Inside the Trusset Core Protocol Audit

How Softstack helped an RWA Platform Reach Zero Open Findings

Trusset Core Protocol Audit

Client

Trusset

Project

Tokenized Asset Infrastructure

Industry 

RWA / Blockchain

Service

Smart Contract Audit

Tokenizing real-world assets sounds simple in a pitch deck and is anything but in production. The moment securities, commodities, and credit live on the same rails, a single smart-contract suite has to satisfy securities law, custody policy, lending economics, and ERC-20 plumbing at the same time, and a single mistake can cascade across all of them. That is the problem Trusset is solving from Berlin, and it is the problem softstack was engaged to harden.

This article summarises what was audited, how the review was conducted, and what the headline outcomes were.

Scope of the audit

The Trusset Core Protocol spans six smart contract suites built from four distinct codebases, all written in Solidity and deployed as UUPS-upgradeable contracts on top of OpenZeppelin’s upgradeable libraries. Upgrades require both Trusset (platform authority) and the issuer to agree, separating platform and issuer control.

The audited scope:

Stock Token License — ERC-3643 security tokens with KYC/AML identity registry integration, corporate actions, sub-issuer controls, and a force-transfer path for compliance interventions.

Stock Lending — overcollateralized lending markets on the stock tokens, with interest rate model, price oracle, insurance fund, Dutch-auction liquidations, and a shared liquidation router.

Commodity Token License — ERC-20 commodity tokens with reserve-enforced minting, a primary market sale module, and configurable physical or cash redemption.

Commodity Orderbook License — hybrid custody for commodity-token trading with off-chain matching, on-chain settlement, batch trades, and liquidation routing under token-enforced compliance.

Two additional suites were covered by reference because they share audited codebases: the Commodity Token Lending suite shares the Stock Lending codebase, and the Stock Orderbook License shares the Commodity Orderbook codebase. Every finding and mitigation in this audit applies equally to the paired suites.

How the audit was conducted

Softstack ran the engagement over roughly five weeks (kickoff 9 April 2026, final report 11 May 2026), using the same methodology it applies to regulated financial infrastructure clients:

  1. Threat modelling — mapping the trust boundaries between issuers, sub-issuers, the Trusset DAO, oracles, lending markets, custody, settlement operators, and end investors, with explicit attention to MiCA and eWpG-aligned obligations.
  2. Manual code review — line-by-line analysis of every in-scope `.sol` file across the four codebases, with a focus on access control, upgradeability, compliance enforcement on every transfer path, oracle freshness and replay protection, lending and liquidation invariants, ERC-20 transfer robustness, signature handling, and checks-effects-interactions (CEI) adherence.
  3. Automated security testing — static analysis and lint-style checks across all in-scope contracts, plus reproducible proof-of-concept tests for every High and Medium-severity finding.
  4. Claim verification — independent testing of the eight Trusset security claims covering access control, compliance enforcement, upgradeability safety, oracle integration, lending and liquidation safety, custody and settlement integrity, ERC-20 robustness, and general security.
  5. Remediation round — re-check against the final audited commits across the four production repositories (`trusset-stock-token-license`, `trusset-stock-lending`, `trusset-commodity-token-license`, `trusset-commodity-orderbook-license`).

Headline results

Across the Core Protocol, 17 issues were identified, and all 17 were resolved:

10 high severity, all resolved

5 medium severity, all resolved

2 low severity, all resolved

No item was left open, and no item was closed as “acknowledged without fix”. For a stack of this size and regulatory ambition, that is the strongest possible outcome.

Notable Fixes

Signature malleability and double-mint surface eliminated. Raw `ecrecover` in `CommodityTokenUpgradeable.executeMintRequestConditional` was replaced with OpenZeppelin's `ECDSA.recover`, which rejects high-`s` values and non-canonical `v` and reverts on a zero recovered address instead of returning it. This closes a path where a malleated twin of a valid signature, which still recovers to the same signer, could have been replayed to mint the same request twice.
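To make the malleability point concrete, here is an added, hypothetical mint-request flow in its pre-fix and post-fix forms. It is illustration written for this article, not Trusset's contract code, and it assumes OpenZeppelin 5.x import paths (`ECDSA`, `MessageHashUtils`); the contract and function names are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Hypothetical mint-request contract showing the pre-fix pattern. Not Trusset's code.
contract MintRequestVulnerable {
    address public immutable signer;
    mapping(address => uint256) public balanceOf;
    mapping(bytes32 => bool) public usedSignature; // replay guard keyed on signature bytes (the flaw)

    constructor(address signer_) { signer = signer_; }

    function executeMintRequest(address to, uint256 amount, uint256 requestId, bytes calldata sig) external {
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            keccak256(abi.encode(address(this), to, amount, requestId))));
        (bytes32 r, bytes32 s, uint8 v) = _split(sig);
        // ecrecover accepts (v, r, s) and its malleated twin (the other of 27/28, r, n - s)
        // for the same digest and key, and returns address(0) instead of reverting on garbage.
        require(ecrecover(digest, v, r, s) == signer, "bad signature");
        bytes32 sigHash = keccak256(sig);
        require(!usedSignature[sigHash], "signature already used");
        usedSignature[sigHash] = true; // the twin hashes differently, so the request mints twice
        balanceOf[to] += amount;
    }

    function _split(bytes calldata sig) internal pure returns (bytes32 r, bytes32 s, uint8 v) {
        require(sig.length == 65, "bad signature length");
        r = bytes32(sig[0:32]);
        s = bytes32(sig[32:64]);
        v = uint8(sig[64]);
    }
}

/// Same flow after the fix: canonical-signature recovery plus a nonce keyed on the request itself.
contract MintRequestHardened {
    using ECDSA for bytes32;
    using MessageHashUtils for bytes32;

    address public immutable signer;
    mapping(address => uint256) public balanceOf;
    mapping(bytes32 => bool) public consumed; // keyed on the request, so no signature form can re-run it

    constructor(address signer_) { signer = signer_; }

    function executeMintRequest(address to, uint256 amount, uint256 requestId, bytes calldata sig) external {
        bytes32 requestHash = keccak256(abi.encode(address(this), block.chainid, to, amount, requestId));
        require(!consumed[requestHash], "request already executed");
        consumed[requestHash] = true; // effect recorded before the mint (checks-effects-interactions)
        // ECDSA.recover reverts when s is above half the curve order, when v is outside {27, 28},
        // and when recovery yields address(0); the high-s twin is rejected outright.
        address recovered = requestHash.toEthSignedMessageHash().recover(sig);
        require(recovered == signer, "bad signature");
        balanceOf[to] += amount;
    }
}
```

The request-keyed `consumed` mapping is the half of the fix that survives any future signature-encoding surprise: once a request hash is marked spent, no alternative encoding of a valid signature can execute it again, and the chain id in the hash stops a signed request from being replayed on a fork or test network.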

ERC-20 transfers hardened with SafeERC20. `CommodityCustody`, the Commodity Token Sale, and related payout paths previously used raw `IERC20.transfer` / `transferFrom` and assumed a bool return — a pattern that breaks against non-conforming tokens such as older USDT-style implementations. All paths now go through `SafeERC20`, with explicit failure semantics.
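The two failure modes behind that finding are easy to reproduce. The following is an added illustration, not code from the audited repositories: two constructed stand-in tokens, a payout function written the raw way, and the same function through `SafeERC20` (OpenZeppelin 5.x paths assumed; all names are invented).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Constructed stand-in for an older USDT-style token: transfer() returns nothing.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() { balanceOf[msg.sender] = 1_000_000 * 1e6; }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

/// Constructed stand-in for a token that signals failure with `false` instead of reverting.
contract FalseReturnToken {
    function transfer(address, uint256) external pure returns (bool) { return false; }
}

/// Payout path written the pre-fix way (hypothetical, not Trusset's code).
contract PayoutRaw {
    function pay(IERC20 token, address to, uint256 amount) external {
        // Against NoReturnToken this call reverts: the ABI decoder expects 32 bytes of return
        // data for the bool and finds none, so the payout path is unusable for that token.
        // Against FalseReturnToken the call returns false; a caller that omits the require
        // below records a payout that never moved any funds.
        bool ok = token.transfer(to, amount);
        require(ok, "transfer failed");
    }
}

/// Same payout through SafeERC20.
contract PayoutSafe {
    using SafeERC20 for IERC20;

    function pay(IERC20 token, address to, uint256 amount) external {
        // safeTransfer issues a low-level call, requires that it did not revert, treats empty
        // return data as success, and reverts if the token explicitly returns false.
        token.safeTransfer(to, amount);
    }
}
```

Calling `PayoutRaw.pay(IERC20(address(new NoReturnToken())), ...)` reverts on every attempt, while `PayoutSafe.pay` with the same token succeeds; against `FalseReturnToken` both revert, but only because `PayoutRaw` remembered the `require`, which is exactly the step the audit found missing on some paths.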

Dutch-auction stale-price risk removed. Both H-05 and M-01 dealt with auctions settling against snapshots taken at creation. The settlement path now re-prices against the latest validated oracle reading and guards against divergence beyond a configured tolerance, closing a systemic bad-debt vector.

Oracle replay shut down. `StockPriceOracle.updatePriceWithSignature` now enforces monotonic timestamps and rejects regressions, so previously-signed price messages cannot be replayed to reintroduce stale prices.
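The two oracle-related fixes above (monotonic signed updates, and auctions that re-price at settlement with a divergence guard) fit in one added sketch. This is illustrative code written for this article, not Trusset's `StockPriceOracle` or auction contracts; it assumes OpenZeppelin 5.x import paths, a 15-minute staleness bound, a 5% divergence tolerance, and a linear discount curve, all of which are invented parameters.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ECDSA} from "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";
import {MessageHashUtils} from "@openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

/// Signed push oracle with monotonic timestamps (hypothetical, not Trusset's StockPriceOracle).
contract SignedPriceOracle {
    using ECDSA for bytes32;
    using MessageHashUtils for bytes32;

    address public immutable reporter;
    uint256 public constant MAX_AGE = 15 minutes; // assumed staleness bound for consumers
    uint256 public price;      // 18-decimal quote currency per unit
    uint256 public updatedAt;  // reporter timestamp of the stored price

    event PriceUpdated(uint256 price, uint256 timestamp);

    constructor(address reporter_) { reporter = reporter_; }

    function updatePriceWithSignature(uint256 newPrice, uint256 timestamp, bytes calldata sig) external {
        // Monotonic timestamps: a message the reporter signed last week is still a valid
        // signature, but it can no longer move the oracle backwards to the stale price it carries.
        require(timestamp > updatedAt, "stale or replayed update");
        require(timestamp <= block.timestamp, "timestamp in the future");
        require(newPrice > 0, "zero price");
        bytes32 digest = keccak256(abi.encode(address(this), block.chainid, newPrice, timestamp))
            .toEthSignedMessageHash();
        require(digest.recover(sig) == reporter, "bad reporter signature");
        price = newPrice;
        updatedAt = timestamp;
        emit PriceUpdated(newPrice, timestamp);
    }

    /// Reverts rather than returning a price nobody has refreshed recently.
    function latestValidated() external view returns (uint256) {
        require(updatedAt != 0 && block.timestamp - updatedAt <= MAX_AGE, "oracle stale");
        return price;
    }
}

/// Dutch-auction quoting priced off the live oracle; the creation snapshot is kept only as a sanity bound.
contract DutchAuctionQuote {
    SignedPriceOracle public immutable oracle;
    uint256 public constant MAX_DIVERGENCE_BPS = 500; // assumed 5% tolerance

    struct Auction {
        uint256 collateral;     // 18-decimal units offered
        uint256 snapshotPrice;  // oracle price when the auction was created
        uint256 startTime;
        uint256 duration;
        uint256 maxDiscountBps; // discount reached at the end of the curve
    }
    mapping(uint256 => Auction) public auctions;
    uint256 public nextId;

    constructor(SignedPriceOracle oracle_) { oracle = oracle_; }

    function create(uint256 collateral, uint256 duration, uint256 maxDiscountBps) external returns (uint256 id) {
        require(duration > 0 && maxDiscountBps < 10_000, "bad parameters");
        id = nextId++;
        auctions[id] = Auction(collateral, oracle.latestValidated(), block.timestamp, duration, maxDiscountBps);
    }

    /// Payment, in 18-decimal quote units, a bidder owes right now for the whole lot.
    function quote(uint256 id) public view returns (uint256 payment) {
        Auction storage a = auctions[id];
        uint256 live = oracle.latestValidated(); // re-priced at settlement time, not at creation
        uint256 diff = live > a.snapshotPrice ? live - a.snapshotPrice : a.snapshotPrice - live;
        // If the market moved past the tolerance since creation, the auction was sized for a
        // different world; refuse to settle and let the liquidation router re-create it.
        require(diff * 10_000 <= a.snapshotPrice * MAX_DIVERGENCE_BPS, "oracle diverged from snapshot");
        uint256 elapsed = block.timestamp - a.startTime;
        if (elapsed > a.duration) elapsed = a.duration;
        uint256 discountBps = (a.maxDiscountBps * elapsed) / a.duration;
        payment = (a.collateral * live * (10_000 - discountBps)) / (1e18 * 10_000);
    }
}
```

A settlement function would call `quote(id)`, record the auction as settled before any token movement, and only then pull the payment and release the collateral; the pricing logic itself is what the two findings changed, which is why the sketch stops there.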

Sub-issuer accounting stays in sync across stock splits. `stockSplit` now updates `_subIssuerMinted` and `_subIssuerCap` in lockstep with holder balances, so sub-issuers cannot be silently blocked from redeeming or issuing after a split.
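An added toy token shows why the split has to touch the sub-issuer ledgers as well as balances. It is written for this article and is not Trusset's Stock Token License (which is an upgradeable ERC-3643 token with an identity registry, none of which is modelled here); enumerating holders in an array is a simplification, and all names are invented.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Toy security token with sub-issuer caps; hypothetical, not Trusset's code.
contract SubIssuerSplitToken {
    address public immutable issuer;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    mapping(address => uint256) private _subIssuerCap;
    mapping(address => uint256) private _subIssuerMinted;
    address[] private _subIssuers;          // tracked so a split can rescale every ledger
    address[] private _holders;             // illustration only; a real token uses a registry
    mapping(address => bool) private _isHolder;

    event StockSplit(uint256 numerator, uint256 denominator);

    modifier onlyIssuer() { require(msg.sender == issuer, "issuer only"); _; }
    modifier onlySubIssuer() { require(_subIssuerCap[msg.sender] > 0, "sub-issuer only"); _; }

    constructor() { issuer = msg.sender; }

    function setSubIssuerCap(address subIssuer, uint256 cap) external onlyIssuer {
        if (_subIssuerCap[subIssuer] == 0 && cap > 0) _subIssuers.push(subIssuer);
        _subIssuerCap[subIssuer] = cap;
    }

    function issue(address to, uint256 amount) external onlySubIssuer {
        require(_subIssuerMinted[msg.sender] + amount <= _subIssuerCap[msg.sender], "cap exceeded");
        _subIssuerMinted[msg.sender] += amount;
        if (!_isHolder[to]) { _isHolder[to] = true; _holders.push(to); }
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function redeem(address from, uint256 amount) external onlySubIssuer {
        // Pre-fix failure mode: after a 2:1 split a holder legitimately holds twice what this
        // sub-issuer has recorded as minted, so redeeming the full position underflowed here
        // and reverted, silently locking the sub-issuer out of redemption.
        _subIssuerMinted[msg.sender] -= amount;
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }

    /// Applies a numerator/denominator split to balances AND to the sub-issuer ledgers in one step,
    /// so minted <= cap and sum(minted) == totalSupply hold before and after (up to rounding on reverse splits).
    function stockSplit(uint256 numerator, uint256 denominator) external onlyIssuer {
        require(numerator > 0 && denominator > 0, "bad ratio");
        uint256 newSupply;
        for (uint256 i = 0; i < _holders.length; i++) {
            address h = _holders[i];
            balanceOf[h] = (balanceOf[h] * numerator) / denominator;
            newSupply += balanceOf[h];
        }
        for (uint256 i = 0; i < _subIssuers.length; i++) {
            address s = _subIssuers[i];
            _subIssuerMinted[s] = (_subIssuerMinted[s] * numerator) / denominator;
            _subIssuerCap[s] = (_subIssuerCap[s] * numerator) / denominator;
        }
        totalSupply = newSupply;
        emit StockSplit(numerator, denominator);
    }

    function subIssuerLedger(address s) external view returns (uint256 minted, uint256 cap) {
        return (_subIssuerMinted[s], _subIssuerCap[s]);
    }
}
```

Walking through it: a sub-issuer with cap 1,000 issues 1,000 shares, the issuer calls `stockSplit(2, 1)`, and the holder now has 2,000. Without the second loop, `redeem(holder, 2000)` underflows `_subIssuerMinted` and reverts, and `issue` is still measured against the pre-split cap; with it, both ledgers read 2,000 and the sub-issuer can redeem or issue exactly as the split intended.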

Settlement operator de-risked at the deployment layer. Per M-02, the `settlementOperator` on `CommodityCustody` was migrated from a single EOA to a multisig wallet combined with a timelock controller, with the change applied at the deployment level rather than via contract-code rewrite.

`removeLiquidity()` now `whenNotPaused`. This closes a liquidity-provider bank-run path during emergency conditions in `StockLendingMarket`: with the market paused, LPs can no longer drain the pool ahead of everyone else while liquidations and repayments are frozen.

`emergencyWithdraw()` gated by timelock. The Stock Insurance Fund withdrawal path now requires an announce-then-execute flow with a 48-hour delay, with explicit caps and event logging.
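The announce-then-execute shape described above, as an added example that is not Trusset's Stock Insurance Fund code. It assumes a `guardian` address (which could be the multisig-plus-timelock from the M-02 deployment change, though that is not modelled here), a 20% per-withdrawal cap, OpenZeppelin 5.x `SafeERC20`, and invented function and event names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Insurance-fund emergency exit with announce-then-execute (hypothetical, not Trusset's code).
contract TimelockedInsuranceFund {
    using SafeERC20 for IERC20;

    IERC20 public immutable asset;
    address public immutable guardian;                 // assumed to be a multisig
    uint256 public constant EMERGENCY_DELAY = 48 hours;
    uint256 public constant MAX_EMERGENCY_BPS = 2_000; // assumed cap: 20% of the fund per withdrawal

    struct Pending { address to; uint256 amount; uint256 executableAt; }
    Pending public pending;

    event EmergencyWithdrawAnnounced(address indexed to, uint256 amount, uint256 executableAt);
    event EmergencyWithdrawCancelled(address indexed to, uint256 amount);
    event EmergencyWithdrawExecuted(address indexed to, uint256 amount);

    modifier onlyGuardian() { require(msg.sender == guardian, "guardian only"); _; }

    constructor(IERC20 asset_, address guardian_) { asset = asset_; guardian = guardian_; }

    function emergencyCap() public view returns (uint256) {
        return (asset.balanceOf(address(this)) * MAX_EMERGENCY_BPS) / 10_000;
    }

    /// Step 1: announce. Nothing moves; the event gives LPs and the issuer 48 hours of notice.
    function announceEmergencyWithdraw(address to, uint256 amount) external onlyGuardian {
        require(pending.executableAt == 0, "withdrawal already pending");
        require(to != address(0) && amount > 0 && amount <= emergencyCap(), "amount exceeds cap");
        pending = Pending(to, amount, block.timestamp + EMERGENCY_DELAY);
        emit EmergencyWithdrawAnnounced(to, amount, pending.executableAt);
    }

    function cancelEmergencyWithdraw() external onlyGuardian {
        Pending memory p = pending;
        require(p.executableAt != 0, "nothing pending");
        delete pending;
        emit EmergencyWithdrawCancelled(p.to, p.amount);
    }

    /// Step 2: execute, only after the delay, only once, and never past the cap as it stands now.
    function executeEmergencyWithdraw() external onlyGuardian returns (uint256 amount) {
        Pending memory p = pending;
        require(p.executableAt != 0, "nothing pending");
        require(block.timestamp >= p.executableAt, "delay not elapsed");
        delete pending;                 // effect before the external transfer
        uint256 cap = emergencyCap();   // re-checked: the fund may have shrunk during the delay
        amount = p.amount <= cap ? p.amount : cap;
        asset.safeTransfer(p.to, amount);
        emit EmergencyWithdrawExecuted(p.to, amount);
    }
}
```

The cap is evaluated twice on purpose: once at announcement so an oversized request cannot even be queued, and again at execution so that a fund that lost value during the 48 hours is not drained beyond the intended fraction. The three events are what give monitoring and LPs something to act on during the delay.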

Why this matters

For a regulated tokenization platform, three things have to hold simultaneously: transfers must always respect compliance, credit must always respect collateral, and custody must always respect balances. Trusset’s architecture binds those three layers through a shared identity registry, a shared liquidation router, and a shared upgrade-governance model — which means that auditing them in isolation would have missed the most interesting bugs. Reviewing all four codebases under a single configuration is what allowed softstack to surface findings like sub-issuer accounting drift after stock splits and silent-catch fund misrouting in the custody-to-lending callback — issues that only manifest at the boundary.

Reaching a zero-open-issues state across ten high-severity items is the result of a disciplined engineering team. It is also the kind of audit posture that institutional clients, custodians, and regulators expect from anyone building credit and trading rails for real-world assets in 2026.

About Softstack

Softstack GmbH is a European cybersecurity and software development company headquartered in Flensburg, Germany, and founded in 2017. The firm provides smart contract audits, blockchain security reviews, Web3 penetration testing, digital asset risk assessments, and security consulting for DeFi protocols, stablecoin issuers, enterprises, custodians, banks, and regulated digital asset institutions. softstack is ISO 27001 certified and has completed 1,200+ audits across 20+ chains, securing more than $100B in TVL with zero known post-audit exploits.

Full audit report on Github
