Audit of CoinList Token Sale Fund
Our team performed a security audit for Amalgamated Token Services Inc. of the CoinList Token Sale Fund, a custodial smart contract used to manage user contributions during token sale events. The contract temporarily holds user funds, enables backend-controlled commitment and refund flows, and allows the final distribution of collected assets to a designated sale partner once all refunds are completed.
The system relies on role-based access control to separate committing, remitting, and ownership responsibilities, and is designed to support ERC-20 token contributions under strict operational assumptions. It incorporates internal accounting of committed and remitted balances, and administrative controls for managing privileged roles and final fund transfers.
In addition to the code review, we conducted a full threat modeling exercise covering on-chain contracts, backend systems, privileged operators, and external token dependencies.
During the audit, we identified several minor and informational issues related to trust assumptions, operational edge cases, and best practices. All resolved issues were fixed and verified, while the remaining findings were acknowledged by CoinList as acceptable within their security and governance model. Read the full audit report.
“Oak Security has been a great partner from day 1. They are very flexible, always open to communication, and able to support all our needs. Highly recommend them.” - Matt Delacour, CTO, CoinList

