Cover Image for Securing Canton: What Institutional Smart Contract Audits Actually Catch
Cover Image for Securing Canton: What Institutional Smart Contract Audits Actually Catch
Avatar for QuillAudits Events
Presented by
QuillAudits Events

Securing Canton: What Institutional Smart Contract Audits Actually Catch

Virtual
Registration
Past Event
Welcome! To join the event, please register below.
About Event

Canton has quietly become the settlement layer for institutional finance. Over 600 institutions are now on the network, with roughly 6 trillion dollars in tokenized assets moving across it. Broadridge settles more than 350 billion dollars in daily repo on Canton, DTCC is tokenizing US Treasuries there, and JPMorgan is bringing JPM Coin onto the network in phases through 2026. HSBC, Goldman Sachs, BNP Paribas, Euroclear, and Lloyds are all live or piloting.

All of that value runs on Daml, not Solidity. And that changes what an audit has to look for. A decade of Ethereum security tooling, the static analyzers, the fuzzers, the standard checklists, was built for a different model and mostly does not apply. Daml removes entire classes of EVM bugs by design: no reentrancy, no gas, no delegatecall. That is exactly what lulls teams into assuming Canton contracts are safe by construction. The risk did not disappear. It moved to an attack surface most audit tools were never built to see.

A valid authorization confirms who is allowed to act. It says nothing about whether a specific mint, burn, whitelist change, or contract upgrade should have been allowed. On Canton, that question is answered structurally, inside the contract's own authorization model, and it is the single most overlooked layer in institutional deployments.

In this Space, Anu breaks down what institutional Daml audits actually catch, with real examples:

  • The authorization model. Signatory and controller design, and the critical bug pattern where a bilateral action like settlement, transfer, or upgrade is modeled with a single controller when the business requires two-party agreement.

  • Privacy and disclosure leaks. How observer lists, divulgence, and interface usage can quietly expose who holds what, position sizes, or counterparty identity, and why a wrong observer list on a tokenized bond can hand your book to a competitor.

  • Business logic and invariant gaps. Ensure clauses that do not fully constrain state, contract-key assumptions that break under concurrency, and choices that can be exercised in an unintended order.

  • Composability risk on the Global Synchronizer. Why a contract that is correct in isolation can behave differently when it settles atomically against another app: a tokenized Treasury as collateral, a deposit token as the payment leg, a repo platform for financing, all in one privacy-preserving transaction.

  • Where the audit ends and monitoring begins. Signer anomalies, governance proposals, timelock changes, and unusual admin activity after go-live.

Who this is for

Risk, compliance, and digital-asset teams at banks and financial institutions issuing or servicing tokenized assets, deposit tokens, or settlement apps on Canton. Daml developers, protocol leads, and security engineers moving from EVM into Canton. Anyone responsible for a live or upcoming Canton deployment who needs to know what a real institutional audit looks for before go-live.

Speaker: Anu, Senior Smart Contract Auditor at QuillAudits.

About QuillAudits

QuillAudits is a leading blockchain security firm with 1,500+ audits across chains and architectures. We go beyond checklist reviews with multi-layer, attacker-minded validation, economic attack-vector analysis rather than code review alone, plus continuous monitoring for signer anomalies, governance changes, and admin-function activity after launch.

Avatar for QuillAudits Events
Presented by
QuillAudits Events