v3.3.0-rc1

Note: This version has not been audited.

Smart contract

Added

• New base contract CMTATBaseDocument:
  • Introduced as contracts/modules/1_CMTATBaseDocument.sol.
  • Isolates document-management authorization (_authorizeDocumentManagement) from CMTATBaseAccessControl.
  • Composes DocumentERC1643Module on top of the rule-engine base path.
• Stateful RuleEngine transfer hook support (testing/mocks):
  • Added IRuleTransferHook (contracts/mocks/RuleEngine/interfaces/IRuleTransferHook.sol) to allow rules to update rule-local state on transfer callbacks.
  • Added RuleTokenHolderTracker (contracts/mocks/RuleEngine/RuleTokenHolderTracker.sol) to track holder balances/list in rule storage.
  • RuleEngineMock now wires the holder-tracker rule and executes transfer hooks in transferred(...) paths.

Changed

• ERC-1643 document identifier format aligned to bytes32 (breaking API change for document functions):
  • Previous CMTAT variant (e.g. v3.2.0) used string for document names in IERC1643 (getDocument(string), getAllDocuments() -> string[]).
  • Current implementation uses bytes32 document names (getDocument(bytes32), getAllDocuments() -> bytes32[]) and exposes setDocument(bytes32,string,bytes32) / removeDocument(bytes32) with associated events.
  • CMTAT terms remain on the modified CMTAT structure: IERC1643CMTAT.DocumentInfo still uses string name for tokenization terms metadata (setTerms path).
• Base hierarchy refactor (strict dependency-order levels):
  • CMTATBaseDocument at level 1 (contracts/modules/1_CMTATBaseDocument.sol).
  • CMTATBaseAccessControl at level 2 (contracts/modules/2_CMTATBaseAccessControl.sol) and now inherits CMTATBaseDocument.
  • CMTATBaseAllowlist and CMTATBaseRuleEngine at level 3.
  • CMTATBaseDebt and CMTATBaseERC1404 at level 4.
  • CMTATBaseERC20CrossChain at level 5.
  • CMTATBaseERC2612, CMTATBaseERC2771, CMTATBaseDebtEngine at level 6.
  • CMTATBaseERC2771Snapshot, CMTATBaseERC7551Enforcement at level 7.
  • CMTATBaseERC1363, CMTATBaseERC7551 at level 8.
• CMTATBaseCommon no longer inherits DocumentERC1643Module.
• CMTATBaseAccessControl now defines _authorizeDocumentManagement and enforces DOCUMENT_ROLE.
• Updated impacted imports and deployment references to match the new module numbering/layout.
• ERC20CrossChain burn-path cleanup (no external API change):
  • Removed redundant crosschainBurn override from CMTATBaseERC20CrossChain; level-5 now uses ERC20CrossChainModule.crosschainBurn directly.
  • Removed redundant sender-aware burn override from CMTATBaseERC20CrossChain; burn/burnFrom sender-aware flow now relies on the module implementation.
  • In ERC20CrossChainModule, simplified internal self-burn routing and renamed helper _burnWithSender to _burnFromOperator for clearer intent.
• Meta-tx _msgData ERC1363 test path adjusted to avoid bytecode-size deployment failures:
  • Slimmed CMTATUpgradeableERC1363MsgDataMock.getMsgData() by removing event emission and using a view return path.
  • Reworked test/standard/modules/MetaTxMsgDataERC1363.test.js to validate trusted-forwarder calldata shape directly instead of relying on event parsing.

Fixed

• Fixed compile-path inconsistencies caused by stale numbered imports after base-level refactor.
• Restored full compilation after engine/mock alignment:
  • CMTATEngineInitializerMock no longer calls unavailable document-engine initializer on snapshot path.
  • DocumentEngineMock now implements IERC1643-compatible setDocument(bytes32,string,bytes32).

