Tinyman Governance Audit Blog

Tinyman
Jul 25, 2024

At Tinyman, security and transparency are always at the forefront of our minds. We publish the source code of all of the contracts we deploy, along with technical documentation, so that any user of the protocol can independently understand and verify their workings. We understand, however, that most users do not have the interest or skills to verify these for themselves, so they look to trusted third parties for guidance. For each significant system that we deploy, we also commission an independent third-party review of the code and publish the reviewers' report on the process and their findings.

We believe third-party reviews are a critical part of the security, transparency, and decentralization objectives of this industry. However, we believe there is scope for alternative approaches to traditional audit firms that may be more effective for projects like Tinyman.

For the audit of the Tinyman Governance contracts, we decided to follow a peer review process with a diverse team of well-known expert Algorand developers. These developers all have a deep interest and understanding of both the technical and ecosystem context in which Tinyman Governance will operate.

The individuals involved in this audit were:

  • Erik Hasselwander and Mariano Dominguez — Vestige Labs
  • Gidon Katen — CTO of Folks Finance
  • Kevin Wellenzohn — Co-Founder of Blockshake/Defly
  • Steve Ferrigno (nullun) — a DevRel team member from the Algorand Foundation and an active Tinyman community member since the testnet launch
  • D13, a well-known Algorand community member, now working at the Algorand Foundation

The purpose of this audit process is multifold. First and foremost we wanted a review of our code to ensure we didn’t make any errors while designing and implementing the system.

Secondly, we wanted third-party validation that the code is an honest, good-faith implementation of the documented system. This included making sure the code was readable and independently verifiable. We appreciate that the Tinyman team is highly respected and trusted in this space, but one of the core tenets of our industry is Don't Trust, Verify. We believe this should be applied continuously to all projects in the space.

Finally, we wanted independent reviews of the current state of decentralization and adherence to the ethos of DeFi as presented in this system. This governance system represents a step on the path towards complete decentralization for the Tinyman project and we believe that it is important for all participants in the project and community to understand where we are on that path. For this reason, we specifically asked the review team to critically assess and report on the level of centralization and permissioned aspects of the current system.

The scope of the audit included the contracts written in Tealish, the generated Teal code and the documentation. It did not include any UIs or SDKs.

The process involved weekly meetings between the members of the review team and two members of the Tinyman development team over 6 weeks. During these meetings, the participants discussed code details, audit methodology, and findings to date. The process was explicitly non-competitive, and members shared their findings freely to stimulate discussion and investigation. At the end of the process, each team member produced a separate report documenting their approach to the audit and any findings and recommendations. Links to these are provided below.

The review team members were compensated (in USDC from Tinyman development funds) for the considerable time and effort that they put into this process.

We were pleased to note that no critical issues were identified but thankful for the recommendations on a number of low and informational issues. We responded to all issues raised in the reports and made changes based on the recommendations where it was deemed necessary and safe to do so without introducing new risks. A summary of all issues, recommendations and responses is linked below.

The comments from the reviewers undoubtedly helped improve the quality and clarity of the code and documentation. Their own documentation of their exploration of the code will also serve as a valuable guide for others who wish to understand the system in detail.

We would like to thank the review team members for their diligent efforts and for supporting this novel process. It is a testament to the strength and maturity of the Algorand development community that this process was possible and completed so professionally. We intend to follow this process for upcoming releases for Tinyman and hope that this can evolve into a robust decentralized review process as the project decentralizes further. We would also encourage other Algorand ecosystem projects to follow our lead on this.

Source Code & Specification Doc

The contract source code and documentation of the system covered in this audit are publicly available here: https://github.com/tinymanorg/tinyman-governance

Reports

Appendix: Summary of Findings & Responses

This doc summarizes the findings of all the reviewers and includes our responses and references to remediations where necessary.
