Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
polymath-core
Advanced tools
The Polymath Core smart contracts provide a system for launching regulatory-compliant securities tokens on a decentralized blockchain. This particular repository is the implementation of a system that allows for the creation of ST-20-compatible tokens. This system has a modular design that promotes a variety of pluggable components for various types of issuances, legal requirements, and offering processes.
An ST-20 token is an Ethereum-based token implemented on top of the ERC-20 protocol that adds the ability for tokens to control transfers based on specific rules. ST-20 tokens rely on Transfer Managers to determine the ruleset the token should apply in order to allow or deny a transfer, be it between the issuer and investors, in a peer to peer exchange, or a transaction with an exchange.
ST-20 tokens must implement a verifyTransfer
method which will be called when attempting to execute a transfer
or transferFrom
method. The verifyTransfer
method will determine whether that transaction can be completed or not. The implementation of verifyTransfer
can take many forms, but the default approach is a whitelist controlled by the GeneralTransferManager
.
contract IST20 {
// off-chain hash
bytes32 public tokenDetails;
//transfer, transferFrom must respect the result of verifyTransfer
function verifyTransfer(address _from, address _to, uint256 _amount) view public returns (bool success);
//used to create tokens
function mint(address _investor, uint256 _amount) public returns (bool success);
}
The diagram below depicts a high-level view of the various modules, registries, and contracts implemented in Polymath Core:
SecurityToken
is an implementation of the ST-20 protocol that allows the addition of different modules to control its behavior. Different modules can be attached to SecurityToken
:
GeneralTransferManager
module attached in order to determine if transfers should be allowed based on a whitelist approach. The GeneralTransferManager
behaves differently depending who is trying to transfer the tokens.
a) In an offering setting (investors buying tokens from the issuer) the investor's address should be present on an internal whitelist managed by the issuer within the GeneralTransferManager
.
b) In a peer to peer transfer, restrictions apply based on real-life lockups that are enforced on-chain. For example, if a particular holder has a 1-year sale restriction for the token, the transaction will fail until that year passes.SecurityToken
can be attached to one (and only one) STO module that will dictate the logic of how those tokens will be sold/distributed. An STO is the equivalent to the Crowdsale contracts often found present in traditional ICOs.The ticker registry manages the sign up process to the Polymath platform. Issuers can use this contract to register a token symbol (which are unique within the Polymath network). Token Symbol registrations have an expiration period (7 days by default) in which the issuer has to complete the process of deploying their SecurityToken. If they do not complete the process in time, their ticker symbol will be made available for someone else to register.
The security token registry keeps track of deployed STs on the Polymath Platform and uses the TickerRegistry to allow only registered symbols to be deployed.
Modules allow custom add-in functionality in the issuance process and beyond. The module registry keeps track of modules added by Polymath or any other users. Modules can only be attached to STs if Polymath has previously verified them. If not, the only user able to utilize a module is its owner, and they should be using it "at their own risk".
First, assure that you have setup Polymath Core properly.
The Polymath CLI (Command Line Interface) commands are operated from a *nix command prompt (unix or mac).
To use it, make sure you are connected to a full ethereum node (or locally to ganache-cli
, a local private test network).
You can run Parity with the following command to get started (make sure the node is fully synced before using the CLI tool):
parity --chain ropsten --rpcapi "eth,net,web3,personal,parity" --unlock YOUR_ETH_ACCOUNT --password $HOME/password.file
If you are working on a local private network, you should run the faucet command to get Poly necessary to pay fees for the other commands.
node CLI/polymath-cli faucet
The ST-20 Generator command is a wizard-like script that will guide technical users in the creation and deployment of an ST-20 token.
CLI/commands/helpers/contract_addresses.js
to make sure scripts are pointing to the correct contract addressesnode CLI/polymath-cli st20generator
Y
and it will update a whitelist with them and then tokens will be issued.
Make sure the whitelist_data.csv
and multi_mint_data.csv
files are present in the data folder and fulfilled with the right information.node CLI/polymath-cli st20generator
command again and enter the token symbol to see the STO's live-progress.After starting the STO you can run a command to mass-update a whitelist of allowed/known investors.
