Skip to content

Latest commit

 

History

History
141 lines (81 loc) · 7.56 KB

README.md

File metadata and controls

141 lines (81 loc) · 7.56 KB

CMTA Token

[TOC]

Introduction

The CMTA token (CMTAT) is a framework enabling the tokenization of securities in compliance with Swiss law.

The CMTAT is an open standard from the Capital Markets and Technology Association (CMTA), and the product of collaborative work by leading organizations in the Swiss finance and technology ecosystem.

The present repository provides CMTA's reference implementation of CMTAT for Ethereum, as an ERC-20 compatible token.

The CMTAT is developed by a working group of CMTA's Technical Committee that includes members from Atpar, Bitcoin Suisse, Blockchain Innovation Group, Hypothekarbank Lenzburg, Lenz & Staehelin, Metaco, Mt Pelerin, SEBA, Swissquote, Sygnum, Taurus and Tezos Foundation. The design and security of the CMTAT was supported by ABDK, a leading team in smart contract security.

The preferred way to receive comments is through the GitHub issue tracker. Private comments and questions can be sent to the CMTA secretariat at [email protected]. For security matters, please see SECURITY.md.

Functionality

Overview

The CMTAT supports the following core features:

  • Basic mint, burn, and transfer operations
  • Pause of the contract and freeze of specific accounts

Furthermore, the present implementation uses standard mechanisms in order to support:

  • Upgradeability, via deployment of the token with a proxy
  • "Gasless" transactions
  • Conditional transfers, via a rule engine

This reference implementation allows the issuance and management of tokens representing equity securities.

To use the CMTAT, we recommend that you use the latest audited version, from the Releases page.

You may modify the token code by adding, removing, or modifying features. However, the mandatory modules must remain in place for compliance with Swiss law.

Deployment mode (With A Proxy)

With A proxy

The CMTAT supports deployment via a proxy contract. Furthermore, using a proxy permits to upgrade the contract, using a standard proxy upgrade pattern.

The contract version to use as an implementation is the CMTAT_PROXY.

Please see the OpenZeppelin upgradeable contracts documentation for more information about the proxy requirements applied to the contract.

Please see the OpenZeppelin Upgrades plugins for more information about upgrades plugins in general.

Note that deployment via a proxy is not mandatory, but recommended by CMTA.

Modules

Here the list of the differents modules with the links towards the documentation and the main file.

Mandatory

Name Documentation Main File
BaseModule base.md BaseModule.sol
BurnModule burn.md BurnModule.sol
ERC20BaseModule erc20base.md ERC20BaseModule.sol
MintModule mint.md MintModule.sol
PauseModule pause.md PauseModule.sol

*not imported by default

Security

Name Documentation Main File
AuthorizationModule authorization.md AuthorizationModule.sol

Security

Vulnerability disclosure

Please see SECURITY.md.

Module

See the Section Modules/Security.

The Access Control is managed inside the module AuthorizationModule.

Audit

The contracts have been audited by ABDKConsulting, a globally recognized firm specialized in smart contracts' security.

First audit - September 2021

Fixes of security issues discovered by the initial audit were reviewed by ABDK and confirmed to be effective, as certified by the report released on September 10, 2021, covering version c3afd7b of the contracts. Version 1.0 includes additional fixes of minor issues, compared to the version retested.

A summary of all fixes and decisions taken is available in the file CMTAT-Audit-20210910-summary.pdf

Second audit - March 2023

The second audit was performed by ABDK on the version 2.2.

The release 2.3 contains the different fixes and improvements related to this audit.

The temporary report is available in the file Taurus. Audit 3.1. Collected Issues.ods.

Tools

You will find the report performed with Slither in the file slither-report.md

Test

  • You will find a summary of all automatic tests in the file test.pdf
  • A code coverage is available in the file index.html

For information, we do not perform tests on the internal functions init of the different modules.

Remarks

As with any token contract, access to the owner key must be adequately restricted. Likewise, access to the proxy contract must be restricted and seggregated from the token contract.

Documentation

Here a summary of the main documentation

Document Link/Files
Documentation of the modules API. doc/modules
Documentation on the toolchain doc/TOOLCHAIN.md
How to use the project doc/USAGE.md
Project architecture doc/general/architecture.md

CMTA will release further documentation describing the CMTAT framework in a platform-agnostic way, and coveging legal aspects, see

Intellectual property

The code is copyright (c) Capital Market and Technology Association, 2018-2023, and is released under Mozilla Public License 2.0.