 KB

In addition to pool liquidity, the tETH Vault contract facilitates Fast Redemption, allowing users to redeem tETH directly for wstETH at a flat 2% fee. Since mid-March, the Vault has consistently held between $5–6 million in wstETH, with current holdings near $5 million (2,341 wstETH), available for immediate redemptions.

liquidity_in_vault (1)2140×1450 206 KB

Combined, the liquidity pools and Vault provide approximately $8.8 million in effective liquidity for tETH holders to exit their positions within a ~2% impact range. Relative to tETH’s current $164 million TVL, this represents a solid base of accessible, low-slippage liquidity for the asset across on-chain venues.

Oracle/Pricing

The tETH smart contract maintains an internal exchange rate that reflects the supply of tETH relative to its backing in wstETH. This exchange rate is updated based on the total supply of tETH and the total assets under management in the Vault and deployed strategies.

For integration, Chaos Labs recommends creating a new CAPO adaptor for the tETH/WETH exchange rate to ensure secure and accurate pricing of tETH in USD terms. Specifically, we suggest the following oracle composition:

• Initially, the tETH/wstETH exchange rate is retrieved from the tETH contract.
• Then, the wstETH/stETH exchange rate is retrieved from the stETH contract.
• A tETH/WETH CAPO adapter is applied to the aggregate exchange rate implementation and associated yield structure stemming from both tETH/wstETH and wstETH/stETH, thereby allowing for more optimal buffer parameterization of the maxYearlyRatioGrowthPercent as opposed to a dual tETH/wstETH CAPO and wstETH/stETH adapter.
• Finally, the existing ETH/USD feed, which provides a reliable WETH/USD price feed, will be used.

LT, LTV, and Liquidity Bonus

To maintain the Prime instance’s intended purpose and limit the number of asset pairs, we recommend setting conservative LTV and LT parameters for tETH outside of E-Mode. Hence we recommend an LT of 0.10%, an LTV of 0.05%, and a Liquidation Bonus of 7.5%. This configuration aligns with the parameters adopted for other assets in the same instance. Additionally, we recommend listing this asset as non-borrowable.

Supply Cap

To ensure a controlled onboarding of tETH to the Aave protocol, we recommend setting the Supply Cap at 20,000 tETH. This configuration reflects a cautious approach to risk management while still allowing meaningful participation from users looking to supply tETH as collateral.

E-Mode

We propose creating an isolated Liquid E-Mode for tETH and wstETH. In this configuration, tETH would be enabled only as collateral, and wstETH only as borrowable to prevent unintended utilization. In order to allow for a profitable use of the Fast Redemption buffer in the tETH contracts during liquidations, we recommend increasing the Liquidation Bonus of the E-Mode to 2%.

Given the increased liquidation buffer, we similarly recommend slightly more conservative LT and LTV parameters than the ETH-Correlated E-Mode.

CAPO

tETH inherits the base staking yield of wstETH and enhances it through interest rate arbitrage strategies deployed across lending protocols. This results in a dynamic APY that reflects both Ethereum staking rewards and the spread captured from leveraging wstETH in lending markets.

Given the variable nature of ETH borrowing demand, the net APY of tETH relative to wstETH (MEY) can fluctuate. These fluctuations are primarily driven by utilization spikes in lending protocols, which may temporarily compress or amplify the interest rate spread. That said, historical data shows that these variations remain within a confined and reasonably predictable range, with no prolonged periods of extreme divergence.

To ensure a stable and manipulation-resistant price feed for the tETH/wETH CAPO adaptor, we propose a maxYearlyRatioGrowthPercent of 12.04%, capturing expected yield from arbitrage coupled with the underlying wstETH/stETH staking yield, and a MINIMUM_SNAPSHOT_DELAY of 14 days to filter out short-term volatility.

capo (1)2140×1419 300 KB

Specification

E-Mode

tETH/WETH CAPO

Disclaimer

Chaos Labs has not been compensated by any third party for publishing this recommendation.

Copyright

Copyright and related rights waived via CC0

The current proposal has been escalated to ARFC Snapshot.

Vote will start tomorrow, we encourage everyone to participate.

Thank you everyone for your participation.

After Snapshot monitoring, the current ARFC Snapshot ended recently, reaching out both Quorum and YAE as winning option, with 623.5K votes.

Therefore [ARFC] Onboard tETH to Aave v3 Prime Instance has PASSED.

Next step will be the publication of an AIP for final confirmation and enforcement of the proposal.