Tadawul Market Cap: $2.9T ▲ +8.2% YoY | CMA Licensed Entities: 127 ▲ +14 in 2025 | SAMA Sandbox Participants: 43 ▲ +9 YTD | Saudi Fintech Investment: $1.2B ▲ +34% YoY | Sukuk Issuance Volume: $78.4B ▲ +12% YoY | Vision 2030 Financial Target: 24.5% GDP ▲ On Track | Digital Payment Adoption: 62% ▲ +7pp YoY | Fintech Licenses Issued: 82 ▲ +18 in 2025
Glossary

Smart Contracts

Self-executing programs deployed on distributed ledgers that automate the terms of tokenized securities — including profit distribution, redemption, compliance enforcement, and Sharia purification — subject to CMA security audit and Sharia board review requirements.

CMA Audit Requirement: Mandatory
Approved Auditors: 6 firms
Sharia Review: Required
Annual Re-Audit: Required

Definition

Smart contracts are self-executing programs deployed on distributed ledgers that automate the terms of tokenized securities — including profit distribution, redemption, compliance enforcement, and Sharia purification. In Saudi Arabia, smart contracts used for tokenized securities are subject to mandatory CMA security audit, Sharia board review, and annual re-audit requirements under the Securities Tokenization Standards.

How Smart Contracts Work in Tokenized Securities

A smart contract for a tokenized sukuk on Tadawul’s digital platform encodes the sukuk’s terms into executable code on R3 Corda. When predefined conditions are met — a profit distribution date arrives, a redemption trigger occurs, or a compliance threshold is breached — the smart contract executes automatically without human intervention.

Example: A tokenized ijarah (lease) sukuk smart contract:

  1. Issuance: Creates tokens representing fractional ownership, distributes to investors via Edaa
  2. Profit distribution: On each distribution date, calculates each holder’s share based on token balance, triggers SAR payment through payment token settlement
  3. Compliance enforcement: Before each trade, verifies buyer meets CMA investor classification requirements (QI, SQI, retail)
  4. Sharia monitoring: Continuously screens underlying asset pool against AAOIFI compliance criteria
  5. Redemption: At maturity, calculates face value per token, distributes redemption proceeds, burns tokens
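
The lifecycle above as an added, ledger-agnostic Python model (not Corda code and not taken from this page or from Tadawul). It covers issuance, the pre-trade classification gate, pro-rata distribution in integer halalas with no rounding loss, and burn on redemption. The eligibility set, class and method names, and sample holders are assumptions, and Sharia screening is left out.

```python
from dataclasses import dataclass, field

ELIGIBLE = {"QI", "SQI"}  # assumed rule for this sketch: retail may not hold this sukuk

@dataclass
class IjarahSukuk:
    face_value: int                               # per token, in halalas (1 SAR = 100)
    investor_class: dict                          # holder -> "QI" | "SQI" | "retail"
    balances: dict = field(default_factory=dict)  # holder -> token count

    def _check_eligible(self, holder):
        if self.investor_class.get(holder) not in ELIGIBLE:
            raise PermissionError(f"{holder} fails investor classification check")

    def issue(self, holder, tokens):
        self._check_eligible(holder)
        self.balances[holder] = self.balances.get(holder, 0) + tokens

    def transfer(self, seller, buyer, tokens):
        self._check_eligible(buyer)               # gate runs before any state change
        if tokens <= 0 or self.balances.get(seller, 0) < tokens:
            raise ValueError("invalid amount or insufficient balance")
        self.balances[seller] -= tokens
        self.balances[buyer] = self.balances.get(buyer, 0) + tokens

    def distribute(self, pool):
        """Pro-rata split of `pool` halalas; leftover units go to the largest remainders."""
        supply = sum(self.balances.values())
        if supply == 0:
            raise ValueError("no tokens outstanding")
        shares = {h: pool * b // supply for h, b in self.balances.items()}
        leftover = pool - sum(shares.values())    # units lost to floor division
        order = sorted(self.balances, key=lambda h: (-(pool * self.balances[h] % supply), h))
        for h in order[:leftover]:
            shares[h] += 1                        # deterministic, so every node agrees
        return shares

    def redeem(self):
        """At maturity: pay face value per token, then burn every token."""
        payouts = {h: b * self.face_value for h, b in self.balances.items()}
        self.balances = {h: 0 for h in self.balances}
        return payouts

def demo():
    # Constructed sample holders, not taken from any real issuance.
    s = IjarahSukuk(100_000, {"A": "QI", "B": "SQI", "D": "QI", "C": "retail"})
    for h in ("A", "B", "D"):
        s.issue(h, 1)
    return s.distribute(1000)
```

Floor division alone would pay 999 of the 1000 halalas here; an accuracy audit of profit distribution checks exactly this conservation property.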

Saudi Regulatory Requirements

The CMA’s Securities Tokenization Standards impose specific requirements on smart contracts:

Mandatory Audit: All smart contracts deployed in production for tokenized securities must undergo security audit by one of 6 CMA-approved auditors. The audit must include formal verification (mathematical proof of correctness), vulnerability assessment (testing against known attack vectors), and gas/computation optimization (ensuring efficient execution on R3 Corda).

Sharia Board Review: Smart contracts encoding Sharia-compliant instruments must receive Sharia board approval confirming that the code faithfully implements the underlying Islamic finance contract. This review verifies that profit distribution calculations are Sharia-compliant, prohibited transaction types are correctly blocked, and Sharia purification mechanisms function as designed.

Emergency Pause: All production smart contracts must include a pause function controllable by the CMA. In the event of a security vulnerability, market disruption, or enforcement action, the CMA can halt smart contract execution to protect investors.

Upgradability: Smart contracts must support upgrades without disrupting existing token holders. The proxy pattern (separating contract logic from data storage) is the Saudi Blockchain Lab-recommended architecture. Upgrades require CMA notification and, for material changes, re-audit.
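
The Emergency Pause and Upgradability requirements, sketched together as an added Python model (not Corda code, and not the Saudi Blockchain Lab's reference design). Storage lives in the proxy, logic is a swappable object, and pause and upgrade are held by separate roles. The role names, the `audit_ref` gate, and the `LogicV2` transfer cap are assumptions for illustration.

```python
class LogicV1:
    VERSION = 1
    ENTRY_POINTS = {"transfer"}          # only these names are callable through the proxy

    @staticmethod
    def transfer(state, seller, buyer, tokens):
        bal = state["balances"]
        if tokens <= 0 or bal.get(seller, 0) < tokens:
            raise ValueError("invalid amount or insufficient balance")
        bal[seller] -= tokens
        bal[buyer] = bal.get(buyer, 0) + tokens

class LogicV2(LogicV1):
    VERSION = 2                          # hypothetical upgrade: adds a per-transfer cap
    MAX_TRANSFER = 1_000

    @staticmethod
    def transfer(state, seller, buyer, tokens):
        if tokens > LogicV2.MAX_TRANSFER:
            raise ValueError("transfer exceeds cap")
        LogicV1.transfer(state, seller, buyer, tokens)

class TokenProxy:
    def __init__(self, logic, regulator, operator, balances):
        self.state = {"balances": dict(balances), "paused": False}  # storage stays here
        self.logic, self.regulator, self.operator = logic, regulator, operator
        self.events = []                 # append-only record for notification and audit

    def set_paused(self, caller, paused):
        if caller != self.regulator:     # pause authority is held by the regulator only
            raise PermissionError("only the regulator may pause or resume")
        self.state["paused"] = paused
        self.events.append(("paused" if paused else "resumed", caller))

    def upgrade(self, caller, new_logic, audit_ref):
        if caller != self.operator:
            raise PermissionError("only the operator may upgrade")
        if not audit_ref:                # assumed gate: no logic swap without an audit reference
            raise PermissionError("upgrade needs an audit reference")
        self.events.append(("upgraded", self.logic.VERSION, new_logic.VERSION, audit_ref))
        self.logic = new_logic           # only the logic pointer changes; state is untouched

    def call(self, name, *args):
        if self.state["paused"]:
            raise RuntimeError("contract is paused")
        if name not in self.logic.ENTRY_POINTS:
            raise AttributeError(f"{name} is not an entry point")
        return getattr(self.logic, name)(self.state, *args)
```

Upgrading is allowed while paused, which supports a pause, fix, resume sequence; the operator cannot lift the pause, and the regulator cannot swap the logic.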

Annual Re-Audit: Production smart contracts require annual re-audit to assess continued security against evolving attack vectors, verify compatibility with protocol updates, and confirm ongoing Sharia compliance of automated logic.

Smart Contract Functions in Saudi Tokenized Securities

Function | Description | Regulatory Requirement
Token issuance | Creates new tokens on behalf of issuer | CMA disclosure compliance
Transfer restriction | Blocks transfers to non-eligible investors | Investor protection framework
Profit distribution | Automated periodic payments to holders | Accuracy audit required
Redemption | Returns face value at maturity | Edaa settlement integration
Sharia screening | Real-time compliance checking | Sharia board approval
AML/CFT screening | Transaction monitoring triggers | FATF Travel Rule integration
Corporate actions | Dividend adjustments, splits | CMA notification
Emergency pause | Halt all operations | CMA-controlled

Smart Contracts and DeFi

While decentralized finance (DeFi) smart contracts operate permissionlessly on public blockchains, Saudi tokenized securities smart contracts are fundamentally different — they operate on permissioned R3 Corda, include regulatory compliance logic, and are controllable by the CMA. The Saudi Blockchain Lab has published research distinguishing “permissioned smart contracts” for regulated financial instruments from public DeFi protocols.

Three CMA sandbox participants are exploring DeFi-inspired smart contract functionalities — automated market making, programmable yield distribution, and collateralized lending — within the permissioned, regulated environment.

Smart Contract Research

The Saudi Blockchain Lab and Saudi university research programs contribute to smart contract standards:

  • KFUPM formal verification methodology for financial smart contracts — cited as an acceptable audit methodology under CMA standards
  • King Saud University automated Sharia compliance encoding for Islamic finance contracts
  • KAUST post-quantum cryptographic security for long-duration smart contracts

These academic contributions are directly integrated into the CMA’s regulatory process — KFUPM’s formal verification methodology is accepted as an approved audit standard, and King Saud University’s Sharia encoding research informs the Sharia board’s technical review of smart contract logic for Islamic finance instruments listed on Tadawul’s digital platform.

Further Reading

With 261 fintech companies operating in Saudi Arabia and the CMA having issued 68 capital market permits, smart contract development and auditing capacity continues to expand to meet growing institutional demand for automated securities infrastructure.

For glossary inquiries: info@sauditokenisation.com
