Lessons From The Attack On Tinyman, Largest DEX On Algorand


Crypto hacks continue in 2022 as hackers attack vulnerabilities within different networks, adding to millions of stolen assets. The Algorand community began the year on a sour note following an attack on their decentralized exchange that led to the loss of about $3 million worth of assets.

According to reports, on January 1, 2022, unauthorized users attacked Tinyman, a decentralized financial platform built on Algorand. The event consisted of four separate attacks, allowing the hackers to steal about $3 million from pools within the protocol.

A report by Tinyman showed that four accounts were compromised, which affected about 250 users with holdings in goBTC and goETH. Forty-three pools were affected by 360 malicious activities carried out by 13 unique addresses.

Notably, the attackers first activated their wallet addresses, which allowed them to deposit a seed fund for the attack. They then reportedly exploited previously unknown vulnerabilities in Tinyman’s smart contract. This allowed them to receive two of the same token, after which they swapped some of the assets and minted pool tokens.

The attacks reportedly favored the unauthorized users because the goBTC asset was more valuable than the ALGO token they swapped it against, letting them extract more funds. In addition, the attackers swapped through stablecoin pools before withdrawing the assets to other wallets and centralized exchanges.

As a trustless and permissionless protocol, Tinyman notably uses immutable contracts, making it impossible for the exchange to patch the vulnerabilities and stop the attack quickly. As a result, they could only advise their users not to use the platform while they worked on fixing the problem.

As the Tinyman team continues to investigate the incident, a few key areas need to be addressed. These include:

Importance of Audits

Given the increased number of fraud cases and crypto-related attacks within DeFi and the overall cryptocurrency market, the need for checks and accountability cannot be emphasized enough.

Last year in November, Elliptic, a global crypto risk management company, published research showing that over $10.5 billion worth of assets were lost from DeFi in 2021 due to hacks and other attacks on networks and protocols.

Furthermore, DeFi-related hacks accounted for 76% of all major hacks in 2021. According to the report, the trustless nature of decentralized applications (DApps) within DeFi is both a blessing and a curse. Being trustless eliminates any third-party control of users’ funds. However, users are forced to trust that the creators of the protocols in question did not make any mistakes in the code or design that could allow an attack on the system.

Audits allow trusted entities to check for vulnerabilities in the code and structural design of a project, increasing overall security. Audits should be carried out regularly to keep up with the new and increasingly sophisticated techniques hackers use to attack systems. While Tinyman had reportedly undergone an audit, a more recent audit could have helped fix the bugs or vulnerabilities and possibly prevented the losses.

Ideally, smart contract audits should be done before the contracts are deployed. These audits check for common errors such as stack problems, reentrancy bugs, and other possible complications. The audit process also checks for the host platform’s known errors and security flaws while allowing developers to test the smart contract.

In addition, audits help projects constantly improve their smart contracts, ensuring they are always up to date. For instance, following the attack, Tinyman was forced to update their smart contracts to prevent such attacks in the future.

DeFi Insurance

Notably, before making any arrangement within the DeFi market, users need to understand the risks associated with the market fully. Apart from smart contract risks, users might also face oracle risks and governance risks. 

That said, conducting proper research on the markets and projects therein allows users to make informed decisions. One such decision is getting protection for unforeseen attacks through DeFi Insurance.

DeFi Insurance is the practice of buying coverage against losses caused by events in the DeFi industry. The growing number of losses within DeFi has created a demand for DeFi insurance products as new projects keep appearing by the day.

Many affected exchanges end up reimbursing their victims following an attack. However, some hacked projects cannot reimburse their users.

Notably, the Tinyman team has come forward to assure affected users that they will be reimbursed for their losses.

Strength in Communities

Notably, after the first attack became public, many more hackers took the opportunity to copy the hack. They used the same vulnerabilities to execute smaller attacks (second to fourth attacks) on the exchange. However, Tinyman managed to save a large percentage of their assets with the community’s help.

In this and similar attacks, communities have helped spread the news faster, allowing users to take the necessary security actions to help keep their assets safe. In addition, communities, to some extent, have helped in building better communication and collaborations between developers and users for the growth of the entire ecosystem.

In recent times, crypto-based communities have helped drive movements that have led to the growth of projects within the industry.

Wrapping up

While blockchain has made tremendous breakthroughs, especially within finance, the technology is far from perfect. However, project owners, developers, and users alike can take appropriate measures to ensure more security within blockchain-based applications.

By taking accountability measures such as audits, projects can eliminate bugs or vulnerabilities that could be used against the application. Taking other precautions, such as DeFi insurance and keeping a tight-knit community, is also important in mitigating such events.

Follow QuillAudits for more updates.
