Tinyman Consensus Audit | Kevin Wellenzohn

In a previous engagement, Tinyman – a decentralized exchange on Algorand – hired us to audit their governance system. This time, Tinyman tasked us to audit their new consensus initiative, which is based on Algorand’s new node running program.

The Algorand blockchain consists of a distributed network of permissionless nodes where node runners can freely join at any time. Algorand is a proof-of-stake network where one’s ALGO holdings determines the probability to propose the next block. To incentive people to run nodes, Algorand switches to a new system of consensus rewards where a node receives a small financial reward (ALGO tokens) each time it is randomly (but verifiably) chosen by the network to propose the next block. Since the network topology plays an important role for the health of the network, the incentives are structured as to avoid too few big nodes (centralization risk) and many low-quality nodes that may be unreliable.

Tinyman’s consensus initiative allows ALGO holders to participate in consensus and earn a reward, which requires them to keep their ALGO on a node, while still remaining liquid, meaning that they can still use their ALGO to buy things, etc. They achieve this by releasing a new token tALGO that can be traded just like any other token.

Our task was to audit the contract that mints and burns tALGO tokens, i.e., that puts tALGOs in and out of circulation. Like last time, the code review was done in a peer reviewing manner where besides us also other engineers in the Algorand ecosystem audited the same code.

We found several critical problems in the contract that could be used to steal and/or lock users’ ALGO. Granted, it required elevated permissions (an admin account) to exploit these vulnerabilities, but not even an administrator should be able to steal/lock funds in such an application. Tinyman reacted swiftly and professionally to fix these issues.

Tinyman has an outstanding engineering team and they have yet again proven that they care deeply about their users’ security by running such a peer-reviewed security audit.

Resources: