Note: This version has not been audited.

Smart contract

Added

• Support of ERC-7943 (#337):
  • New functions setFrozenTokens and canTransact in the enforcement module.
  • New error ERC7943InsufficientUnfrozenBalance in ERC20EnforcementModule.
  • Emit ERC-7943 enforcement events (TokensFrozen, TokensUnfrozen).
  • ERC-7943 ERC-165 interface ID support.
• New dedicated deployment variant with DebtEngine support (see Removed section for rationale).
• IRuleEngine: ERC-165 support added (#342) to enable interface compliance checks.
  • New interface IRuleEngineERC1404 inheriting from both IERC1404Extend and IRuleEngine.
  • Library contracts RuleEngineInterfaceId and ERC1404ExtendInterfaceId to store ERC-165 interface IDs.
• New base contract CMTATBaseAccessControl (#350).

Changed

• Transfer now reverts with specific errors when the contract is paused or deactivated (#338) to improve error clarity.
• The approve function now reverts when the contract is paused for all deployment variants except Light (#335).
• ValidationModule: Optimized code size by removing useless boolean returns.
• Updating contract address comparisons (Solidity v3.2.0).
• Replaced CMTAT library errors with ERC-7943 specific errors.
• Renamed custom errors for consistency.

Fixed

• Wake Arena audit (M1/M2/M3): Removed redundant CMTATBaseRuleEngine._checkTransferred calls in CMTATBaseERC20CrossChain._mintOverride, _burnOverride, and _minterTransferOverride. The rule-engine compliance hook was being executed twice per operation; the single authoritative call in the CMTATBaseCommon parent overrides is now sufficient. #354
• Wake Arena audit (I1): Corrected NatSpec comment in CMTATBaseERC20CrossChain._authorizeSelfBurn which incorrectly referenced BURNER_FROM_ROLE instead of BURNER_SELF_ROLE.

NatSpec / Comments

• Wake Arena audit (L1): Added clarifying comment in ERC20BaseModule.transferFrom and updated IERC20Allowance.Spend event NatSpec to state that the event is not emitted when the allowance is infinite (type(uint256).max), as no deduction occurs in that case.
• Wake Arena audit (L2): Added NatSpec warning on approve in CMTATBaseAllowlist documenting the standard ERC-20 allowance race condition and advising callers to set the allowance to zero before assigning a new non-zero value.

Removed

• DocumentEngine and SnapshotEngine removed from constructors and initialization (#343) to simplify deployment and reduce bytecode size.
• DebtDeployment: DebtEngine support removed and moved to a dedicated deployment variant (#339) to reduce contract size and enable additional modules in DebtEngine-based deployments.
• CMTAT Errors library removed, errors are now defined in their respective interfaces.

Test / Doc / Script

Added

• Missing ERC-2771 integration tests for MetaTx module.
• Script to compute ERC-165 interface IDs (npm run erc165:interfaceId).

Changed

• Update Solidity version to 0.8.34 in Hardhat config file.

Acknowledge

We would like to thank @amilazz, @Domson97, as well as CMTA Tech Comite for their valuable feedback and contributions to this release. Their input played an important role in improving the project, and we sincerely appreciate their support.

Patch

Fix constant value and name for ERC-165 interface

Smart contract

• Improve comment
• ValidationModule: Optimized code size by removing useless boolean returns
• Updating contract address comparisons.
• Add library to store interface id for RuleEngine and ERC-1404Extend

Test & Tools

• Add missing test for ERC-2771 functions _msgData
• Add script to compute ERC-165 interface for IRuleEngine and IERC1404Extend
• Add Claude code files

Acknowledge
We would like to thank @amilazz, @Domson97, as well as CMTA Tech Comite for their valuable feedback and contributions to this release. Their input played an important role in improving the project, and we sincerely appreciate their support.

Note: This version has not been audited.

Added

• Support of ERC-7943 (#337).
• New dedicated deployment variant with DebtEngine support (see Removed section for rationale).
• IRuleEngine: ERC-165 support added (#342) to enable interface compliance checks.
• New base contract CMTATBaseAccessControl (#350).

Changed

• Transfer now reverts with specific errors when the contract is paused or deactivated (#338) to improve error clarity.
• The approve function now reverts when the contract is paused for all deployment variants except Light (#335).
• Update Solidity version to 0.8.33 in Hardhat config file.

Removed

• DocumentEngine and SnapshotEngine removed from constructors and initialization (#343) to simplify deployment and reduce bytecode size.
• DebtDeployment: DebtEngine support removed and moved to a dedicated deployment variant (#339) to reduce contract size and enable additional modules in DebtEngine-based deployments.

