BRLT Solana program - Trace finance

1. Introduction

Trace Finance engaged Halborn to conduct a security assessment of their BRLT Solana program beginning on February 26th, 2026, and ending on February 27th, 2026. The security assessment was scoped to the Solana Programs provided in brlt-solana GitHub repository. Commit hashes and further details can be found in the Scope section of this report.

The BRLT (Brazilian Real Token) program is a Solana SPL Token built on the Token-2022 standard that implements a permissioned minting and burning system with role-based access control. The system is designed for regulated fiat-backed stablecoins where a central authority controls issuance, can freeze accounts for compliance, and can permanently remove tokens from blacklisted wallets—all role assignments are mutable and can be renounced by holders themselves.

2. Assessment Summary

Halborn was provided 2 days for the engagement and assigned one full-time security engineer to review the security of the Solana Programs in scope. The engineer is a blockchain and smart contract security expert with advanced smart contract hacking skills, and deep knowledge of multiple blockchain protocols.

The purpose of the assessment is to:

• Identify potential security issues within the Solana Programs.

• Ensure that smart contract functionality operates as intended.

In summary, Halborn identified some improvements to reduce the likelihood and impact of risks, which were addressed by the Trace Finance team. The main ones were the following:

• Ensure users without burner role cannot burn their tokens directly via the native burn instruction.

• Restrict the signer of the 'initialize' instruction to be a specific known address.

• Validate during the 'initialize' instruction that the provided mint is correctly configured.