We are delighted to announce the completion and publication of the audit of Tinyman’s contracts by Runtime Verification.
We engaged Runtime Verification early in the development process to get feedback on our contracts' design, and once our code was finalized we began a formal review. The scope of the audit covered the Pool Logic Signature Template (a stateless TEAL smart contract template, instantiated once per pool) and the Validator Application (a stateful TEAL smart contract). The contracts were first reviewed at a high level for business logic, to confirm that the AMM was implemented correctly and as documented. They were then reviewed in detail at the TEAL level to check the code for correctness and for vulnerabilities.
The reviewers identified some important issues during this process and made a number of code improvement suggestions. Our team addressed these issues and a second-round audit was conducted to ensure the correctness of the updates.
We would like to highlight some of the summary points from the audit report (pages 2 and 3):
- The validator application (whose logic is given in validator_approval.teal and validator_clear_state.teal) is immutable once deployed, as the application’s “update” and “delete” operations are disallowed by the contract’s logic (regardless of the sender).
- The pool’s logic (given in pool_logicsig.tmpl.teal) ensures that the liquidity asset of any pool created through the protocol’s bootstrapping process is not revocable or freezable, and is not centrally managed by any account.
- There is no mechanism for any account (including the validator application Creator account) to close out a pool or remove funds from a pool.
Together these points are what make the Tinyman AMM contracts permissionless and trustless: no account, including Tinyman's own, can change the deployed logic, freeze or claw back liquidity tokens, or withdraw funds from a pool.
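The second point above is one that anyone can verify for themselves against a live pool, because it is a property of the liquidity asset's on-chain parameters rather than of the contract source. The following is an added example, not code from the Tinyman repository or from the audit report: it takes the asset parameters in the shape returned by algod's `GET /v2/assets/{asset-id}` endpoint (the `params` object with kebab-case keys, which is an assumption about the API shape) and reports whether any account still holds manager, freeze or clawback authority over the asset. The sample inputs are constructed inline, not fetched from chain.

```python
"""Check that an Algorand Standard Asset has no freeze, clawback or manager
authority, i.e. the property the audit states for Tinyman liquidity assets.

Added example, not part of the Tinyman code base or the audit report. It assumes
the asset parameters are a dict in the shape of algod's GET /v2/assets/{asset-id}
"params" object (kebab-case keys); the sample inputs below are constructed.
"""
import base64

# Fields that confer control over an ASA. "reserve" is deliberately absent:
# it is informational only and grants no authority over holders' balances.
CONTROL_FIELDS = ("manager", "freeze", "clawback")


def address_is_unset(addr) -> bool:
    """True if an address field is absent, empty, or encodes the zero public key.

    Algorand addresses are base32 of (32-byte public key || 4-byte checksum).
    The zero address therefore decodes to 32 zero bytes; comparing the decoded
    key avoids hard-coding the zero-address string or computing its checksum.
    """
    if not addr:
        return True
    if len(addr) != 58:
        raise ValueError(f"malformed address: {addr!r}")
    raw = base64.b32decode(addr + "=" * 6)  # 58 chars + 6 pad -> 36 bytes
    return raw[:32] == bytes(32)


def control_addresses(params: dict) -> dict:
    """Return {field: address} for every control field that is still set."""
    return {
        f: params.get(f)
        for f in CONTROL_FIELDS
        if not address_is_unset(params.get(f))
    }


def is_uncontrolled(params: dict) -> bool:
    """True if no account can freeze, claw back or reconfigure the asset."""
    return not control_addresses(params)


def _fake_address(byte_value: int) -> str:
    # Constructed 58-char address-shaped string for the samples. The 4-byte
    # checksum is NOT valid; this check only looks at the public-key bytes.
    return base64.b32encode(bytes([byte_value]) * 32 + b"\x00" * 4).decode().rstrip("=")


ZERO_ADDRESS_LIKE = _fake_address(0)  # decodes to 32 zero bytes, i.e. "unset"

# Constructed sample: what a compliant pool liquidity asset looks like.
SAFE_POOL_TOKEN = {
    "total": 2**64 - 1, "decimals": 6, "unit-name": "TMPOOL",
    "creator": _fake_address(1),
    # manager / freeze / clawback omitted entirely: no authority exists
    "reserve": _fake_address(1),  # reserve carries no control rights
}

# Constructed sample: an asset an operator could still freeze or claw back.
UNSAFE_TOKEN = {
    "total": 1_000_000, "decimals": 0, "unit-name": "BAD",
    "creator": _fake_address(2),
    "manager": ZERO_ADDRESS_LIKE,  # explicit zero address also counts as unset
    "freeze": _fake_address(2),
    "clawback": _fake_address(2),
}

if __name__ == "__main__":
    for name, p in (("SAFE_POOL_TOKEN", SAFE_POOL_TOKEN), ("UNSAFE_TOKEN", UNSAFE_TOKEN)):
        held = control_addresses(p)
        print(name, "OK" if not held else f"controlled via {sorted(held)}")
```

Against a real pool you would fetch the liquidity asset's parameters from a node, pass the `params` object to `is_uncontrolled`, and expect `True`; a result of `False` names exactly which authority is still held. Note that the check looks only at the public-key bytes and does not validate the address checksum, and that it says nothing about the validator application's immutability, which has to be established from the TEAL itself as the audit did.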
We would like to thank the Runtime Verification team for their insightful comments and suggestions that have helped improve the Tinyman AMM protocol. We look forward to working with Runtime Verification again in the future as we continue the development of Tinyman.
The audit report can be found here in Runtime Verification’s repository.
The contracts referred to by this audit report are published on Tinyman’s Github here.