An Algorand-based trading platform dubbed Tinyman suffered a smart contract exploit and $3 million is now lost as we are reading more in our latest cryptocurrency news.
The Algorand-based trading platform talked about the latest attack which started on January 1st. The “unauthorized users” managed to breach the protocol’s pools after compromising an unknown vulnerability on the smart contracts. According to the official blog post, the attack resulted in a drain of ASAs in the first few hours. This induced massive volatility and Tinyman revealed that the hack activated their wallet addresses and deposited the seed fund for the breach. In order to execute the attack, the perpetrators targeted the pools and started to swap a portion of their funds, and minted the Pool tokens.
Any lost funds after the next 24 hours (9 am UTC on the 4th of January) will be the responsibility of the users as there is nothing we can do to stop this event, the responsibility of the remaining assets are in the wallet owners' hands.
— Tinyman (@tinymanorg) January 3, 2022
It was actually an unknown bug in the burning of the Pool tokens that the perpetrators exploited and managed to acquire “two of the same Assets instead of the two different assets.” according to the platform, this was quite favorable for the perpetrators as the GOBTC asset was much more valuable than Algorand’s native token aLGO. They swapped it right away to rake in more funds and to carry out the exploit. Tinyman alleged that the attackers swapped pools with Stablecoins to fish out the most value and to withdraw the assets to other on-chain wallets and the known centralized crypto exchanges.
While apologizing for the entire event, Tinyman assured that the affected users will be reimbursed and the team is working on a few compensation plans. It also mentioned that they could not obstruct the transactions on the blockchain because of the permissionless nature of the contracts. In a bid to control the intensity of the damage, Tinyman urged the liquidity providers to pull out all of their liquidity from the protocol contracts, and in addition, all of the liquidity routes in the web app were blocked and replaced with warning signs.
In another tweet, the platform notified the users that the exploit on the pools will continue. More than $2 million worth of various assets in the pools remained stuck. Tinyman advised everyone to remove their liquidity as soon as possible and warned that lost funds after 9 AM UTC will be users’ responsibility.
DC Forecasts is a leader in many crypto news categories, striving for the highest journalistic standards and abiding by a strict set of editorial policies. If you are interested to offer your expertise or contribute to our news website, feel free to contact us at [email protected]
Discussion about this post