Securitize - SCA (RWA Token) - Securitize

1. Introduction

Securitizeengaged Halborn to conduct a security assessment on their RWA Token Solana program beginning on February 10th, 2025, and ending on March 7th, 2025. The security assessment was scoped to the Solana Program provided in rwa-token GitHub repository. Commit hashes and further details can be found in the Scope section of this report.

The RWA Token is a suite of programs designed to issue and manage the lifecycle of real-world asset tokens. It consists of the following programs:

• Asset Controller: Manages core asset operations and enforces standardized transfer controls. It mints assets using the Token-2022 Standard (Token Extensions) with the Transfer-Hook and Permanent Delegate extensions. These features allow issuers to maintain control over tokens throughout their lifecycle, enabling actions such as freezing, seizing, and regulating transactions based on identity permissions.

• Identity Registry: Provides a flexible identity issuance and tracking system to facilitate on-chain transaction permissioning. It is designed to support various regulatory frameworks by assigning identity levels to users. The issuer defines the meaning of these identity levels based on the specific requirements of their offering.

• Policy Engine: Serves as an on-chain policy enforcement mechanism, ensuring transactions comply with identity-based restrictions. It validates transactions via the transfer-hook integrated into the program, enforcing regulatory and issuer-defined policies.

2. Assessment Summary

Halborn was provided 18 days for the engagement and assigned two full-time security engineers to review the security of the Solana Programs in scope. The engineers are blockchain and smart contract security experts with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

• Identify potential security issues within the Solana Programs.

• Ensure that smart contract functionality operates as intended.

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were partially addressed by the Securitize team. The main ones are the following:

• Add a verification to ensure the signer is an expected and trusted entity.

• Close all related accounts when the mint is closed or preventing mint closure altogether to maintain proper tracking of associated accounts.

• Add a check to ensure the authority of the revoke_token_account matches the identity owner or the wallet of the wallet identity.

• Add a validation to ensure the total amount of the tracker_account for the identity_account to be closed is zero.

• Ensure the delegation functionality is implemented consistently across all programs or remove it entirely if it is not needed.

• Require the wallet account to be a signer in the transaction, verifying its legitimacy and ownership.

• Verify that new counters have unique IDs.

• Adapt counters removal to remove counters based on IDs instead of vector indices.

  
  

3. Test Approach and Methodology

Halborn performed a combination of a manual review of the source code and automated security testing to balance efficiency, timeliness, practicality, and accuracy in regard to the scope of the program assessment. While manual testing is recommended to uncover flaws in business logic, processes, and implementation; automated testing techniques help enhance coverage of programs and can quickly identify items that do not follow security best practices.

The following phases and associated tools were used throughout the term of the assessment:

• Research into the architecture, purpose, and use of the platform.

• Manual program source code review to identify business logic issues.

• Mapping out possible attack vectors

• Thorough assessment of safety and usage of critical Rust variables and functions in scope that could lead to arithmetic vulnerabilities.

• Scanning dependencies for known vulnerabilities (cargo audit).