Documentation

Changed

• Updated base-module hierarchy and file references in doc/README.md to reflect:
  • 1_CMTATBaseDocument.sol
  • 2_CMTATBaseAccessControl.sol
  • 3_CMTATBaseAllowlist.sol
  • 3_CMTATBaseRuleEngine.sol
  • 4_CMTATBaseDebt.sol
  • 4_CMTATBaseERC1404.sol
  • 5_CMTATBaseERC20CrossChain.sol
  • 6_CMTATBaseERC2612.sol
  • 6_CMTATBaseERC2771.sol
  • 6_CMTATBaseDebtEngine.sol
  • 7_CMTATBaseERC2771Snapshot.sol
  • 7_CMTATBaseERC7551Enforcement.sol
  • 8_CMTATBaseERC1363.sol
  • 8_CMTATBaseERC7551.sol
• Updated doc/README.md ERC-1643 section to use current bytes32 API signatures (getDocument(bytes32), getAllDocuments() returns (bytes32[])) with compatibility note for IERC1643CMTAT.DocumentInfo.name (string).
• Updated contracts tree file .claude/tree/contracts_tree.txt.
• Added technical clarification for freeze-event semantics across standards:
  • doc/technical/erc-7943-uRWA-integration.md now explicitly documents that base Frozen(account, amount) is a normalized frozen-state update event (including unfreeze updates), while direction should be derived from ERC-3643/7551 directional events.
  • doc/technical/erc-3643-implementation.md now documents the event-layering model (Frozen base state update + TokensFrozen/TokensUnfrozen directional wrappers).

Testing

Added

• Added dedicated stateful RuleEngine rule test coverage in test/standard/modules/RuleEngineMockStatefulRule.test.js:
  • verifies holder-balance tracking and holder-list transitions through transfer hook callbacks.
• Added initializer edge-case tests for DocumentEngineModule and SnapshotEngineModule:
  • test/common/DocumentModule/DocumentModuleSetDocumentEngineCommon.js: covers zero-engine assignment and re-initialization revert paths.
  • test/common/SnapshotModuleCommon/SnapshotModuleSetSnapshotEngineCommon.js: covers zero-engine assignment and re-initialization revert paths.
• Added standard initializer branch tests in test/deployment/deployment.test.js:
  • manual initialization path, initialization with rule engine, and double-initialize revert.
• Added interface and initializer coverage across deployment test suites:
  • test/common/CMTATIntegrationCommon.js: extended integration paths.
  • test/deployment/erc721mock.test.js: ERC-721 generic initializer and interface paths.
  • Light/core, standard, permit, ERC-1363, snapshot, and document deployment suites.
• Added edge-case coverage for core transfer and approve paths:
  • test/common/ERC20BaseModuleCommon.js: zero-value transfers and explicit approve coverage.
  • test/common/AllowlistModuleCommon.js: explicit canSend/canReceive matrix including zero-value transfers.
• Extended test/common/AllowlistModuleCommon.js, test/common/DocumentModule/DocumentModuleCommon.js, and test/common/ERC20EnforcementModuleCommon.js with additional edge-case tests.

Fixed

• Removed hardcoded gasLimit: 30_000_000 override from deployCMTATERC1363Standalone in test/deploymentUtils.js. The explicit override exceeded the Prague/Fusaka per-transaction gas cap (FUSAKA_TRANSACTION_GAS_LIMIT = 16,777,216) enforced by Hardhat ≥ 2.28, causing a ProviderError on every ERC-1363 standalone test run. Auto-estimated gas is well within the cap for this contract.

Documentation

Changed

• Updated test count references in README.md and doc/README.md: 3,078 → 5,630 automated tests.
• README.md: added hyperlinks to all ERC standard references in the features table; expanded the Supported Financial Instruments table (added Snapshot, DebtEngine, ERC-1363, and UUPS variants; clarified Allowlist entry); added Contract Sizes section with deployed/initcode sizes for all deployment variants; corrected UUPS standalone note.
• SECURITY.md: expanded responsible disclosure policy.
• doc/README.md and doc/SUMMARY.md: updated module-level documentation and surya reports to reflect current hierarchy and coverage results.
• Updated code coverage reports in doc/test/coverage/ after full test run.

v3.3.0-rc0

Note: This version has not been audited.

