Using AI-assisted security analysis on the CMTAT: Case study of how CMTA and UBS have used Nethermind's AuditAgent on CMTAT contracts
Last month, CMTA released version 3.1.0 of the Solidity implementation of CMTAT, adding functionality and improving interoperability. CMTAT (CMTA Token) is an open-source token standard designed to support compliant issuance and lifecycle management of tokenized financial instruments.
Ahead of the v3.1.0 release, the UBS team and CMTAT developers ran Nethermind’s AuditAgent, an automated pre-audit analysis tool, on the code repository. While this does not replace a traditional security audit, it helps improve code quality and reduce potential issues ahead of a full audit. For several releases now, CMTAT has included static analysis reports (Slither and Aderyn) with each release to strengthen code quality and security. The Nethermind AuditAgent serves as an excellent complement to these tools, helping identify issues that static analyzers may not detect. The review was carried out on the development branch of CMTAT's Solidity GitHub repository, scanning 75 contracts and 5999 lines of code. The agent produced a report identifying 14 findings, with highlighted code references, explanations and a severity note summary.
Following the report, CMTAT developers at Taurus SA conducted a detailed review of each finding, providing responses that clarify whether issues require remediation or reflect intentional design decisions.
AuditAgent had been used on the CMTAT before. UBS, which uses CMTAT for tokenization, previously employed the tool on version 3.0.0. That review surfaced a few issues, some of which were addressed before that release and the rest resolved in the newly published v3.1.0 update.
Overall, the tool demonstrated impressive depth, uncovering issues embedded within the codebase that might not be immediately apparent. In some cases, however, the reported severity felt overstated, particularly for functions already safeguarded by strict access controls. Still, the feedback remained relevant and thought-provoking, offering meaningful insights.
The process of reviewing the findings proved especially valuable in validating design considerations. It reaffirmed the soundness of many choices while highlighting areas for possible refinement in future releases.
Jean-Philippe Aumasson, Chair of CMTA's Tech Committee and co-founder and CSO at Taurus SA, explains: “With Nethermind’s AI-supported analysis, we’re raising the assurance bar for tokenized securities and CMTAT, which is the most robust and versatile standard in the space. Thanks to Nethermind for the depth of the work and to UBS for supporting a model where innovation and security move together.”
Tomasz Kurowski, Head of Enterprise Business at Nethermind, comments: "We’re proud to have supported CMTA and UBS in applying AuditAgent to a real institutional CMTAT workflow and standard while helping automate and strengthen the smart contract review process with speed, consistency, and clear traceability. AuditAgent combines AI-assisted analysis with structured security checks to identify issues early and produce actionable remediation guidance, enabling teams to move from assessment to resolution faster. This collaboration reflects Nethermind’s strategy of raising the bar for institutional blockchain adoption by contributing to stronger security practices and the standards that make the ecosystem more resilient. We look forward to continuing our work with CMTA and UBS to accelerate safe, compliant innovation across the institutional digital asset space."
The AuditAgent reports, as well as CMTA's comments on them, are available in the GitHub repository. Transparency encourages broader scrutiny, supports industry trust, and reinforces CMTA’s commitment to open, verifiable standards. As with any open-source codebase, publicly available code benefits from having been "battle-tested" by other users, but it also increases the importance of rigorous security practices. Ongoing scrutiny is a core part of keeping open-source financial infrastructure trustworthy.
This v3.1.0 review was conducted using AuditAgent as part of an evaluation of the CMTAT codebase. AuditAgent is an automated pre-audit smart-contract security analysis solution built to help enterprises triage and rapidly analyze smart contracts, and it is available to organizations working with blockchain systems.
Links:
- The Nethermind AuditAgent reports and CMTA's commentary (authored by Ryan Sauge at Taurus SA) on the report are available here: https://github.com/CMTA/CMTAT/tree/v3.1.0/doc/audits/tools/nethermind-audit-agent