This version is not audited

Known issue for this release:
M01. Double invocation of rule-engine compliance hook in cross-chain overrides #354

Fixed

• Misleading NatSpec Comments
• Incorrect error parameters in _unfreezeTokens
• CMTATUpgradeableUUPS contract may be not initializable
• CMTATBaseAllowlist - Redundant State Checks
• Snpashot update - CEI pattern

Added

• New module CCIPModule with two functions getCCIPAdmin and setCCIPAdmin
  • Reason: it allows the CCIP admin to enable the CMTAT token in Chainlink CCIP, without the need of requesting assistance to Chainlink.
• Add explicit support of ERC-5679 for minting and burning
  • Reason: this ERC was already supported in v3.0.0 but not through a dedicated interface and ERC-165 identifier.
  • Details: IERC7551Burn and IERC7551Mint will inherits from respectively the burn and mint part of ERC-5679.
• In ERC7551Module, the function setTerms emits the Terms event
  • Reason: meet the specification of the draft ERC ERC-7551.
• Create specific module ERC20CrossChain for cross-chain transfers (ERC-7802 and other burn/mint related function), code previously put in CMTATBaseCrossChain.

Changed

• Rename BaseModule into VersionModule

  • Reason: This module contains only the CMTAT version. This avoid also the confusion with CMTAT Base modules.

• Access control: in wrapper modules, all access control is made through internal functions. These functions must be now implemented in CMTAT base module

  • Reason: this allows to use a different access control (e.g. ownership or Access Manager) by implementing a new CMTAT Base module without the need of modifying wrapper modules.

• Cross-Chain

  • Move cross-chain functionalities (ERC-7802) from CMTATBaseCrossChain to a new module ERC20CrossChain.
  • The allowance is no longer required to burn tokens to follow Optimism Superchain ERC20 and OpenZeppelin implementation
    See ERC20BridgeableUpgradeable.so & SuperchainERC20.sol. See issue 328#issuecomment-3455923837

Library

• Update Openzeppelin standard and upgradeable version to v5.5.0

Documentation (README)

• Reference the new draft version of ERC-7551
• Reference ERC-5679 as supported ERC by CMTAT
• Add section to explain cross-chain bridge support (Chainlink CCIP and ERC-7802 mainly)
• Add summary tab for CMTAT framework functionalities to help build CMTAT version for other blockchains
• Add audit reports made by Nethermind Audit Agents

Acknowledge
We would like to thank @amilazz, @Domson97, as well as CMTA Tech Comite for their valuable feedback and contributions to this release. Their input played an important role in improving the project, and we sincerely appreciate their support.

Major release audited by Halborn

Known issues for this release:

• Misleading NatSpec Comments
• Incorrect error parameters in _unfreezeTokens
• CMTATUpgradeableUUPS contract may be not initializable
• CMTATBaseAllowlist - Redundant State Checks
• Snpashot update - CEI pattern

Difference with v.3.0.0 rc version:

• Improved comments and documentation
• See changelogs of the rc versions for details.

Main changes with the last audited release (v2.3.0):

Added

• Add support for several new ERC standard, including:
  • Tokenization: ERC-3643 (without on-chain identity), ERC-7551 (equivalence), ERC-1363 (deployment version), ERC-1643 (document management)
  • Technicals: ERC-7201 (proxy storage management), ERC-7802 (cross-chain transfers), ERC-1822 (UUPS / deployment version
• Add several functions to optimize contract call: ERC-3643 batchMint, ERC-3643 batchBurn, ERC-3643 batchTransfer (restricted)
• Rename some functions
  • burninstead of forceBurn
• Add ERC-3643 function forcedTransfer
• Add several new engines: DebtEngine, SnapshotEngine and DocumentEngine
• Add several new deployment version:
  • CMTAT Proxy and standalone
  • CMTAT for ERC-1363 (proxy and standalone)
  • CMTAT for deployment with UUPS proxy
  • CMTAT ERC-7551 for better compatibility with ERC-7551

Updated

• Update Solidity (0.8.30) & OpenZeppelin version (v.5.4.0)
• Update several function names to be compatible with ERC-3643

Acknowledge
We would like to thank @amilazz, as well as CMTA Tech Comite for their valuable feedback and contributions to this release. Their input played an important role in improving the project, and we sincerely appreciate their support.

• Add missing compliance check (pause, address freeze and RuleEngine) for batchTransfer
  • Create a virtual function _minterTransferOverride in ERC20MintModule.
  • This function is then overridden in CMTATBaseCommon to perform the required check
• Add the same check for batchMint/batchBurnfor CMTAT core (light) version by updating CMTATBaseCore
• Add several tests to check these modification

• Perform recommendations from the audit report (Halborn)
• Main change: add a new ERC-1404 code if the contract is deactivated

• Add & improve Solidity Natspec comment
  -- Few improvement as a result (e.g rename return variables)
• Improve & update documentation

• Fix typo for IERC3643IComplianceContract
  -- IERC3743IComplianceContract -> IERC3643IComplianceContract

• CMTATBaseERC20CrossChain:
  Put events before internal functions calls mintOverrideand burnOverride(avoid reentrancy-events)