
Securing RWAs: Smart Contract Audits For re.al, Tangible And Pearl  


We are thrilled to share that we’ve completed a total of seven Smart Contract Audits for re.al and its featured ecosystem protocols: Tangible and Pearl. Hacken is excited to help secure these innovative RWA projects and enhance trust in the ecosystem.

  • re.al is the DeFi-native L2 for tokenized RWAs, leveraging off-chain yields to build deep on-chain liquidity. It harnesses the power of DeFi composability to transform valuable, real-world assets, amplifying the impact of traditionally off-chain assets.
  • Tangible is a leading tokenization protocol that brings valuable, real-world assets and yield on-chain. As a foundational component of the ecosystem, Tangible’s products provide uncorrelated, off-chain yield that powers other protocols.
  • Pearl is the leading DEX for tokenized RWAs, optimizing swaps, liquidity, and incentives for its users. With the introduction of Pearl v2, it enhances its innovative, incentive-driven flywheel by adding concentrated liquidity and a proprietary Active Liquidity Manager.
Client Testimonial 
“Hacken was instrumental in the development of re.al and the ecosystem of protocols deployed at launch.

Our project is unique in the sense that it’s not just a customized Orbit chain, but also a collection of protocols designed to complement and work together to support early liquidity growth. As such, we needed a comprehensive solution to audits and a partner who could understand the chain, the protocols and how they worked together to ensure a safe and secure launch for re.al. We found that with Hacken.

Dima and Vladyslav [Account and Delivery Managers] worked closely with us on timing and priorities to build an audit flow that allowed us to bring the chain and protocols to deployment in the safest and most efficient manner possible, aligning with the deadlines of our GTM planning.

The audit process was exhaustive, with Hacken’s auditors taking a comprehensive and finely detailed approach to protocol audits and documentation. Our internal smart contracts team was extremely pleased with the thorough reports that came from both preliminary and final audits.

As the chain and protocols have gotten traction and modifications have been made to products to meet the needs of our users, the team at Hacken have been available to review updates to the contracts and assist us with ongoing security needs for the ecosystem.
We look forward to continuing our partnership.”

Together, these protocols unleash the transformative powers of DeFi, driving the future of tokenized real-world assets. Hacken, no stranger to equity tokenization itself, has audited these three projects, verifying their security.

re.al Audit Overview

re.al is a modular Ethereum Layer-2 scaling platform designed to revolutionize DeFi and Real World Assets (RWAs) by offering a blend of security, efficiency, and permissionless access to deep liquidity. Utilizing advanced cryptographic protocols and built with Arbitrum Orbit, re.al delivers lightning-fast transaction speeds, reduced gas costs, and enhanced throughput, all while maintaining Ethereum’s security standards. As a dedicated ecosystem for tokenized RWAs, re.al maximizes yield for ETH and DAI, shares all protocol revenue with token holders, and supports seamless interoperability across blockchain networks. It’s the optimal platform for users, developers, and institutions to explore and unlock the true potential of RWAs in the blockchain space.

re.al Smart Contract Audit

Hacken’s Smart Contract Audit of the RWA Ecosystem and reETH projects involved several smart contracts designed for managing tokenized real estate assets and yield farming, respectively. re.al engaged Hacken to conduct a comprehensive security audit of its Real DAI and Real ETH projects, which are built on the Ethereum Virtual Machine (EVM) using Solidity. Overall, Hacken auditors have examined contracts related to Escrow, Yield Farming, Token Rebase, ERC20, and ERC4626.

These projects aim to provide users with innovative yield-bearing tokens—Real DAI and Real ETH—that leverage rebase mechanisms and staking strategies to enhance their value and stability.