Smart contract

Added

• New base contract CMTATBaseERC2612 (contracts/modules/4_CMTATBaseERC2612.sol) combining:
  • ERC-2612 Permit: gasless approvals via EIP-712 signature (permit), gated by CMTAT pause and freeze validation.
  • ERC-6357 Multicall: batch multiple contract calls into a single transaction (multicall).
• New deployment variants: CMTATStandalonePermit and CMTATUpgradeablePermit (contracts/deployment/permit/), based on CMTATBaseERC2612.
• New module ERC20EnforcementERC7551Module (contracts/modules/wrapper/options/ERC20EnforcementERC7551Module.sol):
  • Splits ERC-7551 specific enforcement out of ERC20EnforcementModule (see Changed).
  • Provides bytes data overloads for forcedTransfer, freezePartialTokens, unfreezePartialTokens (as required by IERC7551ERC20Enforcement).
  • Provides getActiveBalanceOf and overrides getFrozenTokens to satisfy both IERC7551ERC20Enforcement and IERC3643ERC20Enforcement.
• New validation contract ValidationModuleAllowance (contracts/modules/wrapper/extensions/ValidationModule/ValidationModuleAllowance.sol):
  • Validates allowance authorization (approve and permit): reverts if the contract is paused or if owner/spender is frozen.
  • Used in CMTATBaseERC2612.permit to enforce CMTAT compliance checks before setting the allowance.
• New mixin CMTATBaseSnapshot (contracts/modules/0_CMTATBaseSnapshot.sol):
  • Pure ERC-20 + SnapshotEngineModule mixin providing the _update hook for historical balance tracking.
  • Designed to be composed into deployment variants that require snapshot support.
• New base contract CMTATBaseERC2771Snapshot (contracts/modules/6_CMTATBaseERC2771Snapshot.sol):
  • Combines CMTATBaseERC2771 with CMTATBaseSnapshot, resolving all ERC-20 / snapshot disambiguation overrides.
  • Used as the foundation for snapshot-enabled standard deployment variants.
• New base contract CMTATBaseERC7551Enforcement (contracts/modules/6_CMTATBaseERC7551Enforcement.sol):
  • Combines CMTATBaseERC2771 with ERC20EnforcementERC7551Module.
  • Exposes ERC-7551 enforcement functions (forcedTransfer/freezePartialTokens/unfreezePartialTokens with bytes) and getActiveBalanceOf in Standard deployments.
• New deployment variants CMTATStandaloneSnapshot and CMTATUpgradeableSnapshot (contracts/deployment/snapshot/):
  • Standard CMTAT feature set plus SnapshotEngine support for historical balance queries.

