Algorand-Based DeFi ...

Algorand-Based DeFi Platform ‘Tinyman’ Exploited for $3 Million

By José Oramas January 05, 2022 In Crypto News, DeFi, Hackers

The DeFi space has already had its first breach this year as Tinyman, an Algorand-based decentralised trading platform, was hacked and drained for roughly US$3 million.

On January 1, Tinyman announced via its Twitter account that its platform had been compromised, saying it had pulled the remaining liquidity from Tinyman on the TINY token. The platform has advised its community to withdraw their funds as the exploit is ongoing:

Any lost funds after the next 24 hours (9 am UTC on the 4th of January) will be the responsibility of the users as there is nothing we can do to stop this event, the responsibility of the remaining assets are in the wallet owners' hands.
— tinyman.algo (@tinymanorg) January 3, 2022

How the Breach Took Place

As per the investigation, the attackers managed to exploit various vulnerabilities in the platform’s smart contracts, giving them access to various liquidity pools. They started interacting with the targeted pools and swapped a portion of their funds to acquire ASAs, causing price instability in the following hours.

The attacker exploits an unknown bug in the burning of pool tokens and receives two of the same assets instead of two different assets. This worked in favour of the attacker since the gobtc asset was significantly more valuable than ALGO, which they immediately swapped against ALGO to receive more funds to continue their attack.

Advertisement

Tinyman blog post

The team behind Tinyman said that they were unable to block ongoing transactions on the blockchain as the contracts are permissionless. The first step, however, was to pull all of the liquidity from all Tinyman contracts and return it once the platform is clear of any attacks.

2- The attack has been executed on multiple pools until now. The financial incentive for the attack varies from pool to pool so not all pools have been attacked.

As a trustless protocol Tinyman uses immutable contracts.
— tinyman.algo (@tinymanorg) January 2, 2022

Another Day, Another Hack

DeFi protocols are always at risk of suffering smart contract exploitations on their platforms, or similar attacks such as security breaches or DoS (Denial of Service). As expected, each platform’s token drops massively after the liquidity pools are drained, leaving a wide cut on investors’ pockets.

In December 2021, the crypto community saw DeFi marketplace MonoX hacked for US$31 million, one of the largest hacks in that month. Two months earlier, Indexed Finance suffered its first hack, with US$16 million drained out of their two pools.

Author

José Oramas

José is a journalist and translator with a keen interest in blockchain and cryptocurrencies.

Algorand-Based DeFi Platform ‘Tinyman’ Exploited for $3 Million

How the Breach Took Place

Another Day, Another Hack

José Oramas

You may also like

DeFi Platform Hacked for at Least $1,900,000 and Possibly More on Ethereum and Arbitrum Blockchains

Crypto Sleuth Alerts to Scammer Network Behind DeFi Protocols Including Magnate, Kokomo, Solfire, and Lendora

This Week on Crypto Twitter: SEC Targets Uniswap, Bitcoin Runes Stir Hype