Algorand-Based DeFi Platform Tinyman Lost $3 Million During an Exploit

Some communities started the year on the right foot; others, such as the Algorand ecosystem, did not.

On January 1st, Tinyman, a decentralised finance (DeFi) platform built on the Algorand network, was attacked, and approximately $3 million of assets were withdrawn from a pool without authorization, according to its official blog statement.

Today, two days after the attack, the official Tinyman Twitter account posted the following statement:

"We advise our users not to use Tinyman at the moment due to the problems we are experiencing. Low liquidity can also cause a loss of value in your funds. We'll be stopping our swap func. on the interface soon. Please take this warning seriously as this is for our users' protection"

About the exploit

According to the official blog statement, there was a lot of volatility in the first hours after the exploit, and certain Algorand Standard Assets (ASAs) were drained because of it. Tinyman's team said that the attackers activated their wallet addresses and deposited a seed fund for the attack.

To continue the attack, the hackers started targeting some pools, swapping some assets and minting Pool Tokens. Because of a previously unknown bug exploited in the attack, this allowed them to receive two of the same asset instead of two different ones. The attackers benefited because the goBTC asset was more valuable than Algorand's native token, ALGO.

Tinyman also revealed that the attackers swapped pools with stablecoins and withdrew those assets to other wallets and centralized exchanges. The team claimed that users affected by this attack will be reimbursed by the protocol.

DeFi Platforms Come With High Risk

In 2021, DeFi was one of the most trending words of the year in the crypto world, and it exists thanks to smart contracts.

In November 2021, the global crypto risk management company Elliptic published research revealing that $10.5 billion of assets were lost due to exploits or hacks in DeFi protocols in 2021.

"Decentralised apps are designed to be trustless in that they eliminate any third-party control of users' funds, but you must still trust that the creators of the protocol have not made a coding or design mistake that could lead to a loss of funds," said Tom Robinson, Chief Scientist at Elliptic.

DeFi protocols are new to the space and are growing every day. In January 2021 there was $20 billion of Total Value Locked (TVL), and one year later there is approximately $250 billion, according to DeFi Llama data, an increase of more than 10 times in one year.

As more money flows into the DeFi world, more criminals and attackers are tempted to hack the protocols, because it's something very new in crypto, there is no KYC, and they are based on smart contracts. Smart contracts are written by human beings, who can leave mistakes that attackers can take advantage of.

Let's hope that in the future the market will have more experience with the DeFi ecosystem, can learn from the mistakes of the Tinyman protocol, and maybe see possible regulation within the DeFi world.