Changed

• ERC20EnforcementModule: Removed IERC7551ERC20Enforcement interface inheritance and the ERC-7551 specific functions (getActiveBalanceOf, forcedTransfer(address,address,uint256,bytes), freezePartialTokens(address,uint256,bytes), unfreezePartialTokens(address,uint256,bytes)). These are now in ERC20EnforcementERC7551Module. The module now implements only IERC3643ERC20Enforcement and IERC7943FungibleEnforcementSpecific.
• ERC-7551 event model alignment:
  • IERC7551ERC20EnforcementEvent now exposes ForcedTransfer(address operator, address from, address to, uint256 value, bytes data) (replacing the legacy Enforcement(...) event shape).
  • ERC-7551 event emission was removed from ERC20EnforcementModuleInternal and is now emitted in ERC-7551 specific paths (ERC20EnforcementERC7551Module, and CMTATBaseCore.forcedBurn).
• CMTATBaseERC7551: Updated to inherit from ERC20EnforcementERC7551Module (instead of relying on ERC20EnforcementModule alone) to expose ERC-7551 bytes-data enforcement functions and getActiveBalanceOf. Added explicit diamond-inheritance disambiguation overrides for _msgSender, _msgData, _contextSuffixLength, _update, transfer, transferFrom, approve, name, symbol, decimals, and getFrozenTokens.
• CMTATBaseERC7551: Promoted to level 7 (contracts/modules/7_CMTATBaseERC7551.sol) and now inherits from CMTATBaseERC7551Enforcement.
• CMTATBaseERC1363: Promoted to level 7 (contracts/modules/7_CMTATBaseERC1363.sol) and now inherits from CMTATBaseERC7551Enforcement so ERC-1363 deployments keep the standard ERC-7551 enforcement path.
• CMTATStandardStandalone and CMTATStandardUpgradeable now inherit from CMTATBaseERC7551Enforcement, so Standard deployments expose ERC-7551 enforcement functions.
• CMTATUpgradeableUUPS inheritance remains unchanged (no CMTATBaseERC7551Enforcement).
• CMTATBaseAllowlist: Now composes ERC20EnforcementERC7551Module, so Allowlist deployments also expose ERC-7551 enforcement functions (forcedTransfer/freezePartialTokens/unfreezePartialTokens with bytes) and getActiveBalanceOf.
• EnforcementModuleInternal: Hardened freeze-list writes by rejecting address(0) in _addAddressToTheList (new CMTAT_Enforcement_ZeroAddressNotAllowed custom error), preventing misuse of setAddressFrozen / batchSetAddressFrozen on the zero address.
• ERC20EnforcementModuleInternal: Hardened partial freeze paths by rejecting address(0) in _freezePartialTokens and _unfreezePartialTokens (new CMTAT_ERC20EnforcementModule_ZeroAddressNotAllowed custom error).
• CMTATBaseDebtEngine: Now inherits from both CMTATBaseERC20CrossChain and CMTATBaseSnapshot, adding SnapshotEngine support to the Debt variant. Adds _authorizeSnapshots and disambiguation overrides for _update, transfer, transferFrom, approve, name, symbol, decimals.
• CMTATBaseDebt: Restored SnapshotEngine support by inheriting CMTATBaseSnapshot and adding the required disambiguation/authorization overrides (approve, transfer, transferFrom, decimals, name, symbol, _update, _authorizeSnapshots) so Debt deployments expose snapshotEngine / setSnapshotEngine again.
• RuleEngine operator propagation for cross-chain burn flows:
  • burn now preserves and propagates _msgSender() through the transfer-compliance hook so spender-aware RuleEngine checks are enforced for operator-initiated burns.
  • burnFrom now preserves and propagates _msgSender() through the transfer-compliance hook so spender-aware RuleEngine checks are enforced for allowance-based delegated burns.
  • crosschainBurn now follows the same operator propagation model for consistency with burnFrom.
  • mint and crosschainMint now also propagate _msgSender() so spender-aware RuleEngine checks apply consistently to operator-initiated mint flows.
• ERC-7943 interface update — breaking changes aligned with the updated ERC-7943 specification:
  • canTransact(address) removed; replaced by canSend(address) and canReceive(address) in ValidationModule, implementing the new IERC7943FungibleSendReceiveCheck interface. Both currently delegate to the same underlying eligibility check (frozen status + allowlist), but allow future asymmetric access policies.
  • ERC7943CannotTransact error removed; replaced by directional errors ERC7943CannotSend (emitted when a sender, spender, or burn source is blocked) and ERC7943CannotReceive (emitted when a recipient or mint target is blocked), defined in IERC7943FungibleSendReceiveError.
  • Internal _canTransact split into _canSend and _canReceive (both virtual, overridden in ValidationModuleAllowlist).
  • _canMintBurnByModuleAndRevert split into _canMintByModuleAndRevert (reverts with ERC7943CannotReceive) and _canBurnByModuleAndRevert (reverts with ERC7943CannotSend).
  • Interface names: IERC7943TransactError → IERC7943FungibleSendReceiveError; IERC7943TransactCheck → IERC7943FungibleSendReceiveCheck.
  • ERC-7943 ERC-165 interface ID updated: 0x29388973 → 0x3edbb4c4.

