Trestle Finance

Code Audit

A decentralized finance protocol for liquidity management and yield optimization.

Audit Report

Blockchain security isn't optional.

Protect your smart contracts and DeFi protocols with Three Sigma, a trusted security partner in blockchain audits, smart contract vulnerability assessments, and Web3 security.

Introduction

Trestle Protocol connects Celestia’s modular data-availability layer to Ethereum, introducing Wrapped TIA (wTIA) and a permissionless bridge for friction-less liquidity, trading, and application development between the two ecosystems.

Why Did They Need an Audit?

The launch version of Trestle custodies Celestia TIA on Ethereum, mints/burns wTIA, and levies swap-based taxes routed through an on-chain distributor. Failures in access control, slippage safeguards, or reward accounting could lead to unrecoverable asset loss, MEV-driven value extraction, or protocol insolvency. Trestle hired Three Sigma for an intensive review ahead of its public deployment.

Scope of the Engagement

  • Files Audited: Trestle.sol, wTIA.sol
  • Timeline: 7 Feb 2024 – 9 Feb 2024
  • Team: 2 auditors · 3 calendar days
  • Chain: Ethereum

Audit Date: 2024-01-02

Language: Solidity

Type: Code Audit

Results and Findings

Key High-Severity Issue

Permissionless distribute() enables zero-slippage sandwiching

  • Description: Anyone could call distribute() with amountOutMinimum = 0, forcing a swap at any price and extracting value via MEV.
  • Resolution: The team disabled tax-based swaps and will gate future reward distributions behind a keeper role.

Notable Medium-Severity Issues

1 - Stuck tokens due to unsafe transfer()

  • Description: reclaimToken() used raw transfer, which fails on non-standard ERC-20s and could permanently lock funds.
  • Recommendation: Use SafeERC20.safeTransfer() for all token movements.
  • Status: Acknowledged; fix planned for v1.1.

2 - Swaps lacked explicit deadline parameter

  • Description: Passing block.timestamp as the deadline inside the same transaction leaves validators a full block in which to reorder trades, down to the minimum-out threshold.
  • Recommendation: Require a user-supplied deadline in addition to amountOutMinimum.
  • Status: Addressed by removing swap-tax path.

3 - Taxed sells vulnerable to MEV

  • Description: Sells during tax mode set minimumAmountOut = 0, exposing users to toxic slippage.
  • Recommendation: Either disable taxes (chosen) or enforce a non-zero slippage guard.
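As an added illustration (not code from the Trestle repository or the audit report), the distributor-side findings above combined in one hardened contract: a keeper gate, a non-zero amountOutMinimum and a caller-supplied deadline for distribute(), and safeTransfer for reclaimToken(). It assumes a Uniswap V3 style ISwapRouter and OpenZeppelin's AccessControl and SafeERC20; the contract name, KEEPER_ROLE and POOL_FEE are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {ISwapRouter} from "@uniswap/v3-periphery/contracts/interfaces/ISwapRouter.sol";

// Hypothetical distributor written for this summary; not Trestle's contract.
contract HardenedDistributor is AccessControl {
    using SafeERC20 for IERC20;

    bytes32 public constant KEEPER_ROLE = keccak256("KEEPER_ROLE");
    uint24 public constant POOL_FEE = 3000; // assumed 0.3% pool
    ISwapRouter public immutable router;
    IERC20 public immutable tokenIn;
    IERC20 public immutable tokenOut;

    constructor(ISwapRouter _router, IERC20 _in, IERC20 _out, address admin, address keeper) {
        router = _router;
        tokenIn = _in;
        tokenOut = _out;
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
        _grantRole(KEEPER_ROLE, keeper);
    }

    // Weak pattern from the findings above (kept as a comment): anyone could call
    //   distribute(amountIn) with deadline: block.timestamp, amountOutMinimum: 0,
    //   so a searcher could sandwich the swap for nearly its whole value.
    // Hardened: keeper-only, caller-supplied minimum-out and deadline, both enforced.
    function distribute(uint256 amountIn, uint256 minOut, uint256 deadline)
        external onlyRole(KEEPER_ROLE) returns (uint256 amountOut)
    {
        require(minOut > 0, "min out must be non-zero"); // blocks the zero-slippage case
        require(deadline >= block.timestamp, "deadline passed"); // not derived from block.timestamp
        tokenIn.forceApprove(address(router), amountIn);
        amountOut = router.exactInputSingle(ISwapRouter.ExactInputSingleParams({
            tokenIn: address(tokenIn), tokenOut: address(tokenOut), fee: POOL_FEE,
            recipient: address(this), deadline: deadline, amountIn: amountIn,
            amountOutMinimum: minOut, sqrtPriceLimitX96: 0
        }));
    }

    // Finding 1: safeTransfer handles ERC-20s that return nothing instead of a bool.
    function reclaimToken(IERC20 token, address to, uint256 amount) external onlyRole(DEFAULT_ADMIN_ROLE) {
        token.safeTransfer(to, amount);
    }
}
```

The keeper is expected to compute minOut off-chain from a fresh quote and pass a short deadline, so a held or reordered transaction reverts instead of executing at a manipulated price.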

Severity Issues

  • Critical: none
  • High: 1
  • Medium: 7
  • Low: 5
  • Informational: Several

Audit Period: 3 Days

In conclusion

Three Sigma’s rapid review uncovered no critical bugs but highlighted one high-risk MEV path and a cluster of medium-severity logic flaws tied to tax-based swaps and reward accounting. By removing tax mechanics and tightening swap parameters, Trestle significantly reduced its attack surface. Remaining low-severity items are slated for the next code push, and the team plans a public bug bounty before enabling cross-chain mint/burn on mainnet.

Secure Your Crypto Project Before It’s Too Late. Get in Touch Today.