The new year didn’t ring well for the Algorand community, as the decentralized trading platform Tinyman built on the network was subject to an attack on 1 January, 2022. This followed a year of heightened theft that saw over $10 billion being lost to DeFi scams and hacks. In a new blog post, Tinyman has now detailed the fateful exploit that cost the DeFi platform an estimated $3 million.
The attacker was able to exploit some vulnerabilities in the network’s smart contracts that provided unauthorized access to pools from which they could extract tokens.
1- As many of you are aware an attack occurred on Tinyman Pools on January 1st/2nd.
The attack exploits a previously unknown bug in the contract and allows the attacker to withdraw assets from a pool that they are not entitled to.
— Tinyman (@tinymanorg) January 2, 2022
This “resulted in a drain of certain ASAs in the first hours of attack which led to increased volatility in the immediate aftermath,” Tinyman’s team noted, adding that further investigation into the attack was being carried out.
They did provide an early prognosis of the attack, which suggested that the first perpetrators activated their wallet addresses and deposited a seed fund for the hack. This was followed by carrying out transactions with the targeted pools, swapping some tokens, and minting some Pool Tokens.
The bug was exploited by burning the Pool Tokens, which allowed the hackers to receive two of the same assets instead of two different assets. The attackers continued to burn and swap over 17 transactions until they had stolen funds worth around $3 million at the time of withdrawal. The blog post added,
“The perpetrators’ next set of actions shows how they swapped over pools with stablecoins to extract most of the value and withdraw these assets to other on-chain wallets and recognized centralized exchanges.”
The network also noted that many other wallets were now exploiting this bug, warning that “those people can be held as culpable as the first attackers.”
All users were immediately asked to pull out their liquidity from all Tinyman related contracts since none of them can be reversed or paused due to the network’s fully decentralized structure. The remaining liquidity on the network stood at around $5 million, down from about $43 million earlier.
Due to recently found exploit, we have pulled liquidity from Tinyman on the TINY token – it has come to our attention that our liquidity pool could also be affected.
We advise anyone to pull their liquidity as well until we hear more about possible solutions.
— TinyChart (@tinychartorg) January 2, 2022
An asset recovery plan is yet to be announced by the team, which noted that it was in talks with law authorities and third-party applications that these wallet addresses had interacted with. However, one shouldn’t hold their breath over recovery considering how these assets are hardly ever reclaimed, unless the hacker turns out to be cooperative.
While victims of the $610 million Poly Network hack were lucky to have their funds returned, the anonymity and decentralization of the DeFi ecosystem make it relatively difficult to track down and prosecute such attackers. The rising trend of DeFi hacks and scams has inevitably spilled over from the last year and is only expected by many to augment further with time.