Tradable

Code Audit

A distributed compute platform offering shared liquidity and omnichain solutions.

Audit Report

Severity Issues

critical
high

5

informational

Several

medium

4

low

6

Audit Period

2 PW

Report

Introduction

Tradable is a non-custodial perpetual exchange that lets users trade low-cap tokens and blue-chips from any blockchain without manual bridging. A unified liquidity layer (> $35 B stablecoins) and shareable trading “rooms” aim to create a social, creator-friendly derivatives venue.

Why Did They Need an Audit?

Tradable’s core contracts—margin vaults, staking, multi-chain settings, and LayerZero message adapters—coordinate cross-chain collateral, liquidations, and reward flows. Faulty accounting or messaging would jeopardize user funds and fragment liquidity across side-vaults. Tradable hired Three Sigma for a 2-person-week deep dive ahead of its testnet → mainnet transition.

Scope of the Engagement

Audit Date: 2023-06-09

Language: Solidity

Type: Code Audit

Results and Findings

Key Critical Issues

Broken rewards accounting in TradableStaking

  • Description: previousRewardPerToken was left un-initialised for new stakes. First-time claimers therefore received all accumulated rewards, corrupting the global pool.
  • Recommendation / Status: Initialise the field on deposit (or embed it in Stake struct) and add unit tests. The team acknowledged and plans a full rewrite before re-audit.
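
The accounting failure described above, reproduced in a small Python model. This is an added example, not Tradable's Solidity code and not part of the audit. The class, its method names and the alice/bob scenario are assumptions; only the field name previousRewardPerToken comes from the report.

```python
from dataclasses import dataclass, field

PRECISION = 10**18  # fixed-point scale, as commonly used in Solidity reward math


@dataclass
class StakingModel:
    """Simplified reward-per-token pool (hypothetical model of the finding)."""
    init_on_stake: bool                 # True = recommended fix applied
    total_shares: int = 0
    reward_per_token: int = 0           # cumulative rewards per share, scaled
    shares: dict = field(default_factory=dict)
    previous_reward_per_token: dict = field(default_factory=dict)
    paid_out: int = 0

    def distribute(self, amount: int) -> None:
        # Rewards are spread over the shares staked at this moment.
        if self.total_shares:
            self.reward_per_token += amount * PRECISION // self.total_shares

    def stake(self, user: str, amount: int) -> None:
        # The model allows one stake per user to keep the scenario small.
        self.shares[user] = amount
        self.total_shares += amount
        if self.init_on_stake:
            # Fix: snapshot the accumulator so earlier rewards are excluded.
            self.previous_reward_per_token[user] = self.reward_per_token
        # Bug: with no snapshot the field reads as 0, like an unset storage slot.

    def claim(self, user: str) -> int:
        prev = self.previous_reward_per_token.get(user, 0)
        owed = self.shares[user] * (self.reward_per_token - prev) // PRECISION
        self.previous_reward_per_token[user] = self.reward_per_token
        self.paid_out += owed
        return owed


def run_scenario(init_on_stake: bool):
    """Constructed scenario: 1000 reward tokens are distributed before bob stakes."""
    pool = StakingModel(init_on_stake)
    pool.stake("alice", 100)
    pool.distribute(1000)      # only alice is staked here
    pool.stake("bob", 100)     # bob joins after the distribution
    return pool.claim("bob"), pool.claim("alice"), pool.paid_out


if __name__ == "__main__":
    print("uninitialised:", run_scenario(False))
    print("initialised:  ", run_scenario(True))
```

In the uninitialised run the pool pays out more than was ever distributed, which is the kind of invariant (total paid out never exceeds total distributed) the recommended unit tests should assert.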

Shares mis-accounted in TradableStaking

  • Description: Inside _stake() a typo stores shares: uint64(shares)—the global share count—in the new Stake instead of userShares. The event StakeValidated emits the same wrong value.
  • Recommendation: Replace the argument with uint64(userShares) both in the struct and event, then regression-test multi-user stake / unstake flows.

In conclusion

Three Sigma’s 2-week review uncovered four critical flaws in Tradable’s staking, margin, and cross-chain messaging flows, plus a high-risk side-vault bug and several medium logic gaps. Because fixes touch core accounting and LayerZero payload formats, we recommend a follow-up audit after patches and expanded test coverage. Once addressed, Tradable will possess a sturdier foundation for its multi-chain perpetuals vision.