Testing

Added

• New test files for the Permit deployment variants: test/deployment/permit/deploymentPermitStandalone.test.js, test/deployment/permit/deploymentPermitUpgradeable.test.js.
• New common test modules: test/common/PermitModuleCommon.js, test/common/MulticallModuleCommon.js.

Changed

• test/common/AllowlistModuleCommon.js: updated to cover new allowance validation behavior and ERC-7943 directional errors.
• test/common/ERC20BaseModuleCommon.js: updated to cover updated approve validation and ERC-7943 directional errors.
• test/common/EnforcementModuleCommon.js, test/common/PermitModuleCommon.js, test/common/ERC20BurnModuleCommon.js, test/common/ERC20MintModuleCommon.js, test/common/ERC20CrossChainModuleCommon.js: replaced canTransact calls with canSend; replaced ERC7943CannotTransact revert expectations with the appropriate directional error (ERC7943CannotSend or ERC7943CannotReceive).
• test/utils.js: updated IERC7943_INTERFACEID to 0x3edbb4c4.
• test/deployment/erc721mock.test.js: updated to ERC7943CannotReceive.
• Deployment test wiring updated after snapshot-module extraction:
  • Removed snapshot common test calls from non-snapshot deployment suites where snapshotEngine() is not exposed (ERC-7551 and ERC-1363 proxy deployment suites).
  • Added dedicated ERC-7551 enforcement common tests (test/common/ERC20EnforcementERC7551ModuleCommon.js) and wired them to ERC-7551 deployment suites.
  • Added zero-address rejection coverage for enforcement freeze entry points in test/common/EnforcementModuleCommon.js (setAddressFrozen overloads and batchSetAddressFrozen).
  • Added zero-address rejection coverage for partial freeze entry points in test/common/ERC20EnforcementModuleCommon.js (freezePartialTokens / unfreezePartialTokens, with and without reason).
  • Added RuleEngine spender-propagation coverage for burn and batchBurn (test/common/ERC20BurnModuleCommon.js) to validate operator-aware checks.
  • Added batchBurn exact-balance edge-case ...

v3.2.0

Note: This version has not been audited.

Issue

• Known issue for this release
  Frozen tokens may exceed balance and break active-balance assumptions (medium)
• Operator/Spender Identity Lost in RuleEngine Hooks (burn/mint/cross-chain) (low)

Smart contract

Added

• Support of ERC-7943 (#337):
  • New functions setFrozenTokens and canTransact in the enforcement module.
  • New error ERC7943InsufficientUnfrozenBalance in ERC20EnforcementModule.
  • Emit ERC-7943 enforcement events (TokensFrozen, TokensUnfrozen).
  • ERC-7943 ERC-165 interface ID support.
• New dedicated deployment variant with DebtEngine support (see Removed section for rationale).
• IRuleEngine: ERC-165 support added (#342) to enable interface compliance checks.
  • New interface IRuleEngineERC1404 inheriting from both IERC1404Extend and IRuleEngine.
  • Library contracts RuleEngineInterfaceId and ERC1404ExtendInterfaceId to store ERC-165 interface IDs.
• New base contract CMTATBaseAccessControl (#350).

Changed

• Transfer now reverts with specific errors when the contract is paused or deactivated (#338) to improve error clarity.
• The approve function now reverts when the contract is paused for all deployment variants except Light (#335).
• ValidationModule: Optimized code size by removing useless boolean returns.
• Updating contract address comparisons (Solidity v3.2.0).
• Replaced CMTAT library errors with ERC-7943 specific errors.
• Renamed custom errors for consistency.

Fixed

• Wake Arena audit (M1/M2/M3): Removed redundant CMTATBaseRuleEngine._checkTransferred calls in CMTATBaseERC20CrossChain._mintOverride, _burnOverride, and _minterTransferOverride. The rule-engine compliance hook was being executed twice per operation; the single authoritative call in the CMTATBaseCommon parent overrides is now sufficient. #354
• Wake Arena audit (I1): Corrected NatSpec comment in CMTATBaseERC20CrossChain._authorizeSelfBurn which incorrectly referenced BURNER_FROM_ROLE instead of BURNER_SELF_ROLE.

NatSpec / Comments

• Wake Arena audit (L1): Added clarifying comment in ERC20BaseModule.transferFrom and updated IERC20Allowance.Spend event NatSpec to state that the event is not emitted when the allowance is infinite (type(uint256).max), as no deduction occurs in that case.
• Wake Arena audit (L2): Added NatSpec warning on approve in CMTATBaseAllowlist documenting the standard ERC-20 allowance race condition and advising callers to set the allowance to zero before assigning a new non-zero value.

Removed

• DocumentEngine and SnapshotEngine removed from constructors and initialization (#343) to simplify deployment and reduce bytecode size.
• DebtDeployment: DebtEngine support removed and moved to a dedicated deployment variant (#339) to reduce contract size and enable additional modules in DebtEngine-based deployments.
• CMTAT Errors library removed, errors are now defined in their respective interfaces.

Test / Doc / Script

Added

• Missing ERC-2771 integration tests for MetaTx module.
• Script to compute ERC-165 interface IDs (npm run erc165:interfaceId).

Changed

• Update Solidity version to 0.8.34 in Hardhat config file.

Acknowledge

We would like to thank @amilazz, @Domson97, as well as CMTA Tech Comite for their valuable feedback and contributions to this release. Their input played an important role in improving the project, and we sincerely appreciate their support.

v3.2.0-rc2

Patch

Fix constant value and name for ERC-165 interface

v3.2.0-rc1

Smart contract

• Improve comment
• ValidationModule: Optimized code size by removing useless boolean returns
• Updating contract address comparisons.
• Add library to store interface id for RuleEngine and ERC-1404Extend

Test & Tools

• Add missing test for ERC-2771 functions _msgData
• Add script to compute ERC-165 interface for IRuleEngine and IERC1404Extend
• Add Claude code files

Acknowledge
We would like to thank @amilazz, @Domson97, as well as CMTA Tech Comite for their valuable feedback and contributions to this release. Their input played an important role in improving the project, and we sincerely appreciate their support.

v3.2.0-rc0

Note: This version has not been audited.

Added

• Support of ERC-7943 (#337).
• New dedicated deployment variant with DebtEngine support (see Removed section for rationale).
• IRuleEngine: ERC-165 support added (#342) to enable interface compliance checks.
• New base contract CMTATBaseAccessControl (#350).

Changed

• Transfer now reverts with specific errors when the contract is paused or deactivated (#338) to improve error clarity.
• The approve function now reverts when the contract is paused for all deployment variants except Light (#335).
• Update Solidity version to 0.8.33 in Hardhat config file.

Removed

• DocumentEngine and SnapshotEngine removed from constructors and initialization (#343) to simplify deployment and reduce bytecode size.
• DebtDeployment: DebtEngine support removed and moved to a dedicated deployment variant (#339) to reduce contract size and enable additional modules in DebtEngine-based deployments.

v3.1.0

This version is not audited

Known issue for this release:
M01. Double invocation of rule-engine compliance hook in cross-chain overrides #354
Operator/Spender Identity Lost in RuleEngine Hooks (burn/mint/cross-chain) (low)

Fixed

• Misleading NatSpec Comments
• Incorrect error parameters in _unfreezeTokens
• CMTATUpgradeableUUPS contract may be not initializable
• CMTATBaseAllowlist - Redundant State Checks
• Snpashot update - CEI pattern

Added

• New module CCIPModule with two functions getCCIPAdmin and setCCIPAdmin
  • Reason: it allows the CCIP admin to enable the CMTAT token in Chainlink CCIP, without the need of requesting assistance to Chainlink.
• Add explicit support of ERC-5679 for minting and burning
  • Reason: this ERC was already supported in v3.0.0 but not through a dedicated interface and ERC-165 identifier.
  • Details: IERC7551Burn and IERC7551Mint will inherits from respectively the burn and mint part of ERC-5679.
• In ERC7551Module, the function setTerms emits the Terms event
  • Reason: meet the specification of the draft ERC ERC-7551.
• Create specific module ERC20CrossChain for cross-chain transfers (ERC-7802 and other burn/mint related function), code previously put in CMTATBaseCrossChain.