1. Real DAI

Real DAI is a rebase token built on the Real Network. It converts staked Dai in the escrow account on Layer 1 (L1) to MakerDAO DSR (DAI Savings Rate Earn Strategy). The harvested yield is then bridged to the Real Network (Layer 2, L2) and used to rebase the DAI token, providing a passive income stream to holders. Real DAI contracts:

  • L1DaiEscrow.sol: Facilitates bridging DAI and harvested DSR rewards.
  • L2Dai.sol: Manages rebasing and synchronization of token value across layers.
  • DeployL1Escrow.s.sol and DeployL2Dai.s.sol: Deployment scripts for L1 and L2 contracts.

2. Real ETH

Real ETH is a native yield-bearing token for the re.al chain. It utilizes the ERC4626 standard for vault management, ensuring efficient handling of deposits, withdrawals, and yield optimization through various strategies, including staking and restaking protocols. Real ETH contracts:

  • RealVault.sol: Manages deposits, withdrawals, and asset allocation using ERC4626.
  • Minter.sol: Handles minting and burning of Real ETH tokens.
  • StrategyManager.sol: Oversees asset yield strategies.
  • LidoStEthStrategy.sol: Manages ETH yield through Lido staked ETH.
  • SwapManager.sol: Facilitates token swaps via decentralized exchanges.

Audit Summary

The security review found no critical, high, medium, or low severity issues, all of which were addressed and resolved. The audit of the re.al smart contracts revealed strong documentation quality, with detailed technical descriptions and functional requirements provided, along with NatSpec comments. The code quality was excellent, adhering to best practices and official style guides, with a well-configured development environment. Test coverage was robust, covering deployment and basic user interactions, with a code coverage rate of over 92%. The overall assessment of the project reflects a high standard across documentation, code quality, test coverage, and security.

The full audit is available here.

Tangible Audit Overview

Tangible is a tokenization protocol that brings valuable, real-world assets and yields on-chain. Right now, Tangible is transitioning from Polygon to re.al, a permissionless L2 dedicated to tokenized RWAs.

About Tangible

Tangible is a tokenization protocol that brings real-world assets onto the blockchain. Through its TNFTs (Tangible non-fungible tokens), the platform enables the minting of RWAs, which can be traded, sold, or farmed for yield. These TNFTs, backed by assets like gold or real estate, can be redeemed by KYC’d users for the underlying physical assets.

Tangible addresses the market’s need for a liquid, efficient, and secure way to invest in alternative asset classes, bridging the gap between traditional assets and the crypto ecosystem. Payments are accepted in $USTB and $ETH.

Tangible Smart Contract Audit

Hacken has conducted two Smart Contract Audits for Tangible’s Basket Project, a tokenized real estate investment trust. These audits focused on the contracts responsible for storing NFTs, allowing investors to track and claim their NFT revenue, as well as the wrapped ERC-20 token and ERC-4626 standard, which offer cross-chain capabilities for the Basket Token.

The NFT storage contract is designed to securely store NFTs while enabling investors to monitor and claim the revenue generated by their assets. The Wrapped Baskets system includes smart contracts that facilitate the trading of Basket Tokens across multiple chains. The WrappedBasketToken contract, deployed on the same chain as the original Baskets, adheres to the ERC-4626 standard, supporting deposits and withdrawals while preserving the rebase-revenue mechanism. WrappedBasketTokenSatellite, deployed on various chains, allows for seamless trading of Basket Tokens across different networks, with interconnection facilitated by the LayerZero protocol.

Audit Goals

The smart contract audit conducted by a knowledgeable third party like Hacken was crucial for ensuring the security, reliability, and efficiency of Tangible’s transition to the re.al permissionless L2 blockchain. Given the complex mechanisms involved in Tangible’s TNFT ecosystem, including the Basket Project that allows users to store and generate revenue from NFTs, the audit aimed to identify and mitigate potential risks such as gas limit issues, external call vulnerabilities, and centralized control concerns. 