Make sure the whitelist_data.csv
file is present in the data folder.
The command takes 2 parameters:
node CLI/polymath-cli whitelist TOKEN_SYMBOL [BATCH_SIZE]
Before starting the STO you can run a command to distribute tokens to previously whitelisted investors.
Make sure the multi_mint_data
file is present in the data folder.
The command takes 2 parameters:
node CLI/polymath-cli multi_mint TOKEN_SYMBOL [BATCH_SIZE]
You can run the invest command to participate in any STO you have been whitelisted for. The script takes 3 parameters:
node CLI/polymath-cli invest TOKEN_SYMBOL BENEFICIARY ETHER
You can run the transfer command to transfer ST tokens to another account (as long as both are whitelisted and have been cleared of any lockup periods).
node CLI/polymath-cli transfer TOKEN_SYMBOL ACCOUNT_TO AMOUNT
You can run the module manager command to view all the modules attached to a token and their status. You will be asked for a token symbol.
node CLI/polymath-cli module_manager
Contract | Address |
---|---|
TickerRegistry: | 0xf1b64cd44f8da99b518ec530bf8c0d5a04c7dbda |
SecurityTokenRegistry: | 0x26142ca417b712379f0e52ffa906492515db891a |
ModuleRegistry: | 0x4785fbc411af7afc407c1182ac1b67594af62afa |
CappedSTOFactory: | 0xb9e520dc268fd4af75b2aeab37b5e6eef810f872 |
EthDividendsCheckpointFactory: | 0xe8300d08eb5022d60ee6ff0947367cebc9f6b63c |
TORO V1.2.0 Token: | 0x2573D0946810da2C95B3A63cB4c8cc3aF0E95723 |
TORO V1.2.0 CappedSTO: | 0xCB1F57bf24b32466116eD5f359595a5BEba7A166 |
The smart contracts are written in Solidity and tested/deployed using Truffle version 4.1.0. The new version of Truffle doesn't require testrpc to be installed separately so you can just run the following:
# Install Truffle package globally:
$ npm install -g truffle
# Install local node dependencies:
$ npm install
To test the code simply run:
$ npm run test
Deploy ModuleRegistry
. ModuleRegistry
keeps track of all available modules that add new functionalities to
Polymath-based security tokens.
Deploy GeneralTransferManagerFactory
. This module allows the use of a general TransferManager
for newly issued security tokens. The General Transfer Manager gives STs the ability to have their transfers restricted by using an on-chain whitelist.
Add the GeneralTransferManagerFactory
module to ModuleRegistry
by calling ModuleRegistry.registerModule()
.
Deploy TickerRegistry
. This contract handles the registration of unique token symbols. Issuers first have to claim their token symbol through the TickerRegistry
. If it's available they will be able to deploy a ST with the same symbol for a set number of days before the registration expires.
Deploy SecurityTokenRegistry. This contract is responsible for deploying new Security Tokens. STs should always be deployed by using the SecurityTokenRegistry.
Security Token Offerings (STOs) grant STs the ability to be distributed in an initial offering. Polymath offers a few out-of-the-box STO models for issuers to select from and, as the platform evolves, 3rd party developers will be able to create their own offerings and make them available to the network.
As an example, we've included a CappedSTO
and CappedSTOFactory
contracts.
In order to create a new STO, developers first have to create an STO Factory contract which will be responsible for instantiating STOs as Issuers select them. Each STO Factory has an STO contract attached to it, which will be instantiated for each Security Token that wants to use that particular STO.
To make an STO available for Issuers, first, deploy the STO Factory and take note of its address. Then, call moduleRegistry.registerModule(STO Factory address);
Once the STO Factory has been registered to the Module Registry, issuers will be able to see it on the Polymath dApp and they will be able to add it as a module of the ST.
Note that while anyone can register an STO Factory, only those "approved" by Polymath will be enabled to be attached by the general community. An STO Factory not yet approved by Polymath may only be used by it's author.
The polymath-core repo follows the Solidity style guide.
FAQs
Polymath Network Core Smart Contracts
The npm package polymath-core receives a total of 22 weekly downloads. As such, polymath-core popularity was classified as not popular.
We found that polymath-core demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.