Changed

• Rename BaseModule into VersionModule

  • Reason: This module contains only the CMTAT version. This avoid also the confusion with CMTAT Base modules.

• Access control: in wrapper modules, all access control is made through internal functions. These functions must be now implemented in CMTAT base module

  • Reason: this allows to use a different access control (e.g. ownership or Access Manager) by implementing a new CMTAT Base module without the need of modifying wrapper modules.

• Cross-Chain

  • Move cross-chain functionalities (ERC-7802) from CMTATBaseCrossChain to a new module ERC20CrossChain.
  • The allowance is no longer required to burn tokens to follow Optimism Superchain ERC20 and OpenZeppelin implementation
    See ERC20BridgeableUpgradeable.so & SuperchainERC20.sol. See issue 328#issuecomment-3455923837

Library

• Update Openzeppelin standard and upgradeable version to v5.5.0

Documentation (README)

• Reference the new draft version of ERC-7551
• Reference ERC-5679 as supported ERC by CMTAT
• Add section to explain cross-chain bridge support (Chainlink CCIP and ERC-7802 mainly)
• Add summary tab for CMTAT framework functionalities to help build CMTAT version for other blockchains
• Add audit reports made by Nethermind Audit Agents

Acknowledge
We would like to thank @amilazz, @Domson97, as well as CMTA Tech Comite for their valuable feedback and contributions to this release. Their input played an important role in improving the project, and we sincerely appreciate their support.

v3.0.0

Major release audited by Halborn

Known issues for this release:

• Misleading NatSpec Comments
• Incorrect error parameters in _unfreezeTokens
• CMTATUpgradeableUUPS contract may be not initializable
• CMTATBaseAllowlist - Redundant State Checks
• Snpashot update - CEI pattern
• Operator/Spender Identity Lost in RuleEngine Hooks (burn/mint/cross-chain) (low)

Difference with v.3.0.0 rc version:

• Improved comments and documentation
• See changelogs of the rc versions for details.

Main changes with the last audited release (v2.3.0):

Added

• Add support for several new ERC standard, including:
  • Tokenization: ERC-3643 (without on-chain identity), ERC-7551 (equivalence), ERC-1363 (deployment version), ERC-1643 (document management)
  • Technicals: ERC-7201 (proxy storage management), ERC-7802 (cross-chain transfers), ERC-1822 (UUPS / deployment version
• Add several functions to optimize contract call: ERC-3643 batchMint, ERC-3643 batchBurn, ERC-3643 batchTransfer (restricted)
• Rename some functions
  • burninstead of forceBurn
• Add ERC-3643 function forcedTransfer
• Add several new engines: DebtEngine, SnapshotEngine and DocumentEngine
• Add several new deployment version:
  • CMTAT Proxy and standalone
  • CMTAT for ERC-1363 (proxy and standalone)
  • CMTAT for deployment with UUPS proxy
  • CMTAT ERC-7551 for better compatibility with ERC-7551

Updated

• Update Solidity (0.8.30) & OpenZeppelin version (v.5.4.0)
• Update several function names to be compatible with ERC-3643

Acknowledge
We would like to thank @amilazz, as well as CMTA Tech Comite for their valuable feedback and contributions to this release. Their input played an important role in improving the project, and we sincerely appreciate their support.

v3.0.0-rc7

• Add missing compliance check (pause, address freeze and RuleEngine) for batchTransfer
  • Create a virtual function _minterTransferOverride in ERC20MintModule.
  • This function is then overridden in CMTATBaseCommon to perform the required check
• Add the same check for batchMint/batchBurnfor CMTAT core (light) version by updating CMTATBaseCore
• Add several tests to check these modification

v3.0.0-rc6

• Perform recommendations from the audit report (Halborn)
• Main change: add a new ERC-1404 code if the contract is deactivated