How Softstack helped an RWA Platform Reach Zero Open Findings
Client: Trusset
Project: Tokenized Asset Infrastructure
Industry: RWA / Blockchain
Service: Smart Contract Audit
Tokenizing real-world assets sounds simple in a pitch deck and is anything but in production. The moment securities, commodities, and credit live on the same rails, a single smart-contract suite has to satisfy securities law, custody policy, lending economics, and ERC-20 plumbing at the same time, and a single mistake can cascade across all of them. That is the problem Trusset is solving from Berlin, and it is the problem softstack was engaged to harden.
This article summarises what was audited, how the review was conducted, and what the headline outcomes were.
The Trusset Core Protocol spans six smart contract suites built from four distinct codebases, all written in Solidity and deployed as UUPS-upgradeable contracts on top of OpenZeppelin’s upgradeable libraries. Upgrades require both Trusset (platform authority) and the issuer to agree, separating platform and issuer control.
The audited scope:
– Stock Token License — ERC-3643 security tokens with KYC/AML identity registry integration, corporate actions, sub-issuer controls, and a force-transfer path for compliance interventions.
– Stock Lending — overcollateralized lending markets on the stock tokens, with interest rate model, price oracle, insurance fund, Dutch-auction liquidations, and a shared liquidation router.
– Commodity Token License — ERC-20 commodity tokens with reserve-enforced minting, a primary market sale module, and configurable physical or cash redemption.
– Commodity Orderbook License — hybrid custody for commodity-token trading with off-chain matching, on-chain settlement, batch trades, and liquidation routing under token-enforced compliance.
Two additional suites were covered by reference because they share audited codebases: the Commodity Token Lending suite shares the Stock Lending codebase, and the Stock Orderbook License shares the Commodity Orderbook codebase. Every finding and mitigation in this audit applies equally to the paired suites.
Softstack ran the engagement across roughly five weeks (kickoff 09.04.2026, final document 11.05.2026), using the same methodology it applies to regulated financial infrastructure clients:
Headline results
Across the Core Protocol, 17 issues were identified, and all 17 were resolved:
– 10 high severity, all resolved
– 5 medium severity, all resolved
– 2 low severity, all resolved
No item was left open, and no item was closed as “acknowledged without fix”. For a stack of this size and regulatory ambition, that is the strongest possible outcome.
– Signature malleability and double-mint surface eliminated. Raw `ecrecover` in `CommodityTokenUpgradeable.executeMintRequestConditional` was replaced with OpenZeppelin’s `ECDSA.recover` and canonical `s`/`v` checks. This closes a path where a malleated signature could have been replayed to mint the same request twice.
– ERC-20 transfers hardened with SafeERC20. `CommodityCustody`, the Commodity Token Sale, and related payout paths previously used raw `IERC20.transfer` / `transferFrom` and assumed a bool return — a pattern that breaks against non-conforming tokens such as older USDT-style implementations. All paths now go through `SafeERC20`, with explicit failure semantics.
– Dutch-auction stale-price risk removed. Both H-05 and M-01 dealt with auctions settling against snapshots taken at creation. The settlement path now re-prices against the latest validated oracle reading and guards against divergence beyond a configured tolerance, closing a systemic bad-debt vector.
– Oracle replay shut down. `StockPriceOracle.updatePriceWithSignature` now enforces monotonic timestamps and rejects regressions, so previously-signed price messages cannot be replayed to reintroduce stale prices.
– Sub-issuer accounting stays in sync across stock splits. `stockSplit` now updates `_subIssuerMinted` and `_subIssuerCap` in lockstep with holder balances, so sub-issuers cannot be silently blocked from redeeming or issuing after a split.
– Settlement operator de-risked at the deployment layer. Per M-02, the `settlementOperator` on `CommodityCustody` was migrated from a single EOA to a multisig wallet combined with a timelock controller, with the change applied at the deployment level rather than via contract-code rewrite.
– `removeLiquidity()` is now gated by `whenNotPaused`. This closes an LP bank-run path during emergency pauses in `StockLendingMarket`.
– `emergencyWithdraw()` gated by timelock. The Stock Insurance Fund withdrawal path now requires an announce-then-execute flow with a 48-hour delay, with explicit caps and event logging.
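To make the first finding concrete, here is an added illustrative contract (not Trusset's code and not taken from the audit report) showing why a mint request whose replay check is keyed on the signature bytes can be consumed twice with a malleated signature, beside the hardened form that recovers through OpenZeppelin's `ECDSA.recover` and keys the replay check on the request digest. The contract name, the `_digest` layout and the `requestId` field are assumptions for the example; it assumes OpenZeppelin 5.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

/// Illustrative pattern only (not Trusset's code). A signed mint request consumed by
/// its *signature* bytes can be replayed with a malleated copy of the same signature;
/// keying the replay check on the request digest and recovering via ECDSA.recover closes it.
contract SignedMintExample {
    address public immutable signer;
    mapping(bytes32 => bool) private _usedSignature; // replay key in the vulnerable path
    mapping(bytes32 => bool) private _usedRequest;   // replay key in the hardened path
    event Minted(address indexed to, uint256 amount, bytes32 requestId);
    constructor(address signer_) { require(signer_ != address(0)); signer = signer_; }

    // Domain-bound digest: contract, chain, recipient, amount and a unique request id.
    function _digest(address to, uint256 amount, bytes32 requestId) internal view returns (bytes32) {
        return keccak256(abi.encode(address(this), block.chainid, to, amount, requestId));
    }

    // Vulnerable: raw ecrecover plus a replay key derived from the signature bytes.
    // For a valid (r, s, v), (r, n - s, v ^ 1) recovers the same signer but hashes to a
    // different sigKey, so the "already used" check passes a second time.
    function mintVulnerable(address to, uint256 amount, bytes32 requestId, bytes calldata sig) external {
        bytes32 sigKey = keccak256(sig);
        require(!_usedSignature[sigKey], "signature used");
        (bytes32 r, bytes32 s, uint8 v) = _split(sig);
        require(ecrecover(_digest(to, amount, requestId), v, r, s) == signer, "bad signature");
        _usedSignature[sigKey] = true;
        emit Minted(to, amount, requestId);
    }

    // Hardened: ECDSA.recover reverts on high-s values and on anything that does not
    // recover to a valid address, and the replay key is the digest, which no signature
    // variant can change.
    function mintHardened(address to, uint256 amount, bytes32 requestId, bytes calldata sig) external {
        bytes32 digest = _digest(to, amount, requestId);
        require(!_usedRequest[digest], "request already minted");
        require(ECDSA.recover(digest, sig) == signer, "bad signature");
        _usedRequest[digest] = true;
        emit Minted(to, amount, requestId);
    }

    function _split(bytes calldata sig) private pure returns (bytes32 r, bytes32 s, uint8 v) {
        require(sig.length == 65, "bad length");
        r = bytes32(sig[0:32]);
        s = bytes32(sig[32:64]);
        v = uint8(sig[64]);
    }
}
```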
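The SafeERC20 and timelocked-withdrawal items above combine naturally in one pattern, shown here as an added example that is not the Stock Insurance Fund's code: an announce-then-execute emergency withdrawal with a 48-hour delay, a per-withdrawal cap re-checked at execution, events at every step, and payout through `SafeERC20`. The contract name, the basis-point cap and the single-pending-request design are assumptions for the example; it assumes OpenZeppelin 5.x (`Ownable` takes an initial owner).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative pattern only (not the Stock Insurance Fund's code): an emergency withdrawal
/// that is announced on-chain, waits out 48 hours, is capped, and pays out via SafeERC20.
contract TimelockedWithdrawExample is Ownable {
    using SafeERC20 for IERC20;
    uint256 public constant DELAY = 48 hours;
    IERC20 public immutable asset;
    uint256 public immutable capBps; // max share of balance per withdrawal, basis points
    struct Pending { address to; uint256 amount; uint64 executableAt; }
    Pending public pending;          // one queued withdrawal at a time keeps monitoring simple
    event WithdrawAnnounced(address indexed to, uint256 amount, uint64 executableAt);
    event WithdrawCancelled(address indexed to, uint256 amount);
    event WithdrawExecuted(address indexed to, uint256 amount);

    constructor(IERC20 asset_, uint256 capBps_, address owner_) Ownable(owner_) {
        require(capBps_ <= 10_000, "cap > 100%");
        asset = asset_;
        capBps = capBps_;
    }
    function maxWithdrawable() public view returns (uint256) {
        return asset.balanceOf(address(this)) * capBps / 10_000;
    }
    // Step 1: announce. Nothing moves yet; watchers get DELAY to react or the owner to cancel.
    function announceWithdraw(address to, uint256 amount) external onlyOwner {
        require(pending.executableAt == 0, "already pending");
        require(to != address(0) && amount <= maxWithdrawable(), "invalid or over cap");
        pending = Pending(to, amount, uint64(block.timestamp + DELAY));
        emit WithdrawAnnounced(to, amount, pending.executableAt);
    }
    function cancelWithdraw() external onlyOwner {
        Pending memory p = pending;
        require(p.executableAt != 0, "nothing pending");
        delete pending;
        emit WithdrawCancelled(p.to, p.amount);
    }
    // Step 2: execute only after the delay; the cap is re-checked against the current balance.
    function executeWithdraw() external onlyOwner {
        Pending memory p = pending;
        require(p.executableAt != 0 && block.timestamp >= p.executableAt, "delay not elapsed");
        require(p.amount <= maxWithdrawable(), "over cap at execution");
        delete pending;                       // effects before interaction
        asset.safeTransfer(p.to, p.amount);   // reverts on false-returning or non-conforming tokens
        emit WithdrawExecuted(p.to, p.amount);
    }
}
```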
For a regulated tokenization platform, three things have to hold simultaneously: transfers must always respect compliance, credit must always respect collateral, and custody must always respect balances. Trusset’s architecture binds those three layers through a shared identity registry, a shared liquidation router, and a shared upgrade-governance model — which means that auditing them in isolation would have missed the most interesting bugs. Reviewing all four codebases under a single configuration is what allowed softstack to surface findings like sub-issuer accounting drift after stock splits and silent-catch fund misrouting in the custody-to-lending callback — issues that only manifest at the boundary.
Reaching a zero-open-issues state across ten high-severity items is the result of a disciplined engineering team. It is also the kind of audit posture that institutional clients, custodians, and regulators expect from anyone building credit and trading rails for real-world assets in 2026.
Softstack GmbH is a European cybersecurity and software development company headquartered in Flensburg, Germany, and founded in 2017. The firm provides smart contract audits, blockchain security reviews, Web3 penetration testing, digital asset risk assessments, and security consulting for DeFi protocols, stablecoin issuers, enterprises, custodians, banks, and regulated digital asset institutions. softstack is ISO 27001 certified and has completed 1,200+ audits across 20+ chains, securing more than $100B in TVL with zero known post-audit exploits.
Full audit report on Github