Tokenized Asset Security Checklist

A practical control review for teams launching tokenized securities, funds, stablecoins, settlement contracts, custody flows, or other regulated on-chain financial products.

01 Issuer Authority

  • Mint, burn, forced transfer, clawback, pause, and halt authority is isolated by role.
  • Critical role changes use a two-step handoff and emit clear operational events.
  • No single operational role can change compliance rules and move assets unilaterally.

02 Compliance Controls

  • Transfers enforce sender, recipient, and instrument eligibility before state changes.
  • Locks, freezes, hard walls, and soft walls have explicit precedence rules.
  • Restriction cleanup is deterministic and leaves an auditable trail.

03 Settlement Logic

  • Available balance is distinct from ledger balance and accounts for pending holds.
  • Batch settlement is idempotent and protected against duplicate processing.
  • External identifiers, references, and participant-agent flows cannot be replayed or misrouted.
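
The three settlement checks above can be exercised against a small model before they are reviewed in contract code. The following Python sketch is an added example, not code from this checklist's authors or from any on-chain contract; the `Ledger` class, its method names, and the instruction tuple layout are assumptions made for illustration.

```python
"""Constructed model of the settlement controls above; all names are hypothetical."""

class SettlementError(Exception):
    pass

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)  # holder -> ledger balance
        self.holds = {}                 # holder -> amount reserved by pending holds
        self.settled = {}               # external_ref -> (sender, recipient, amount)

    def available(self, holder):
        # Available balance excludes amounts reserved by pending holds.
        return self.balances.get(holder, 0) - self.holds.get(holder, 0)

    def place_hold(self, holder, amount):
        if amount <= 0 or amount > self.available(holder):
            raise SettlementError("hold exceeds available balance")
        self.holds[holder] = self.holds.get(holder, 0) + amount

    def settle_batch(self, instructions):
        """Apply (external_ref, sender, recipient, amount) items at most once, all or nothing."""
        balances, settled = dict(self.balances), dict(self.settled)  # staged copies
        applied = []
        for ref, sender, recipient, amount in instructions:
            body = (sender, recipient, amount)
            if ref in settled:
                if settled[ref] != body:
                    # Same reference, different payload: reject instead of skipping silently.
                    raise SettlementError(f"{ref}: reference reused with different details")
                continue  # exact duplicate of a settled item: skip, do not re-apply
            if amount <= 0 or amount > balances.get(sender, 0) - self.holds.get(sender, 0):
                raise SettlementError(f"{ref}: exceeds available balance")
            balances[sender] = balances.get(sender, 0) - amount
            balances[recipient] = balances.get(recipient, 0) + amount
            settled[ref] = body
            applied.append(ref)
        self.balances, self.settled = balances, settled  # commit only if every item passed
        return applied
```

Resubmitting the same batch returns an empty list and leaves balances unchanged, while a failing item anywhere in a batch discards the staged changes for the whole batch.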

04 Custody And Wallets

  • Registrant, custodian, broker, and wallet authority are modeled explicitly.
  • Custody permissions cannot bypass holder restrictions unless the legal workflow requires it.
  • Signing policies, multisig assumptions, and smart-account upgrade paths are reviewed.

05 Corporate Actions

  • Splits, reverse splits, adjustment factors, and fractionalization rules preserve accounting invariants.
  • Rounding behavior is documented and tested around edge balances.
  • Historical balances and event trails remain interpretable after adjustments.

06 Emergency And Upgrade Risk

  • Pause and halt controls are narrow, reversible, and tested against critical workflows.
  • Upgrade authority has delay, review, and rollback procedures appropriate for the asset class.
  • Monitoring covers privileged actions, failed settlement, oracle drift, and abnormal transfer patterns.