The new year didn’t ring well for the Algorand community, as the decentralized trading platform Tinyman built on the network was subject to an attack on 1 January, 2022. This followed a year of heightened theft that saw over $10 billion being lost to DeFi scams and hacks. In a new blog post, Tinyman has now detailed the fateful exploit that cost the DeFi platform an estimated $3 million.
The attacker was able to exploit some vulnerabilities in the network’s smart contracts that provided unauthorized access to pools from which they could extract tokens.
"1- As many of you are aware an attack occurred on Tinyman Pools on January 1st/2nd. The attack exploits a previously unknown bug in the contract and allows the attacker to withdraw assets from a pool that they are not entitled to."
— Tinyman (@tinymanorg), January 2, 2022
This “resulted in a drain of certain ASAs in the first hours of attack which led to increased volatility in the immediate aftermath,” Tinyman’s team noted, adding that further investigation into the attack was being carried out.
They did provide an early account of the attack, which suggested that the first perpetrators activated their wallet addresses and deposited a seed fund for the hack. They then carried out transactions with the targeted pools, swapping some tokens and minting some Pool Tokens.
The bug was exploited by burning the Pool Tokens, which allowed the hackers to receive two of the same assets instead of two different assets. The attackers continued to burn and swap over 17 transactions until they had stolen funds worth around $3 million at the time of withdrawal. The blog post added,
“The perpetrators’ next set of actions shows how they swapped over pools with stablecoins to extract most of the value and withdraw these assets to other on-chain wallets and recognized centralized exchanges.”
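The burn step described above, where two payouts of the same asset were accepted instead of one of each pool asset, comes down to a missing asset-identity check. The following is an added example, not code from Tinyman or its blog post: a simplified Python model (the pool layout, function names, asset ids and reserves are all constructed assumptions) that puts an amounts-only validation beside one that also binds each payout to the pool's asset for that slot.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pool:            # constructed toy pool, not Tinyman's on-chain state layout
    asset1_id: int
    asset2_id: int
    reserve1: int
    reserve2: int
    issued_pool_tokens: int

@dataclass(frozen=True)
class Payout:
    asset_id: int
    amount: int

def expected_payouts(pool, burned):
    """Pro-rata share of each reserve owed for `burned` pool tokens."""
    share1 = pool.reserve1 * burned // pool.issued_pool_tokens
    share2 = pool.reserve2 * burned // pool.issued_pool_tokens
    return Payout(pool.asset1_id, share1), Payout(pool.asset2_id, share2)

def amounts_only_check(pool, burned, out1, out2):
    """Weak form: compares amounts by position and never looks at asset ids."""
    exp1, exp2 = expected_payouts(pool, burned)
    return out1.amount <= exp1.amount and out2.amount <= exp2.amount

def strict_check(pool, burned, out1, out2):
    """Hardened form: each payout must be the pool's asset for that slot."""
    exp1, exp2 = expected_payouts(pool, burned)
    errors = []
    if out1.asset_id == out2.asset_id:
        errors.append("both payouts use the same asset")
    for slot, out, exp in (("first", out1, exp1), ("second", out2, exp2)):
        if out.asset_id != exp.asset_id:
            errors.append(f"{slot} payout asset {out.asset_id} != pool asset {exp.asset_id}")
        if out.amount > exp.amount:
            errors.append(f"{slot} payout amount {out.amount} exceeds share {exp.amount}")
    return errors

# Constructed sample values: asset ids and reserves are made up.
POOL = Pool(asset1_id=1001, asset2_id=2002, reserve1=1_000_000,
            reserve2=50_000_000, issued_pool_tokens=1_000)
HONEST = (Payout(1001, 100_000), Payout(2002, 5_000_000))
SAME_ASSET = (Payout(1001, 100_000), Payout(1001, 5_000_000))

if __name__ == "__main__":
    for name, outs in (("honest", HONEST), ("same-asset", SAME_ASSET)):
        print(name, amounts_only_check(POOL, 100, *outs), strict_check(POOL, 100, *outs))
```

The amounts-only check passes both payout pairs, while the strict check returns an empty error list only for the pair that pays out one unit of each pool asset.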
The network also noted that many other wallets were now exploiting this bug, warning that “those people can…










