Lessons From The Attack On Tinyman, Largest DEX On Algorand

Crypto hacks continue in 2022 as attackers exploit vulnerabilities across different networks, adding millions to the total of stolen assets. The Algorand community began the year on a sour note following an attack on its largest decentralized exchange that led to the loss of about $3 million worth of assets.

According to reports, on January 1, 2022, unauthorized users attacked Tinyman, a decentralized finance platform built on Algorand. The exploit was carried out in four separate attacks, allowing the hackers to steal about $3 million from pools within the protocol.

A report by Tinyman showed that four accounts were compromised, which affected about 250 users with holdings in goBTC and goETH. Forty-three pools were affected by 360 malicious activities carried out by 13 unique addresses.

Notably, the attackers first funded their wallet addresses with seed capital for the attack. They then reportedly exploited a previously unknown vulnerability in Tinyman's smart contract, which allowed them to receive two of the same token from a pool; they went on to swap some of the assets and mint pool tokens.

The attacks reportedly paid off for the unauthorized users because goBTC was worth more than the ALGO they swapped against it, so each round netted them more funds. In addition, the attackers swapped into stablecoin pools before withdrawing the assets to other wallets and centralized exchanges.

As a trustless and permissionless protocol, Tinyman notably uses immutable contracts, which made it impossible for the exchange to patch the vulnerability and stop the attack quickly. As a result, the team could only advise users not to use the platform while they worked on fixing the problem.

As the Tinyman team continues to investigate the incident, a few key areas need to be addressed. These include:

Importance of Audits

Given the increased number of fraud cases and crypto-related attacks within DeFi and the overall cryptocurrency market, the need for checks and accountability cannot be emphasized enough.

In November last year, Elliptic, a global crypto risk management company, published research showing that over $10.5 billion worth of assets were lost from DeFi in 2021 due to hacks and other attacks on networks and protocols.

Furthermore, DeFi-related hacks accounted for 76% of all major hacks in 2021. According to the report, the trustless nature of decentralized applications (DApps) within DeFi is both a blessing and a curse. Being trustless eliminates any third-party control of users' funds. However, users are forced to trust that the creators of the protocol in question made no mistakes in its code or design that could allow an attack on the system.

Audits allow trusted entities to check for vulnerabilities in the code and structural design of a project, increasing overall security. Audits should be carried out regularly to keep up with the new and sophisticated techniques hackers use to attack systems. While Tinyman had reportedly undergone an audit, a more recent audit could have helped fix the bugs or vulnerabilities and possibly prevented the losses.

Ideally, smart contract audits should be done before the contracts are deployed. These audits check for common errors such as stack problems, reentrancy bugs, and other possible complications. The audit process also checks for the host platform's known errors and security flaws while allowing developers to test the smart contract.

In addition, audits help projects continually improve their smart contracts, ensuring they are always up to date. For instance, following the attack, Tinyman was forced to update its smart contracts to prevent such attacks in the future.

DeFi Insurance

Notably, before committing funds within the DeFi market, users need to fully understand the risks associated with it. Apart from smart contract risks, users might also face oracle risks and governance risks.

That said, conducting proper research on the markets and projects therein allows users to make informed decisions. One such decision is getting protection for unforeseen attacks through DeFi Insurance.

DeFi insurance is the practice of buying coverage against losses caused by events in the DeFi industry. The growing number of losses within DeFi has created demand for DeFi insurance products, and new ones keep appearing by the day.

Many affected exchanges end up reimbursing their victims following an attack. However, some hacked projects cannot reimburse their users.

Notably, the Tinyman team has come forward to assure affected users that they will be reimbursed for their losses.

Strength in Communities

Notably, after the first attack became public, more hackers took the opportunity to copy it. They used the same vulnerability to execute smaller attacks (the second to fourth attacks) on the exchange. However, Tinyman managed to save a large percentage of its assets with the community's help.

In this and similar attacks, communities have helped spread the news faster, allowing users to take the necessary security actions to keep their assets safe. In addition, communities have, to some extent, helped build better communication and collaboration between developers and users for the growth of the entire ecosystem.

In recent times, crypto-based communities have driven initiatives that led to the growth of projects within the industry.

Wrapping up

While blockchain has made tremendous breakthroughs, especially within finance, the technology is far from perfect. Project owners, developers, and users alike can take appropriate measures to improve the security of blockchain-based applications.

By adopting accountability measures such as audits, projects can eliminate bugs or vulnerabilities that could be used against the application. Other precautions, such as DeFi insurance and maintaining a close-knit community, are also important in mitigating such events.

Follow QuillAudits for more updates.