softstack, a European cybersecurity and software development firm, has completed an independent security audit of the Trusset Core Protocol.
softstack, a leading European cybersecurity and software development firm, has completed an independent security audit of the Trusset Core Protocol, the on-chain infrastructure that powers Trusset’s tokenization, trading, and credit platform for regulated real-world assets. The engagement covered six smart contract suites across four distinct Solidity codebases and identified 17 issues across the protocol, every single one of which has been resolved in close collaboration with the Trusset engineering team.
The audit combined manual expert review with automated security testing and addressed the areas most material to a regulated, MiCA- and eWpG-aligned tokenization stack: ERC-3643 transfer compliance, KYC/AML identity registry integration, UUPS upgradeability under a Trusset DAO / issuer governance model, oracle price integrity, overcollateralized lending and Dutch-auction liquidations, hybrid orderbook custody, and ERC-20 transfer robustness. All eight of Trusset’s pre-audit security claims were independently verified.
Audit Scope
– Stock Token License: ERC-3643 security tokens with corporate actions, sub-issuer controls, and compliance-enforced force transfers
– Stock Lending: overcollateralized lending markets with interest rate model, price oracle, insurance fund, Dutch-auction liquidations, and shared liquidation router
– Commodity Token License: ERC-20 commodity tokens with reserve-enforced minting and a primary market sale module
– Commodity Orderbook License: hybrid custody with off-chain matching, on-chain settlement, and token-enforced compliance
Two further suites were covered by reference: Commodity Token Lending shares the audited Stock Lending codebase, and the Stock Orderbook License shares the audited Commodity Orderbook codebase, so every finding and mitigation applies equally to the paired suites.
Results
– 17 issues identified: 17 resolved (10 High, 5 Medium, 2 Low)
– No remaining open or acknowledged-without-fix findings
– All fixes verified on the final audited commits across the four production repositories
“Trusset is built for regulated finance, and that meant the audit had to be uncompromising. softstack treated every contract path as if a regulator would read it, and the depth of the review is exactly what gave us and our partners the confidence to move forward.”
> Paul Ilami, CEO, Trusset
“Tokenized securities and commodities are some of the hardest systems to get right because compliance, custody, and credit all sit on the same rails. Trusset moved through every finding methodically and shipped fixes that hold up. Reaching a zero-open-issues state across ten high-severity items is the result of a serious engineering team.”
> Yannik Heinze, CEO, softstack GmbH

