Ostium Labs

Code Audit

A leveraged trading platform using Ethereum Layer 2 for settlement.

Audit Report

Introduction

Ostium is a decentralized perpetuals exchange purpose-engineered for Real World Assets (RWAs). Leveraging a stablecoin-settled engine, proprietary oracle feeds, and a dynamic fee structure, it enables fully onchain, synthetic trading of traditional commodities like crude oil, soybeans, and natural gas.

Why Did They Need an Audit?

Following its initial deployment, Ostium introduced several post-launch upgrades affecting collateral management, PnL calculation, and risk enforcement logic. These changes, particularly to leverage control and rounding behaviour, had direct security implications for open positions. Ostium engaged Three Sigma for a 1.2-person-week review focused on these diffs, to confirm the patches could be rolled out safely without interrupting onchain trading.

Scope of the Engagement

Audit Date: 2024-12-25

Language: Solidity

Type: Code Audit

Results and Findings

Key High-Severity Issue

Leverage abuse via multiple removeCollateral() calls

  • Description: OstiumTrading let a user submit several removeCollateral() requests without checking for a removal that was already pending, and handleRemoveCollateral() did not verify that the position's leverage stayed within the protocol cap once the collateral was actually deducted. A trader could therefore strip nearly all collateral from an open position while keeping its full notional exposure, holding an extremely leveraged trade with almost nothing at risk.
  • Resolution: Added checks for pending removals and ensured resulting leverage does not exceed the protocol maximum during fulfillment.
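The request/fulfil pattern behind this finding, as an added example that is not Ostium's code: an integer model of collateral removal with the vulnerable flow beside the hardened one. The leverage cap, position sizes and function names are assumptions for illustration, not the protocol's real parameters.

```python
# Added example (not Ostium's code): an integer model of a request/fulfil
# collateral-removal flow. MAX_LEVERAGE, the amounts and the function names are
# assumed for illustration; the real limits are not given on the page.

MAX_LEVERAGE = 100  # assumed protocol cap (100x)


class TradeError(Exception):
    """Stands in for a revert."""


def exceeds_max_leverage(position_size, collateral):
    # leverage = position_size / collateral. Comparing products instead of
    # dividing keeps integer semantics and rejects collateral == 0 (infinite
    # leverage) instead of dividing by zero.
    return collateral == 0 or position_size > MAX_LEVERAGE * collateral


class Position:
    def __init__(self, collateral, leverage):
        self.collateral = collateral
        self.position_size = collateral * leverage  # notional exposure, unchanged by removals
        self.pending = []                           # queued removal amounts awaiting fulfilment


# Vulnerable flow: each request is checked against the *current* collateral,
# ignoring removals already queued, and fulfilment never re-checks leverage.
def request_removal_vulnerable(pos, amount):
    if amount > pos.collateral or exceeds_max_leverage(pos.position_size, pos.collateral - amount):
        raise TradeError("request would exceed max leverage")
    pos.pending.append(amount)  # nothing stops a second, third, ... request


def fulfil_vulnerable(pos):
    for amount in pos.pending:
        pos.collateral -= amount  # applied blindly
    pos.pending.clear()


# Hardened flow: one pending removal at a time, and the leverage that will
# result is verified again at fulfilment against the state at that moment.
def request_removal_hardened(pos, amount):
    if pos.pending:
        raise TradeError("a removal is already pending")
    if amount > pos.collateral or exceeds_max_leverage(pos.position_size, pos.collateral - amount):
        raise TradeError("request would exceed max leverage")
    pos.pending.append(amount)


def fulfil_hardened(pos):
    for amount in pos.pending:
        new_collateral = pos.collateral - amount
        if exceeds_max_leverage(pos.position_size, new_collateral):
            raise TradeError("fulfilment would exceed max leverage")
        pos.collateral = new_collateral
    pos.pending.clear()


def demo_vulnerable():
    pos = Position(collateral=1000, leverage=10)  # 10,000 notional at 10x
    request_removal_vulnerable(pos, 500)  # 1000 - 500 = 500 left -> 20x, accepted
    request_removal_vulnerable(pos, 450)  # checked against 1000, not 500 -> accepted
    fulfil_vulnerable(pos)
    return pos.collateral, pos.position_size  # (50, 10000): 200x, double the cap


def demo_hardened_request():
    pos = Position(collateral=1000, leverage=10)
    request_removal_hardened(pos, 500)
    try:
        request_removal_hardened(pos, 450)
    except TradeError as err:
        return str(err)
    return "second request accepted"


def demo_hardened_fulfilment():
    # Even if two requests somehow reached the queue, fulfilment stops the second.
    pos = Position(collateral=1000, leverage=10)
    pos.pending = [500, 450]
    try:
        fulfil_hardened(pos)
    except TradeError as err:
        return str(err)
    return "fulfilled"


if __name__ == "__main__":
    print(demo_vulnerable())
    print(demo_hardened_request())
    print(demo_hardened_fulfilment())
```

The two checks are independent on purpose: the pending-removal guard closes the race between requests, while the re-check at fulfilment protects against any change to collateral or position size between request and execution, which is what makes the second guard worth keeping even once the first is in place.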

Notable Medium-Severity Issue

Rounding enables dust trades below minimum leverage

  • Description: When a trade was closed with a closePercentage just below 100%, integer rounding produced remainingCollateral = 0, and the minimum-leverage check was skipped whenever the remaining collateral was zero. Users could therefore leave behind dust positions that violate the protocol's leverage bounds. Individually worthless, such positions could accumulate over time and strain platform invariants.
  • Resolution: Revised the condition so that the leverage check is skipped only when closePercentage == 100% exactly.
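The rounding path above, as an added example that is not Ostium's code: an integer model of a partial close in which collateral and notional are each floored independently, so a 99.99% close leaves zero collateral backing a non-zero notional. The percentage precision, leverage bounds and function names are assumptions for illustration.

```python
# Added example (not Ostium's code): integer model of a partial close showing
# how rounding produced a dust position and how the corrected condition stops it.
# PCT_PRECISION, MIN/MAX_LEVERAGE and the function names are assumed for illustration.

PCT_PRECISION = 10_000  # assumed: 2-decimal percentages, 10_000 == 100.00%
MIN_LEVERAGE = 2        # assumed bounds, not Ostium's actual parameters
MAX_LEVERAGE = 100


class TradeError(Exception):
    """Stands in for a revert."""


def check_leverage(position_size, collateral):
    # Rejects collateral == 0 and any leverage outside [MIN, MAX], using
    # products rather than division so the integer semantics stay exact.
    if (collateral == 0
            or position_size < MIN_LEVERAGE * collateral
            or position_size > MAX_LEVERAGE * collateral):
        raise TradeError("remaining position outside leverage bounds")


def remaining_after_close(collateral, position_size, close_pct):
    # Solidity-style unsigned arithmetic: both results floor toward zero independently.
    keep = PCT_PRECISION - close_pct
    return collateral * keep // PCT_PRECISION, position_size * keep // PCT_PRECISION


def partial_close_vulnerable(collateral, position_size, close_pct):
    rem_collateral, rem_size = remaining_after_close(collateral, position_size, close_pct)
    if rem_collateral == 0:
        # Treated as "nothing left", so the leverage check is skipped even
        # though close_pct < 100% and a non-zero notional may remain.
        return rem_collateral, rem_size
    check_leverage(rem_size, rem_collateral)
    return rem_collateral, rem_size


def partial_close_fixed(collateral, position_size, close_pct):
    if close_pct == PCT_PRECISION:
        return 0, 0  # a full close is the only case with nothing left to check
    rem_collateral, rem_size = remaining_after_close(collateral, position_size, close_pct)
    check_leverage(rem_size, rem_collateral)  # zero collateral now reverts
    return rem_collateral, rem_size


def demo_dust_position():
    # 5,000 collateral at 10x, closing 99.99%: collateral floors to 0 while
    # 5 units of notional survive, i.e. a position with unbounded leverage.
    return partial_close_vulnerable(5_000, 50_000, 9_999)


def demo_fixed_rejects_dust():
    try:
        partial_close_fixed(5_000, 50_000, 9_999)
    except TradeError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print(demo_dust_position())       # (0, 5)
    print(demo_fixed_rejects_dust())  # reverts
    print(partial_close_fixed(5_000, 50_000, 5_000))  # ordinary 50% close
```

The general lesson is that "remaining collateral is zero" and "the user asked for a full close" are different conditions once integer division is involved; only the latter justifies skipping an invariant check.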

Notable Low-Severity Observation

Max profit cap bypass due to leverage increase

  • Description: The currentPercentProfit() function capped profit at maxPnlP = 900, i.e. 900% of collateral (a tenfold return). Once leverage became adjustable upwards on an open trade, however, the cap was applied before the new leverage was factored in, so a user could realise profit above it and break an economic bound the protocol had previously enforced.
  • Resolution: Final profit is now clamped after the new leverage is applied, so PnL stays within the protocol-defined bound.
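The ordering problem above, as an added example that is not Ostium's code: a model of a 900% profit cap applied before versus after a post-trade leverage increase. The vulnerable ordering (clamp at the old leverage, then rescale) is an assumption chosen to be consistent with the fix described, and the prices, leverages and function names are for illustration only.

```python
# Added example (not Ostium's code): profit cap applied before vs. after a
# leverage increase. The vulnerable ordering, the prices and the function
# names are assumptions for illustration; only the 900% cap comes from the page.

MAX_PNL_P = 900  # from the page: profit capped at 900% of collateral
PCT = 100        # percentages as plain integers


def raw_percent_profit(open_price, current_price, leverage, is_long):
    # Unrealised PnL in percent of collateral; negative for a loss.
    diff = current_price - open_price if is_long else open_price - current_price
    return diff * leverage * PCT // open_price


def clamp_profit(percent):
    # Only the upside is capped here; the downside is bounded by liquidation elsewhere.
    return min(percent, MAX_PNL_P)


def profit_after_leverage_change_vulnerable(open_price, current_price, old_lev, new_lev, is_long):
    # Clamp at the old leverage, then rescale to the new one: the rescaling undoes the cap.
    capped = clamp_profit(raw_percent_profit(open_price, current_price, old_lev, is_long))
    return capped * new_lev // old_lev


def profit_after_leverage_change_fixed(open_price, current_price, old_lev, new_lev, is_long):
    # Recompute at the new leverage, then clamp: the cap holds whatever the leverage.
    return clamp_profit(raw_percent_profit(open_price, current_price, new_lev, is_long))


def payout(collateral, percent_profit):
    # Collateral returned plus profit; at the cap this is 10x the collateral.
    return collateral + collateral * percent_profit // PCT


def demo():
    # Long opened at 100, price now 200 (+100%), leverage raised from 10x to 20x.
    args = (100, 200, 10, 20, True)
    return (
        profit_after_leverage_change_vulnerable(*args),  # 1800: above the cap
        profit_after_leverage_change_fixed(*args),       # 900: cap respected
    )


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print(vulnerable, payout(1_000, vulnerable))  # 1800 19000
    print(fixed, payout(1_000, fixed))            # 900 10000
```

A clamp is only as good as its position in the data flow: any later operation that scales the clamped value (here the leverage ratio) reopens the bound, so the clamp must be the last step before the value is used for settlement.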

Severity Issues

  • Critical: none reported
  • High: 1
  • Medium: 1
  • Low: 1
  • Informational: 0

Audit Period: 1.2 person-weeks

In conclusion

Three Sigma conducted a 1.2-person-week diff-focused audit of Ostium's 2,010 nSLOC upgrade, identifying one high-severity leverage bypass, one medium-severity dust-position flaw, and one low-severity PnL cap bypass. All issues were addressed prior to deployment. These fixes reinforce Ostium's commitment to maintaining strict economic safety guarantees even as protocol logic evolves in production.