Introduction
Trestle Protocol connects Celestia’s modular data-availability layer to Ethereum, introducing Wrapped TIA (wTIA) and a permissionless bridge for friction-less liquidity, trading, and application development between the two ecosystems.
Why Did They Need an Audit?
The launch version of Trestle custodies Celestia TIA on Ethereum, mints/burns wTIA, and levies swap-based taxes routed through an on-chain distributor. Failures in access control, slippage safeguards, or reward accounting could lead to unrecoverable asset loss, MEV-driven value extraction, or protocol insolvency. Trestle hired Three Sigma for an intensive review ahead of its public deployment.
Scope of the Engagement
- Files Audited:
Trestle.sol
, wTIA.sol
- Timeline: 7 Feb 2024 – 9 Feb 2024
- Team: 2 auditors · 3 calendar days
- Chain: Ethereum
Audit Date: 2024-01-02
Language: Solidity
Type: Code Audit
Results and Findings
Key High-Severity Issue
Permissionless distribute()
enables zero-slippage sandwiching
- Description: Anyone could call
distribute()
with amountOutMinimum = 0
, forcing a swap at any price and extracting value via MEV. - Resolution: The team disabled tax-based swaps and will gate future reward distributions behind a keeper role.
Notable Medium-Severity Issues
1 - Stuck tokens due to unsafe transfer()
- Description:
reclaimToken()
used raw transfer
, which fails on non-standard ERC-20s and could permanently lock funds. - Recommendation: Use
SafeERC20.safeTransfer()
for all token movements. - Status: Acknowledged; fix planned for v1.1.
2 - Swaps lacked explicit deadline parameter
- Description: Using
block.timestamp
inside the same tx leaves validators a full block to reorder trades up to the minimum-out threshold. - Recommendation: Require a user-supplied
deadline
in addition to amountOutMinimum
. - Status: Addressed by removing swap-tax path.
3 - Taxed sells vulnerable to MEV
- Description: Sells during tax mode set
minimumAmountOut = 0
, exposing users to toxic slippage. - Recommendation: Either disable taxes (chosen) or enforce a non-zero slippage guard.
In conclusion
Three Sigma’s rapid review uncovered no critical bugs but highlighted one high-risk MEV path and a cluster of medium-severity logic flaws tied to tax-based swaps and reward accounting. By removing tax mechanics and tightening swap parameters, Trestle significantly reduced its attack surface. Remaining low-level items are slated for the next code push, and the team plans a public bug-bounty before enabling cross-chain mint/burn on main-net.