NFTperp

Introduction

NFTPerp is an open-source DeFi platform enabling users to speculate on the price movements of NFT collections such as Milady and Pudgy Penguins through perpetual futures contracts settled in ETH. The protocol brings deep derivatives infrastructure to the NFT ecosystem, offering leverage, funding rates, and AMM-driven pricing.

Why Did They Need an Audit?

NFTPerp's architecture manages user margin accounts, orchestrates liquidations, and integrates custom AMMs, exposing it to high-risk scenarios including fund mismanagement, order mismatches, and liquidation inconsistencies. Ahead of a major launch on Arbitrum, the NFTPerp team engaged Three Sigma for a full-stack audit covering core trading, margin, and settlement logic to minimize potential vulnerabilities and edge-case behaviors.

Scope of the Engagement

• File Audited: src/ folder
• Auditors: 2 security researchers (8 person-weeks)
• Platform: Arbitrum

Results and Findings

Key Critical Issue

ReduceOnly limit order update does not handle AMM changes – fund loss possible

• Description: In _updateLimitOrder(), switching between AMMs while a reduceOnly order remains active can leave the order linked in an outdated AMM. This desynchronization can cause funds to be lost if the user later closes their position, and the newly created reduce-only order is mistakenly removed.
• Recommendation: Properly handle reduceOnly order linkage across AMMs on updates.

Key High-Severity Issue

Realized PnL not returned to trader after merging liquidation positions

• Description: On _mergeDecrease(), realized PnL from liquidated positions was not added back to marginToRemove(), resulting in lower-than-expected withdrawals and reduced liquidation yields.
• Recommendation: Add += params.rpnl to include the realized PnL in margin computations.

Notable Medium-Severity Issues

1. Revert triggered when AMM liquidity returns low price in _search()

• Description: _getPriceToTick() reverts if the price drops below 1e10, which may occur when _search() incorrectly assumes full order fulfillment on AMM even if liquidity is insufficient.
• Recommendation: Cap minimum return to 1e10 to prevent division-by-zero reverts.

2. Front-running setFundingPeriod() can cause denial-of-service

• Description: setFundingPeriod() calls settleFunding(), which can be front-run, causing the config transaction to revert repeatedly.
• Recommendation: Move to time-proportional funding settlement or avoid immediate funding calls in config updates.

In conclusion

Three Sigma conducted a rigorous 8-week audit of NFTPerp’s derivatives trading infrastructure. We identified one critical and one high-severity vulnerability, both of which have been addressed. Additionally, we surfaced two medium-severity bugs and several low-level and informational concerns.

Overall, NFTPerp shows a solid design in its modular position and order management system, though several edge cases around AMM behavior, liquidity assumptions, and event emission required attention. We recommend maintaining strong testing coverage, especially in areas dealing with order linkage and funding flows, and to continue monitoring for potential governance and front-running vectors post-deployment.