Lessons From The Attack On Tinyman, Largest DEX On Algorand

Lessons From The Attack On Tinyman, Largest DEX On Algorand

Table of Contents

Read Time: 4 minutes

Crypto hacks continue in 2022 as hackers attack vulnerabilities within different networks, adding to millions of stolen assets. The Algorand community began the year on a sour note following an attack on their decentralized exchange that led to the loss of about $3 million worth of assets.

According to reports, on January 1, 2022, unauthorized users attacked Tinyman, a decentralized financial platform built on Algorand. The event was done in four separate attacks, allowing the hackers to steal about $3 million from pools within the protocol.

A report by Tinyman showed that four accounts were compromised, which affected about 250 users with holdings in goBTC and goETH. Forty-three pools were affected by 360 malicious activities carried out by 13 unique addresses.

Notably, the attackers activated their wallet addresses which allowed them to deposit a seed fund for the attack. Additionally, these individuals reportedly breached previously unknown vulnerabilities on Tinyman’s smart contract. This allowed them to get two of the same tokens, which they then proceeded to swap some of the assets and minted pool tokens.

The attacks reportedly favored the unauthorized users because the goBTC asset was more valuable than the ALGO token they swapped against to receive more funds. In addition, the attackers also swapped pools with stablecoins before withdrawing the assets to other wallets and centralized exchanges.

As a trustless and permissionless protocol, Tinyman notably uses immutable contracts, making it impossible for the exchange to fix the vulnerabilities and stop the attack quickly. However, as a result, they could only advise their users not to use the platform as they worked on fixing the problem.

As the Tinyman team continues to investigate the incidence, a few key areas need to be addressed. These include:

Importance of Audits

Given the increased numbers of fraud cases and crypto-related attacks within DeFi and the overall cryptocurrency market, the need for checks systems and accountability cannot be emphasized enough. 

Last year in November, Elliptic, a global crypto management risk company, conducted research showing that over $10.5 billion worth of assets were lost from DeFi in 2021 due to hacks and other attacks on networks and protocols. 

Furthermore, DeFi related hacks accounted for 76% of all major hacks in 2021. According to the report, the trustless nature of Decentralized applications (DApps) within DeFi is both a blessing and a curse. Being trustless eliminates any third-party control of users’ funds. However, users are forced to trust that the creators of the protocols in question did not make any mistakes in the coding or design that could allow an attack on the system.

Audits allow trusted entities to check for vulnerabilities with the codes and structural design of a project, increasing overall security. Audits should be carried out constantly to keep up with the sophisticated and new techniques hackers use to attack systems. While Tinyman had reportedly undergone an audit, a recent auditing check could have helped fix the bugs or vulnerabilities and possibly prevent the losses.

Must Read: The Big Four Working Towards Blockchain Auditing

Ideally, smart contract audits should be done before the contracts are deployed. These audits seek to check for common errors such as stack problems, reentrance mistakes, and other possible complications. The audit process also checks for host platforms’ known errors and security flaws while allowing developers to test the smart contract.

In addition, audits help projects constantly improve their smart contracts, ensuring they are always up to date. For instance, following the attack, Tinyman was forced to update their smart contracts to prevent such attacks in the future.

DeFi Insurance

Notably, before making any arrangement within the DeFi market, users need to understand the risks associated with the market fully. Apart from smart contract risks, users might also face oracle risks and governance risks. 

That said, conducting proper research on the markets and projects therein allows users to make informed decisions. One such decision is getting protection for unforeseen attacks through DeFi Insurance.

DeFi Insurance is the process of insuring oneself or buying coverage against losses that events in the DeFi industry may suffer. The growing numbers of losses within DeFi have created a demand for DeFi insurance products as new projects keep rising by the day. 

Usually, many affected exchanges end up reimbursing their victims following the attack. However, some of the hacked projects cannot reimburse their users.

Note, the Tinyman team has come forth to assure affected users that they will be reimbursed for their losses.

Strength in Communities

Notably, after the first attack became public, many more hackers took the opportunity to copy the hack. They used the same vulnerabilities to execute smaller attacks (second to fourth attacks) on the exchange. However, Tinyman managed to save a large percentage of their assets with the community’s help.

In this and similar attacks, communities have helped spread the news faster, allowing users to take the necessary security actions to help keep their assets safe. In addition, communities, to some extent, have helped in building better communication and collaborations between developers and users for the growth of the entire ecosystem.

In recent days, crypto-based communities have helped raise revolutions that have led to the growth of projects within the industry.

Wrapping up

While blockchain has made tremendous breakthroughs, especially within finance, the technology is far from perfect. However, project owners, developers, and users alike can take appropriate measures to ensure more security within blockchain-based applications.

By taking accountability measures through audits and other relevant measures, projects can eliminate any bugs or vulnerabilities that could be used against the application. Also, taking other precautions such as DeFi insurance and keeping a tight community is important in mitigating such events. 

Follow QuillAudits for more updates.

Twitter | LinkedIn Facebook | Telegram


Related Articles

View All

Leave a Comment

Your email address will not be published. Required fields are marked *


Due to the fact that Web3 technology is still in its infancy, new types of attacks are possible. Some attacks, like ice phishing, are specific to Web3, while others resemble credential phishing attacks.




The $BEVO NFT Art Token (BEVO) on BSC was exploited, resulting in a $45,000 loss.

The root cause of the exploit is that BEVO is a deflationary token. By invoking function deliver(), the value _rTotal will decrease.

QuillAudits 🤝 Gamestarter

@Gamestarter is a complete Web3 ecosystem including an IDO launchpad, game development studio, accelerator, incubator, and soon NFT marketplace, gaming guild and metaverse.

QuillAudits extends its partnership with Gamestarter.


Thoreum Finance on the BNB chain was exploited on January 18, 2023. The exploit resulted in the protocol losing approximately 2261 BNB (~$680K).

✔ Check out our latest article to learn more about how it happens.👇


#web3 #Security #Audit


phyProxy on BSC was attacked, resulting in a loss of 1.2K BUSD.

The root cause is a forced investment due to the delegate calls unverified input in the public delegateCallSwap function.

Load More

Amidst FTX Saga, Hacker Swept More Than $25 Million in 2nd week of November

The contract reinvested (the earn function was not called) before the user pledged (depositAll function) without settling the reward, which means that when the user pledged, the contract did not settle the previous reward and instead conducted a new investment.

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:


Refer QuillAudits to Web3 projects for audits.


Earn rewards as we conclude the audits.


Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $190K+