NFTperp Code Audit Report

A decentralized platform for trading perpetual contracts on NFTs and digital assets.


Introduction

NFTPerp is a decentralized platform for trading NFT-based perpetual futures, enabling speculation on the price movements of collections such as Milady and Pudgy Penguins. Built entirely in Solidity and deployed on Arbitrum, the protocol introduces a DeFi-native experience for NFT traders, integrating margin trading, automated market makers (AMMs), and sophisticated position management.

Why Did They Need a Follow-Up Audit?

After completing a comprehensive 8 person-week audit, NFTPerp underwent several iterations and improvements, particularly around the AMMRouter, liquidity provisioning, and margin logic. These new changes warranted a focused follow-up engagement to ensure robustness and security in light of the updated implementation. The client engaged Three Sigma for an additional 2 person-week review.

Scope of the Engagement

  • Files audited: src/ folder
  • Auditors: 2 security researchers (2 person-weeks)
  • Platform: Arbitrum
  • Audit date: 2024-02-02
  • Language: Solidity
  • Type: Code Audit

Results and Findings

Notable Medium-Severity Issues

1. Notional mismatch may cause revert in removeLiquidity()

  • Description: In AmmRouter:removeLiquidity(), subtracting short notional from long notional may revert if short notional exceeds long, due to incorrect directional logic.
  • Recommendation: Use absolute difference between notionals to avoid invalid subtractions.

2. Rounding allows infinite minting of shares with 0 liquidity

  • Description: Due to rounding behavior, users can mint shares with negligible liquidity contributions. This could be abused in a loop to inflate shares and impact pool state.
  • Recommendation: Enforce a minimum notional value when adding liquidity.
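The two liquidity fixes above (absolute difference for the notional imbalance, and a minimum notional on deposit) in a minimal share-accounting pool. This is an added illustration written for this summary, not NFTPerp's AmmRouter code; the contract name, MIN_NOTIONAL value, the longNotional/shortNotional bookkeeping and the use of the imbalance as a withdrawal floor are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not NFTPerp code. Every name and the 1e18 floor are assumptions.
contract LiquidityPool {
    uint256 public constant MIN_NOTIONAL = 1e18; // assumed floor: one whole unit (18 decimals)

    uint256 public totalShares;
    uint256 public totalNotional;  // liquidity backing the shares
    uint256 public longNotional;   // open long exposure, quoted in notional (assumed)
    uint256 public shortNotional;  // open short exposure, quoted in notional (assumed)
    mapping(address => uint256) public shares;

    error NotionalTooSmall(uint256 notional, uint256 minimum);

    /// Finding 2: with no floor, a dust deposit still mints shares while contributing
    /// negligible liquidity, and repeating it in a loop inflates totalShares.
    /// Rejecting anything below MIN_NOTIONAL removes that path.
    function addLiquidity(uint256 notional) external returns (uint256 minted) {
        if (notional < MIN_NOTIONAL) revert NotionalTooSmall(notional, MIN_NOTIONAL);
        minted = totalShares == 0
            ? notional
            : (notional * totalShares) / totalNotional; // rounds down, never in the depositor's favour
        totalShares += minted;
        totalNotional += notional;
        shares[msg.sender] += minted;
    }

    /// Finding 1: `longNotional - shortNotional` reverts on underflow in 0.8.x as soon as
    /// shorts exceed longs. The imbalance is directionless, so take the absolute difference.
    function netImbalance() public view returns (uint256) {
        return longNotional > shortNotional
            ? longNotional - shortNotional
            : shortNotional - longNotional;
    }

    function removeLiquidity(uint256 burn) external returns (uint256 paidOut) {
        shares[msg.sender] -= burn; // reverts if the caller holds fewer shares than `burn`
        paidOut = (burn * totalNotional) / totalShares;
        // Assumed policy for the example: keep enough liquidity to back the open imbalance.
        require(totalNotional - paidOut >= netImbalance(), "withdrawal would uncover open positions");
        totalShares -= burn;
        totalNotional -= paidOut;
    }
}
```

The share formula rounds down on purpose: combined with the floor, a depositor can only ever receive fewer shares than a proportional amount, never more, so the loop described in finding 2 no longer gains anything.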

3. Price deviation bypassable via trade splitting

  • Description: Attackers can bypass the price deviation protection by splitting an order into several smaller trades within the same block, each of which stays inside the per-trade deviation limit.
  • Recommendation: Track and store price from the previous block for deviation validation.
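The recommended fix, written out as an added example rather than NFTPerp's own code: the deviation band is measured against a price snapshot taken from the previous block instead of the price immediately before the current trade, so every chunk of a split order in one block is compared with the same anchor. The contract name, the 5% band, the fixed-point price representation and the `trade()` entry point are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not NFTPerp code. All names and the 500 bps band are assumptions.
contract DeviationGuard {
    uint256 public constant MAX_DEVIATION_BPS = 500; // assumed: 5% relative to the reference

    uint256 public spotPrice;       // current AMM price, 1e18 fixed point (assumed)
    uint256 public lastBlockPrice;  // closing price of the most recent earlier block that traded
    uint256 public lastBlockNumber; // block in which lastBlockPrice was last refreshed

    constructor(uint256 initialPrice) {
        spotPrice = initialPrice;
        lastBlockPrice = initialPrice;
        lastBlockNumber = block.number;
    }

    /// Weak form (the behaviour in finding 3): the reference is the price right before
    /// *this* trade, so each chunk of a split order passes on its own and N chunks can
    /// move the price by roughly N times the band inside a single block.
    function checkDeviationPerTrade(uint256 newPrice) internal view {
        _requireWithinBand(spotPrice, newPrice);
    }

    /// Recommended form: on the first trade of a new block, snapshot the price the previous
    /// block closed at and validate every trade in this block against that fixed anchor.
    function checkDeviationPerBlock(uint256 newPrice) internal {
        if (block.number != lastBlockNumber) {
            lastBlockPrice = spotPrice;
            lastBlockNumber = block.number;
        }
        _requireWithinBand(lastBlockPrice, newPrice);
    }

    function _requireWithinBand(uint256 reference, uint256 candidate) internal pure {
        uint256 diff = reference > candidate ? reference - candidate : candidate - reference;
        // diff / reference <= MAX_DEVIATION_BPS / 10_000, rearranged to avoid division
        require(diff * 10_000 <= reference * MAX_DEVIATION_BPS, "price deviation exceeded");
    }

    /// Hypothetical entry point: `newPrice` stands in for the AMM's post-trade price.
    function trade(uint256 newPrice) external {
        checkDeviationPerBlock(newPrice);
        spotPrice = newPrice;
    }
}
```

Because `lastBlockPrice` only changes when `block.number` advances, nothing a caller does within the current block can move the reference, which is what makes trade splitting ineffective against the per-block check.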

Severity Issues

  • Critical / High: 0
  • Medium: 3
  • Low: 3
  • Informational: 9

Audit Period: 2 person-weeks

In conclusion

This short-cycle review focused on validating recent architectural changes introduced in NFTPerp’s liquidity and routing layers. Three Sigma identified 3 medium-severity issues—all promptly addressed by the development team—and several low and informational findings, mostly related to gas optimizations and consistency checks.

The system continues to demonstrate thoughtful modularity, with clearly defined responsibilities across contracts. While no critical vulnerabilities were found, developers are encouraged to extend coverage into fuzz testing and maintain ongoing scrutiny over rounding, snapshot integrity, and AMM pool state transitions in future updates.
