skip to Main Content
bitcoin
Bitcoin (BTC) $ 98,797.47 1.02%
ethereum
Ethereum (ETH) $ 3,487.99 5.63%
tether
Tether (USDT) $ 1.00 0.04%
solana
Solana (SOL) $ 261.71 2.46%
bnb
BNB (BNB) $ 675.50 8.94%
xrp
XRP (XRP) $ 1.55 9.36%
dogecoin
Dogecoin (DOGE) $ 0.464012 16.65%
cardano
Cardano (ADA) $ 1.10 23.05%
usd-coin
USDC (USDC) $ 1.00 0.01%
staked-ether
Lido Staked Ether (STETH) $ 3,487.73 5.66%

$3 Million Lost as an Algorand-Based Decentralized Trading Platform Exploited

Tinyman opened about the latest attack that started on January 1st. A few “unauthorized users” breached some of the protocol’s pools after compromising a previously unknown vulnerability on its smart contracts.

Tinyman Compromised

According to the official blog post, the attack resulted in a drain of certain ASAs in the first hours. This, in turn, induced massive volatility. Tinyman revealed that the hack activated their wallet addresses and deposited a seed fund for the breach. To execute the attack, the perpetrators essentially targeted the pools and started to swap a portion of their funds and minted Pool Tokens.

It was an unknown bug in the burning of Pool Tokens that the perpetrators reportedly exploited and managed to acquire “two of the same Assets instead of two different Assets.”

According to the platform, this was favorable for the perpetrators as the “gobtc asset” was significantly more valuable than Algorand’s native token ALGO. They immediately swapped against it to rake in more funds and carry on with the exploit.

Tinyman alleged that the attackers also swapped pools with stablecoins to fish out the most value and withdraw these assets to other on-chain wallets and known centralized cryptocurrency exchanges.

The Attack Goes on

While apologizing for the entire event, Tinyman assured that all affected users will be reimbursed and that the team is currently working on compensation plans. However, it also mentioned that they could not obstruct any kind of transaction on the blockchain due to the permissionless nature of the contracts.

In a bid to control the intensity of the damage, Tinyman urged liquidity providers to pull out all their liquidity from all the protocol-related contracts. In addition to that, all liquidity routes in the web app were blocked and were replaced with warning signs to protect the community.

In yet another recent tweet, the platform notified its users that the exploit on the pools continues. Moreover, around $2 million worth of various digital assets in the pools still remained stuck. Tinyman once again advised everyone to remove their liquidity as soon as possible. It also warned that any lost funds after 9 AM UTC on January 4th will be user responsibility.

Loading data ...
Comparison
View chart compare
View table compare
Back To Top