Security and Audits

Trust-minimized architecture, Certora audits, and risk disclosures

Security on Umia starts at the architecture, not at a policy. The system is designed so that the answer to "what if the team goes rogue?" is structural: the team never has custody or unilateral control of funds, disbursements follow rules, and strategic decisions are validated by markets before they execute. Everything else on this page (audits, disclosure, operational hygiene) builds on that foundation.

Trust-Minimized by Design

  • Noncustodial treasury. Auction proceeds live in an onchain treasury contract. The operating team draws a pre-approved monthly budget; anything beyond it requires a governance decision. There is no admin path from the team to the funds.
  • Rule-based disbursements. Payments and unlocks (including team vesting via MetaVesT) execute according to onchain schedules and conditions, not discretion.
  • Market-validated decisions. Strategic actions pass through decision markets before execution, and a resolved decision binds the team legally (see the Legal Framework). Even governance itself is not a trust-me system.

Audits

Umia's smart contracts are audited by Certora, Umia's primary security partner and one of the leading security firms in the industry.

Certora Security Assessment (April 2026)

Certora performed a manual, line-by-line review of Umia's full contract surface from March 6 to April 8, 2026: the Hub and launch contracts, the auction and its migration into Uniswap v4, the treasury with its allowance and disbursement logic, decision-market settlement and its TWAP oracle, governance execution, and vesting. The assessment combined design-level threat modeling against the protocol's core invariants (funds move only through resolved markets or pre-configured disbursements, winning outcomes are determined correctly from the TWAP, supply changes only through governance, access controls cannot be bypassed) with implementation analysis, and concluded with a follow-up review of the applied fixes.

At a high level:

  • 20 findings: no critical, 2 high, 5 medium, 11 low, 2 informational.
  • 17 of the 20 are fixed, with the fixes verified by Certora in a follow-up review. Both high-severity issues (settlement-related) are among the fixed and verified.
  • The remaining 3 are acknowledged: accepted-risk items tied to trust assumptions the protocol already discloses by design, including the platform-level owner role that sits behind early-phase supervision (see Noncustodial Treasury).

Umia Extension and zkTLS Security

The Umia Extension generates eligibility proofs client-side, built on the Reclaim Protocol. What the proof guarantees: that a specific criterion was verified against a live TLS session with the data source. What it doesn't do: credentials, account contents, and identity never leave the participant's browser, are never linked to the wallet onchain, and are never held by Umia or the project.

Risk Disclosures

Smart contracts can have bugs, audits reduce risk but don't eliminate it; token markets carry market and liquidity risk; and decision markets are an experimental governance mechanism whose behavior at scale is still being proven. Projects launching on Umia and participants interacting with them should understand all three. This section pairs with the legal disclosures in the launch documents; nothing here is a guarantee of safety or performance.

Operational Security for Founders

The architecture removes custody risk from your community, but founders still hold keys that matter: the Operator signing key, and your multisig signers.

  • Use hardware signers for every multisig participant; pick a signer count and threshold that survive one lost or compromised key.
  • Treat the wallet that signed your legal pack as high-value: it's your identity as Operator.
  • Phishing will target your launch: fake extensions, fake CLI packages, fake auction pages. Link only from your official channels, verify the extension ID, and assume anything DMed to you is hostile.
  • Rotate and document access when team members change; the SubCo's records obligations make this a legal matter, not just hygiene.

Reporting Vulnerabilities

If you discover a potential vulnerability in Umia's smart contracts or platform, please contact the team at security@umia.finance.

Responsible Disclosure

Responsible disclosure is appreciated and may be eligible for a bug bounty.