Smart contract security
The TRAT token contract is the anchor of the whole ecosystem, and it's intentionally boring. No upgradeable proxy layer. No admin functions that can move, mint, or burn user tokens. No pausing mechanism. Just a standard ERC-20 built from well-audited patterns, compiled with a recent Solidity version and published under the MIT license. Because the source is verified as an exact match on Etherscan, each of those claims can be checked against the deployed bytecode rather than taken on trust.
Contract identifiers
| Field | Value |
|---|---|
| Current contract | 0x35bC519E9fe5F04053079e8a0BF2a876D95D2B33 |
| Compiler | Solidity v0.8.26+commit.8a97fa7a |
| License | MIT |
| Standard | ERC-20 (EIP-20) |
| Verification | Exact Match on Etherscan |
| Source mirror | github.com/TratokToken/smart-contracts |
Deprecated contracts
Two earlier contract versions exist on-chain, labelled "Old Tratok Token." They remain visible as historical reference but should never be transacted with today. If a wallet, DEX, or exchange shows "TRAT" at one of these addresses, it is not the active token:
- 0x0cbc9b02b8628ae08688b5cc8134dc09e36c443b (v1)
- 0xe225aca29524bb65fd82c79a9602f3b4f9c6fe3f (v2)
Bridge security
The Tratok Bridge uses a lock-and-mint architecture between Ethereum and Binance Smart Chain. Every wTRAT in circulation is backed 1:1 by TRAT locked in the Ethereum-side vault — a supply conservation invariant that can be verified on-chain at any time.
Custody model
- Multi-sig: no single relayer can unilaterally mint or release funds
- Observable relayer set: every relayer's address is public
- Supply invariant: wTRAT on BSC ≤ TRAT locked in Ethereum vault
- Audited: the bridge landing page states "Secured by smart contract · Audited & verified"
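One way to check the supply invariant above against live nodes, as an added example here and not the bridge's own code. Only the TRAT token address comes from this page; the vault address, the wTRAT contract address and the RPC replies are constructed placeholders so the script runs offline. To run it for real, replace the two fakes with a function that POSTs the request dict to an Ethereum and a BSC JSON-RPC endpoint. The selectors are the standard ERC-20 ones (`balanceOf(address)`, `totalSupply()`).

```python
"""Offline check of the bridge supply invariant:
wTRAT total supply on BSC must not exceed TRAT held by the Ethereum vault.

Added example, not Tratok's code. Only the TRAT token address is from the
security page; the vault and wTRAT addresses and the RPC replies are
constructed placeholders for an offline run.
"""

TRAT = "0x35bC519E9fe5F04053079e8a0BF2a876D95D2B33"  # active TRAT contract (from the page)
VAULT = "0x" + "11" * 20   # assumed: Ethereum-side vault holding locked TRAT
WTRAT = "0x" + "22" * 20   # assumed: wTRAT contract on BSC

# Function selectors: first 4 bytes of keccak256 of the canonical signature.
SEL_BALANCE_OF = "70a08231"    # balanceOf(address)
SEL_TOTAL_SUPPLY = "18160ddd"  # totalSupply()

HEX = set("0123456789abcdef")


def encode_address(addr: str) -> str:
    """ABI-encode one address argument: 20 bytes left-padded to a 32-byte word."""
    raw = addr.lower().removeprefix("0x")
    if len(raw) != 40 or not set(raw) <= HEX:
        raise ValueError(f"malformed address: {addr}")
    return raw.rjust(64, "0")


def uint256_word(n: int) -> str:
    """ABI-encode a uint256 as a 32-byte word (used here to build fake RPC replies)."""
    if not 0 <= n < 2**256:
        raise ValueError("out of uint256 range")
    return format(n, "064x")


def decode_uint256(result_hex: str) -> int:
    """Decode a single-word eth_call result; anything else is treated as malformed."""
    body = result_hex.lower().removeprefix("0x")
    if len(body) != 64 or not set(body) <= HEX:
        raise ValueError(f"expected one 32-byte word, got {result_hex!r}")
    return int(body, 16)


def eth_call(to: str, data: str, request_id: int = 1) -> dict:
    """JSON-RPC eth_call request against the latest block."""
    return {"jsonrpc": "2.0", "id": request_id, "method": "eth_call",
            "params": [{"to": to, "data": "0x" + data}, "latest"]}


def check_supply_invariant(send_eth, send_bsc) -> dict:
    """send_eth / send_bsc: callables that POST a JSON-RPC request dict to the
    respective chain and return the response dict. Returns both figures and
    whether the invariant (minted <= locked) holds."""
    locked_resp = send_eth(eth_call(TRAT, SEL_BALANCE_OF + encode_address(VAULT), 1))
    minted_resp = send_bsc(eth_call(WTRAT, SEL_TOTAL_SUPPLY, 2))
    for resp in (locked_resp, minted_resp):
        if "error" in resp:  # a node error is not evidence either way: fail loudly
            raise RuntimeError(f"rpc error: {resp['error']}")
    locked = decode_uint256(locked_resp["result"])
    minted = decode_uint256(minted_resp["result"])
    return {"locked_trat": locked, "minted_wtrat": minted, "holds": minted <= locked}


# --- Constructed stand-ins for live RPC nodes --------------------------------
ONE_TRAT = 10**18  # assumed 18 decimals, for the demo only


def fake_rpc(expected_to: str, expected_data: str, value: int):
    """Return a sender that checks the request shape and answers with `value`."""
    def send(req: dict) -> dict:
        call = req["params"][0]
        if call["to"] != expected_to or call["data"] != "0x" + expected_data:
            return {"jsonrpc": "2.0", "id": req["id"], "error": "unexpected call"}
        return {"jsonrpc": "2.0", "id": req["id"], "result": "0x" + uint256_word(value)}
    return send


eth_ok = fake_rpc(TRAT, SEL_BALANCE_OF + encode_address(VAULT), 1_000_000 * ONE_TRAT)
bsc_ok = fake_rpc(WTRAT, SEL_TOTAL_SUPPLY, 999_500 * ONE_TRAT)     # fully backed, some in flight
bsc_bad = fake_rpc(WTRAT, SEL_TOTAL_SUPPLY, 1_000_001 * ONE_TRAT)  # more minted than locked

if __name__ == "__main__":
    print(check_supply_invariant(eth_ok, bsc_ok))
    print(check_supply_invariant(eth_ok, bsc_bad))
```

The two chains cannot be read at one atomic instant, so minted slightly below locked is normal while transfers are in flight; minted above locked is the signal that the lock-and-mint invariant has been broken and is what the `holds` flag reports.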
Bridge risk is real
Cross-chain bridges are historically among the highest-risk components in the crypto stack — several major bridges have suffered multi-hundred-million-dollar exploits across the industry. The Tratok Bridge uses a well-studied pattern (lock-and-mint + multi-sig) but no bridge design eliminates systemic risk entirely. Move amounts you're comfortable with, and consider batching to minimise exposure windows.
Bug bounty programme
Tratok operates an ongoing, funded bug bounty programme. Security researchers are invited to probe the full stack under responsible-disclosure rules.
In scope
Smart contracts
- TRAT token contract
- Bridge vault + minter
- Booking escrow contracts
- Any auxiliary production contracts deployed by Tratok Holding Limited
Web / platform surfaces
- tratok.com
- hospitality.tratok.net
- developer.tratok.net
- corporate.tratok.net
- bridge.tratok.com
Infrastructure
- API endpoints (Tratok Labs)
- Authentication surfaces
- Wallet integration flows
Out of scope
- Third-party services (Etherscan, BitMart, etc.)
- Social-engineering of staff
- Denial-of-service attacks
- Physical security
- Issues in deprecated contract versions
How to report
- Don't publicly disclose. Submit privately first.
- Email security@tratok.com with a clear write-up: affected component, impact, steps to reproduce, proof-of-concept.
- If the issue involves a smart-contract exploit, include on-chain evidence (tx hash, block number, replay steps).
- Wait for acknowledgement (targeted 48 hours) and coordinate disclosure timing.
Rewards
Rewards are severity-graded and paid in TRAT at the market price at the time of payout. Severity is scored along CVSS lines (with CWE used to classify the weakness type) plus crypto-specific criteria, e.g., the ability to move or drain user funds is always critical. Payouts vary with impact and with the quality of the report.
What we ask
- No unauthorised access to systems you don't have the right to test
- No data exfiltration beyond the minimum needed to prove the issue
- Don't disclose before we've had a reasonable window to respond and fix
- One report per issue (keep the thread clean)
- Sign reports with a consistent PGP key or Keybase identity if you'd like us to build trust over time
Good faith gets you far
Researchers acting in good faith will never be pursued legally for in-scope testing. We've built this programme because we value the community that keeps us honest.
Wallet safety for TRAT holders
The most common way crypto holders lose funds isn't smart-contract bugs — it's social engineering, phishing, and key mismanagement. A short checklist:
1. Verify the contract address, every time
The current active TRAT contract is 0x35bC519E9fe5F04053079e8a0BF2a876D95D2B33. When adding TRAT to a wallet, swapping on a DEX, or approving an allowance, always cross-check against Etherscan. Compare the full 40 hex characters, not just the first and last few: address-poisoning scams rely on look-alike addresses that match only at the ends.
2. Protect your seed phrase
- Never type your seed phrase into a website, form, or chat
- Never share it with "support staff" — no legitimate service asks for it
- Store it offline (paper, metal backup) in a secure location
- Consider a hardware wallet (Ledger, Trezor) for significant balances
3. Beware of impersonators
Scammers frequently impersonate crypto projects on Telegram, X/Twitter, and Discord. Tratok team members will never DM you first offering help, asking for wallet addresses, seed phrases, or "verification" transactions. If anyone claims to be Tratok support and messages you first, they aren't.
4. Check allowances regularly
When you approve a smart contract to spend your tokens (for swaps, bridges, etc.), the allowance can persist indefinitely. Tools like revoke.cash or Etherscan's token approval checker let you review and revoke unused approvals.
5. Only use official domains
These are the only official Tratok properties:
- tratok.com · main site
- tratok.info · this info repository
- hospitality.tratok.net · operator platform
- developer.tratok.net · developer portal
- corporate.tratok.net · corporate desk
- bridge.tratok.com · cross-chain bridge
Anything else claiming to be "Tratok" is suspect. Typosquats like tratok-io, tratoks, tratokswap, etc. are common phishing patterns.
6. Simulate before you sign
Modern wallets (MetaMask, Rabby) preview the effects of a transaction before you sign. Read the preview. If it's trying to transfer far more than you expected or grant unlimited allowances to an unknown address, reject.
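An independent cross-check of what steps 1, 4 and 6 ask you to look at, as an added example here and not Tratok's code nor how MetaMask or Rabby implement their previews: decode the ERC-20 calldata a wallet is about to sign, confirm the target is the active TRAT contract rather than a deprecated one, and flag unlimited or larger-than-expected allowances and transfers. The contract addresses are the ones on this page; the trusted router, the unknown address and the three sample transactions are constructed.

```python
"""Pre-signing review of an ERC-20 call: decode the calldata, check the
target contract, and flag unlimited or unexpected allowances and transfers.

Added example, not Tratok's code and not a wallet's own preview logic.
Contract addresses are from the security page; DEX_ROUTER, UNKNOWN and the
sample transactions are constructed.
"""
from typing import Optional

TRAT = "0x35bC519E9fe5F04053079e8a0BF2a876D95D2B33".lower()
DEPRECATED = {
    "0x0cbc9b02b8628ae08688b5cc8134dc09e36c443b",  # Old Tratok Token v1
    "0xe225aca29524bb65fd82c79a9602f3b4f9c6fe3f",  # Old Tratok Token v2
}
UINT256_MAX = 2**256 - 1

# selector -> (function name, ((arg name, type), ...)); selector = keccak256(sig)[:4]
SELECTORS = {
    "095ea7b3": ("approve", (("spender", "address"), ("amount", "uint256"))),
    "a9059cbb": ("transfer", (("to", "address"), ("amount", "uint256"))),
    "23b872dd": ("transferFrom", (("from", "address"), ("to", "address"), ("amount", "uint256"))),
}


def decode_calldata(data: str) -> dict:
    """Split calldata into selector + 32-byte ABI words; reject anything malformed."""
    body = data.lower().removeprefix("0x")
    if len(body) < 8 or body[:8] not in SELECTORS:
        raise ValueError(f"unknown or truncated selector in {data[:10]!r}")
    name, params = SELECTORS[body[:8]]
    args = body[8:]
    if len(args) != 64 * len(params):  # exact fit: no missing or trailing bytes
        raise ValueError(f"{name}: expected {len(params)} words, got {len(args) / 64}")
    decoded = {}
    for i, (arg_name, typ) in enumerate(params):
        word = args[64 * i: 64 * (i + 1)]
        if typ == "address":
            if word[:24] != "0" * 24:  # upper 12 bytes of an address word must be zero
                raise ValueError(f"{arg_name}: non-zero padding in address word")
            decoded[arg_name] = "0x" + word[24:]
        else:
            decoded[arg_name] = int(word, 16)
    return {"function": name, "args": decoded}


def review_tx(tx: dict, trusted_spenders: set, expected_amount: Optional[int] = None) -> dict:
    """tx: {"to", "value", "data"} as the wallet shows it. Returns the decoded
    call, a list of warnings, and a verdict of 'sign' only if nothing was flagged."""
    warnings = []
    to = tx["to"].lower()
    if to in DEPRECATED:
        warnings.append("target is a deprecated Old Tratok Token contract")
    elif to != TRAT:
        warnings.append("target is not the active TRAT contract")
    if tx.get("value", 0) != 0:
        warnings.append("ERC-20 calls carry no ETH; non-zero value is suspicious")
    call = decode_calldata(tx["data"])
    args = call["args"]
    if call["function"] == "approve":
        if args["amount"] == UINT256_MAX:
            warnings.append("unlimited allowance requested")
        elif expected_amount is not None and args["amount"] > expected_amount:
            warnings.append("allowance exceeds the amount you meant to approve")
        if args["spender"] not in {s.lower() for s in trusted_spenders}:
            warnings.append(f"spender {args['spender']} is not on your allow-list")
    elif expected_amount is not None and args["amount"] > expected_amount:
        warnings.append("transfer amount exceeds what you expected")
    return {"call": call, "warnings": warnings, "verdict": "reject" if warnings else "sign"}


# --- Constructed sample transactions ------------------------------------------
def addr_word(addr: str) -> str:
    return addr.lower().removeprefix("0x").rjust(64, "0")

def uint_word(n: int) -> str:
    return format(n, "064x")

def calldata(selector: str, *words: str) -> str:
    return "0x" + selector + "".join(words)

DEX_ROUTER = "0x" + "ab" * 20  # assumed: a router you have vetted
UNKNOWN = "0x" + "cd" * 20     # assumed: an address you have never seen
ONE_TRAT = 10**18              # assumed 18 decimals, for the demo only

# Phishing-style request: unlimited approval to an unknown spender.
TX_UNLIMITED = {"to": TRAT, "value": 0,
                "data": calldata("095ea7b3", addr_word(UNKNOWN), uint_word(UINT256_MAX))}
# Exact allowance to a vetted router: what a careful swap approval looks like.
TX_EXACT = {"to": TRAT, "value": 0,
            "data": calldata("095ea7b3", addr_word(DEX_ROUTER), uint_word(500 * ONE_TRAT))}
# Transfer aimed at the v1 contract: wrong token entirely.
TX_OLD = {"to": "0x0cbc9b02b8628ae08688b5cc8134dc09e36c443b", "value": 0,
          "data": calldata("a9059cbb", addr_word(UNKNOWN), uint_word(ONE_TRAT))}

if __name__ == "__main__":
    for tx in (TX_UNLIMITED, TX_EXACT, TX_OLD):
        print(review_tx(tx, {DEX_ROUTER}, expected_amount=500 * ONE_TRAT))
```

The exact-fit length check matters: wallets decode only the words a function declares, so trailing bytes or a selector collision can make a preview look benign while the contract on the other end reads something else. The `expected_amount` argument is the number you had in mind before opening the wallet; deciding it first and comparing afterwards is the habit that catches an inflated figure.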
Incident response
If a security-relevant event happens on the Tratok platform, Tratok Holding Limited publishes a post-mortem describing what happened, what was affected, what's been done, and what's changing. We'd rather be early and transparent than quiet and late.
Security contact
For vulnerability reports: security@tratok.com · 48-hour response target · PGP key available on request.
For general security questions (not vulnerability reports): post on the Telegram or Reddit community channels.