The Basket Project lets users create baskets to store Tangible NFTs, mainly focusing on revenue-generating Real Estate tokens. Revenue is accrued and distributed to holders via a rebase mechanism, incentivizing ownership. A BasketManager oversees creation, ensuring each basket’s uniqueness and managing a list of all baskets. Users can freely deposit NFTs for basket tokens, but redemptions are limited to one random NFT at a time, with randomness provided by Gelato VRF. The system owner has several privileges, including contract upgrades, reconfigurations, and managing VRF providers and rebase fees.

Audit Results

The final security report contains no critical, high, medium, or low severity issues. The codebase is well-documented, with comprehensive NatSpec coverage and up-to-date publicly available documentation, including setup instructions and a technical overview. The code quality is high, though it could benefit from moving some configuration functionality to a dependency contract and adding event emissions for certain configuration functions. Test coverage is robust, with an actual coverage estimated at around 90% despite some Foundry coverage issues.

By thoroughly reviewing the code quality, documentation, and security measures, the audit ensured that Tangible’s protocol remains robust, secure, and trustworthy as it continues to bridge the gap between traditional assets and the crypto ecosystem.

See the full audit reports here.

Pearl Audit Overview

Pearl is the native liquidity hub and automated market maker (AMM) on re.al, the only permissionless L2 dedicated to tokenized RWAs. Offering the deepest liquidity for tokenized RWAs, Pearl enables traders to benefit from concentrated liquidity, ensuring low slippage and optimal pricing, while liquidity providers can strategically focus on high-transaction bands to amplify returns. Pearl’s proprietary Active Liquidity Management (ALM) system, Trident, optimizes liquidity performance, mitigating risks like impermanent loss and maximizing rewards. Additionally, Pearl is the first AMM to calculate rewards for concentrated liquidity entirely on-chain, offering a transparent and dynamic incentive structure driven by off-chain yields from assets like real estate and US treasuries.

Pearl Smart Contract Audit

We have conducted three comprehensive smart contract audits for Pearl, focusing on different key functionalities within the ecosystem.

1. Voting, ERC-20, and Bridge Functionality

Our first audit focused on Pearl’s core governance and token operations, including the VotingEscrow and Vesting contracts. These contracts manage locked tokens for governance, allowing users to lock tokens in exchange for voting power, represented as NFTs. We also audited the Pearl token, an upgradeable, cross-chain fungible token designed for DeFi applications. Our audit confirmed that these contracts perform as intended, ensuring secure and efficient token management and governance.

2. Yield Farming and AMM DEX

The second audit reviewed Pearl’s NFT Farming protocol and its Automated Market Maker (AMM) DEX, which supports fee-on-transfer and rebase tokens. The Caviar farming protocol was also evaluated, where users invest in strategies to earn returns. Our audit validated the system’s ability to manage yield strategies, maintain liquidity, and distribute rewards securely, confirming the integrity of Pearl’s farming and DEX functionalities.

3. Liquidity Pool Management

In our third audit, we examined PearlV2’s liquidity provision system, particularly the GaugeV2 and GaugeV2ALM contracts. These contracts manage staking for liquidity providers in concentrated liquidity pools and handle the distribution of rewards. We also assessed the governance mechanisms that oversee gauge creation and reward distribution. Our audit confirmed that these contracts effectively manage liquidity and rewards, ensuring that Pearl’s liquidity provision operates securely and as intended.

These audits collectively ensure that Pearl’s contracts are robust, secure, and aligned with their intended behaviors, providing confidence in the system’s overall reliability.

Conclusions

The successful completion of seven smart contract audits for the re.al ecosystem, including Tangible and Pearl, underscores Hacken’s commitment to ensuring the security and reliability of innovative DeFi and RWA projects. These audits have confirmed that the systems in place are robust, secure, and functioning as intended, providing a solid foundation for the continued growth and adoption of tokenized real-world assets.

As the DeFi landscape evolves, maintaining trust through rigorous security measures is crucial. Hacken remains dedicated to supporting projects that push the boundaries of what’s possible in blockchain technology.
