Protect your smart contracts and DeFi protocols with Three Sigma, a trusted security partner in blockchain audits, smart contract vulnerability assessments, and Web3 security.
leNFT combines an lssvm-style AMM for NFT trading with a peer-to-pool lending market that lets collectors borrow against their NFTs. A Curve-inspired gauge system further directs LE token emissions toward trading- and lending-pool LPs that lock veLE, aligning project incentives.
Why Did They Need an Audit?
leNFT’s contracts custody user NFTs, fungible tokens, and protocol emissions while running complex flows—AMM swaps, oracle-priced loans, liquidations, vesting, bribes, and gauge accounting. A logic error in fee distribution, oracle math, or upgrade authority could freeze pools or leak collateral. Ahead of main-net launch, leNFT hired Three Sigma for a rapid 6-person-week deep dive.
Scope of the Engagement
Audit Date: 2023-06-10
Language: Solidity
Type: Code Audit
Results and Findings
Key Critical Issue — Rewards Checkpoints Break After First Claim (3S-LENFT-C01)
Description:FeeDistributor.checkpoint() assumes the contract’s token balance never decreases. When a user claimed rewards, _accountedFees stayed unchanged, so the next checkpoint underflowed and reverted—permanently blocking future fee accrual, AMM trades, and lending liquidations that call checkpoint().
Resolution:_accountedFees[token] is now decremented by the claim amount before transfer (leNFT@3a3a6bf).
Notable High-Severity Issue
Gateway grief blocks ETH borrows (3S-LENFT-H01)
Description: Any address could send 1 wei to WETHGateway; subsequent borrows checked weth.balanceOf(this) == amount and reverted forever.
Resolution: The brittle assert() was removed; borrow flow now tolerates dust balances
Severity Issues
critical
high
2
informational
Several
medium
2
low
5
Audit Period
6 PW
Report
Audit Period
6 PW
Severity Issues
critical
high
2
medium
2
low
5
informational
Several
Report
In conclusion
Three Sigma’s 6-week review of leNFT’s AMM, lending, gauge, and auxiliary contracts uncovered a single critical flaw in fee accounting, a gateway-level griefing vector, and several medium logic bugs plus gas optimizations. All identified issues—from re-entrancy patterns to oracle rounding—have been patched or merged. With hardened checkpoints, safer gateway flows, and packed storage structs, leNFT is poised for a more secure main-net debut while maintaining upgrade flexibility through its AddressProvider registry.
Secure Your Crypto Project Before It’s Too Late. Get in Touch Today.
