Lessons From The Attack On Tinyman, Largest DEX On Algorand

Read Time: 4 minutes

Crypto hacks continued into 2022 as attackers exploited vulnerabilities across different networks, adding to the millions in stolen assets. The Algorand community began the year on a sour note after an attack on its largest decentralized exchange led to the loss of about $3 million worth of assets.

According to reports, on January 1, 2022, attackers targeted Tinyman, a decentralized exchange built on Algorand. The incident unfolded as four separate attacks, in which the attackers drained about $3 million from pools within the protocol.

Tinyman's own report stated that four attacker accounts were involved and that about 250 users with holdings in goBTC and goETH were affected. Forty-three pools were hit by 360 malicious transactions from 13 unique addresses.

The attackers first funded fresh wallet addresses with seed capital for the attack. They then exploited a previously unknown vulnerability in Tinyman's pool smart contract that let them withdraw two of the same asset from a pool instead of one of each, after which they swapped part of the proceeds and minted further pool tokens.

The attack was profitable because goBTC was worth far more than the ALGO it was paired against, so receiving goBTC in place of ALGO left the attackers with more value than they had put in. The attackers then swapped the proceeds into stablecoins through other pools before withdrawing to other wallets and centralized exchanges.

As a trustless and permissionless protocol, Tinyman uses immutable contracts, so the team could neither patch the vulnerability nor halt the exchange to stop the attack quickly. All they could do was advise users not to use the platform while they worked on a fix.

As the Tinyman team continues to investigate the incident, a few key areas need to be addressed:
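The failure mode described above, as an added toy model that is not Tinyman's actual contract and not code from this page: it assumes a pool whose withdrawal computes the two payout amounts correctly but takes the payout assets from the caller without checking them, so naming goBTC for both legs pays the ALGO-sized leg in goBTC. Pool sizes, token decimals and USD prices are constructed for the illustration. The hardened variant adds the check a reviewer would expect, before any state changes.

```python
from dataclasses import dataclass

# Constructed assumptions for the illustration, not market data: token decimals
# and USD prices in cents per whole token.
DECIMALS = {"ALGO": 6, "goBTC": 8}
PRICE_CENTS = {"ALGO": 100, "goBTC": 4_000_000}


def value_cents(asset: str, base_units: int) -> int:
    """USD value (in cents) of `base_units` of `asset` at the assumed price."""
    return base_units * PRICE_CENTS[asset] // 10 ** DECIMALS[asset]


@dataclass
class Pool:
    """Toy two-asset liquidity pool; reserves are held in base units."""
    asset_1: str
    asset_2: str
    reserve_1: int
    reserve_2: int
    lp_supply: int

    def burn_amounts(self, lp: int) -> tuple[int, int]:
        """Pro-rata share of each reserve for `lp` pool tokens (the maths is fine)."""
        return (lp * self.reserve_1 // self.lp_supply,
                lp * self.reserve_2 // self.lp_supply)

    def _pay(self, asset: str, amount: int, ledger: dict) -> None:
        """Transfer `amount` of `asset` from the pool to the caller's ledger;
        fails, as an on-chain transfer would, if the pool lacks the balance."""
        if asset == self.asset_1:
            if amount > self.reserve_1:
                raise RuntimeError("pool cannot cover payout")
            self.reserve_1 -= amount
        elif asset == self.asset_2:
            if amount > self.reserve_2:
                raise RuntimeError("pool cannot cover payout")
            self.reserve_2 -= amount
        else:
            raise ValueError(f"{asset} is not a pool asset")
        ledger[asset] = ledger.get(asset, 0) + amount

    def burn_unchecked(self, lp: int, out_asset_1: str, out_asset_2: str, ledger: dict) -> None:
        """VULNERABLE (toy): both payout amounts are computed correctly, but each is
        paid in whichever asset the caller names for that leg. Naming the pricier
        asset for both legs pays the asset-2 amount in asset 1."""
        amount_1, amount_2 = self.burn_amounts(lp)
        self._pay(out_asset_1, amount_1, ledger)
        self._pay(out_asset_2, amount_2, ledger)
        self.lp_supply -= lp

    def burn_checked(self, lp: int, out_asset_1: str, out_asset_2: str, ledger: dict) -> None:
        """Hardened: each payout leg must be in its own pool asset, validated
        before any state is touched."""
        if (out_asset_1, out_asset_2) != (self.asset_1, self.asset_2):
            raise ValueError("payout assets must be the pool's two assets, one each")
        self.burn_unchecked(lp, out_asset_1, out_asset_2, ledger)


def simulate(burn) -> tuple[int, int]:
    """Burn a small LP position naming goBTC for both legs.
    Returns (cents received, cents a correct burn would have paid)."""
    # Constructed pool: 100 goBTC against 4,000,000 ALGO, 10,000 pool tokens.
    pool = Pool("goBTC", "ALGO", 100 * 10**8, 4_000_000 * 10**6, 10_000)
    lp = 10  # 0.1% of the pool: small enough that the pool can cover the bogus leg
    fair_1, fair_2 = pool.burn_amounts(lp)
    fair = value_cents("goBTC", fair_1) + value_cents("ALGO", fair_2)
    ledger: dict = {}
    burn(pool, lp, "goBTC", "goBTC", ledger)
    received = sum(value_cents(a, n) for a, n in ledger.items())
    return received, fair


def attack_rejected() -> bool:
    """True if the hardened burn refuses the same-asset payout."""
    try:
        simulate(Pool.burn_checked)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    got, fair = simulate(Pool.burn_unchecked)
    print(f"unchecked burn paid ${got / 100:,.0f} for a position worth ${fair / 100:,.0f}")
    print("checked burn rejects it:", attack_rejected())
```

The small burn size matters: because the ALGO leg is denominated in far more base units than the goBTC reserve holds, a large burn would simply fail for lack of balance, which is why such an attack is carried out as many small transactions rather than one.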

Importance of Audits

Given the rising number of fraud cases and attacks across DeFi and the wider cryptocurrency market, the need for checks, balances and accountability cannot be overstated.

In November 2021, Elliptic, a global crypto risk management company, published research showing that over $10.5 billion worth of assets were lost from DeFi in 2021 to hacks and other attacks on networks and protocols.

Furthermore, DeFi-related hacks accounted for 76% of all major hacks in 2021. According to the report, the trustless nature of decentralized applications (DApps) within DeFi is both a blessing and a curse: being trustless removes third-party control of users' funds, but users must still trust that the protocol's creators made no mistakes in the code or design that could allow an attack on the system.

Audits let independent experts check a project's code and structural design for vulnerabilities, raising its overall security. They should be repeated as the code and the threat landscape change, to keep up with the new and more sophisticated techniques attackers use. While Tinyman had reportedly been audited, a more recent audit of the deployed contracts could have caught the bug and possibly prevented the losses.

Ideally, smart contract audits are done before the contracts are deployed. They check for common classes of errors such as stack-handling problems, reentrancy bugs and other logic flaws, along with the known pitfalls of the host platform, while giving developers a chance to test the smart contract under adversarial assumptions.

In addition, audits help projects keep improving their smart contracts so that they stay up to date. Following the attack, for instance, Tinyman had to update its smart contracts to prevent similar attacks in the future.

DeFi Insurance

Before entering any position in the DeFi market, users need to fully understand the risks involved. Beyond smart contract risk, users also face oracle risk and governance risk.

Proper research on the market and the projects in it allows users to make informed decisions. One such decision is buying protection against unforeseen attacks through DeFi insurance.

DeFi insurance is the practice of buying coverage against losses that users may suffer from events in DeFi, such as protocol hacks. The growing losses within DeFi have created demand for insurance products as new projects launch by the day.

Many affected exchanges end up reimbursing their victims after an attack, but some hacked projects cannot reimburse their users.

Note that the Tinyman team has assured affected users that they will be reimbursed for their losses.

Strength in Communities

After the first attack became public, copycat attackers used the same vulnerability to carry out smaller attacks (the second to fourth) on the exchange. However, with the community's help, Tinyman managed to save a large share of the assets in its pools.

In this and similar attacks, communities have helped spread the news faster, allowing users to take the necessary security actions to protect their assets. Communities have also, to some extent, improved communication and collaboration between developers and users for the growth of the whole ecosystem.

More broadly, crypto communities have driven the growth of many projects within the industry.

Wrapping up

While blockchain has made tremendous breakthroughs, especially in finance, the technology is far from perfect. Project owners, developers and users alike can, however, take appropriate measures to make blockchain-based applications more secure.

By taking accountability measures such as audits, projects can find and fix bugs or vulnerabilities before they are used against the application. Other precautions, such as DeFi insurance and a tight-knit community, are also important in mitigating such events.

Follow QuillAudits for more updates.


