Tinyman Governance Audit

Tinyman, which is the biggest decentralized exchange (DEX) on the Algorand blockchain, tasked us to audit their upcoming governance system. With this new system, Tinyman gradually hands over control of the Tinyman platform to their users, who will be able to vote on measures put forth by other community members. Users, called governors, receive newly minted TINY governance tokens that determine their voting power, also called TINY power.

Traditionally, well-known security auditors like Runtime Verification or Kudelski Security are hired to do a comprehensive security analysis of such systems before they are deployed. This time, Tinyman instead has decided to task a group of well-known developers in the Algorand ecosystem to audit their governance system for two reasons: (1) established auditors are very expensive, and (2) Algorand is a small ecosystem with novel technology that is not well known/understood by security auditors. Tinyman’s approach resembles more the peer reviewing process that is common in academia, where suitable researchers check the quality of the submitted work before it is published.

Our task was to review the proposed governance system, which consists of four smart contracts written in the Tealish smart contract language, and to summarize our findings in an audit report. After a thorough review we did not find any security-relevant issues in the code, though we made a number of informational findings for which we recommended ways to improve the code. For details, I’d encourage readers to look at the report.

In the past we did blackbox testing of smart contracts and found bugs that led to bug bounties, but this was the first time that a company hired us to do a proper code audit. I would like to applaud Tinyman for being open-minded and choosing this peer reviewing process. While we are not trained auditors, I still believe that Tinyman’s decision to choose its peers as auditors makes a lot of sense.

Resources: