The new year began with yet another online attack. This time the victim is the decentralized trading platform Tinyman that suffered a smart contract exploit.
Expressing about the recent attack Tinyman stated that, a few “unauthorized users” breached some of the protocol’s pools. This came after they compromised a previously unknown vulnerability on its smart contracts.
A well planned attack to hack Tinyman
Tinyman in their blog post revealed that the attack resulted in a drain of certain ASAs in the first few hours. The incident resulted in massive volatility. The hack activated their wallet addresses and deposited a seed fund for the breach. The perpetrators essentially targeted the pools and started to swap a portion of their funds and minted Pool Tokens.
The hackers used an unknown bug in the burning of Pool Tokens and managed to acquire “two of the same Assets instead of two different Assets.”
According to Tinyman, this was favorable for the perpetrators since the “gobtc asset” was significantly more valuable than Algorand’s native token ALGO. The miscreants didn’t stop there immediately but continued to rake in more funds and carry on with the exploit.
The attackers used stablecoins to fish out the most value and withdraw these assets to other on-chain wallets and known centralized cryptocurrency exchanges, Tinyman stated.
The attack intensifies racking in more loss
Tinyman got into Twitter to apologize for the entire incident. The platform assures all affected users of reimbursements as the team is currently working on compensation plans. Tinyman further added that they could not obstruct any kind of transaction on the blockchain. This is due to the permissionless nature of the contracts.
Following the event, Tinyman blocked all liquidity routes in the web app. They were replaced with warning signs to safeguard the users. They also urged liquidity providers to pull out all their liquidity from all the protocol-related contracts. The platform warned that Any lost funds after 9 AM UTC on January 4th will be user responsibility.
Around $2 million worth of various digital assets in the pools are still stuck as the exploit on the pools continues,Tinyman stated.