Tinyman Vulnerability
Blockshake's Analysis of the Smart Contract Vulnerability, Jan 2022
A vulnerability was found in one of the Tinyman smart contracts on 1 Jan 2022. Unfortunately this was not accomplished by a security audit or white hat bounty program. It happened by the less desirable raiding of funds. As regretful as this may be this will ultimately improve the security of the Tinyman ecosystem.
The new year started with a wave of attacks on the Tinyman DEX (official announcement). Having worked intensively with the Tinyman protocol over the past months, we were able to write our own exploit and reproduce the attack on Testnet within thirty minutes (needless to say that we didn’t run any tests on Mainnet and didn’t share our code for obvious reasons).
Much has already been written about the problem that these attacks exploit. In brief, they target the “burn” operation in the Tinyman protocol. Minting and burning are the technical terms to add and remove liquidity from a pool. Under normal circumstances, minting/burning adds/removes equal values of both assets (e.g., in the goBTC-ALGO pool this means equal values of goBTC and ALGO). The attackers, however, crafted malicious “burn” transactions that extracted only one asset (e.g., goBTC) but in the wrong amounts. While this attack is possible on any Tinyman pool, it is not equally financially profitable for every pool. This has to do with the number of decimal places of an asset and how asset amounts are stored by the Tinyman protocol. In order to warn “poolers” of pools that are at higher risk of being exploited, we shared a list of high-risk pools online very early. In addition we scanned our database for transactions that indeed exploited this vulnerability and published them as well.
$DEFLY Presale and Defly App Plans
How does this security incident affect Defly and the presale of our DEFLY token? In short, we decided to proceed as planned with our presale. We still believe in a decentralized world and having seen how vibrant and supportive the Algorand community was before and during this attack, we are certain that decentralized trading on Algorand will bounce back strongly, so much so that users will need the tools to make trading easy to use, intuitive, and fast.
After Tinyman has patched their protocol and after our Defly presale has completed, we will launch our liquidity pool on the new Tinyman protocol. When more DEXs become available, we plan to use some of the liquidity from our presale to fund liquidity pools on other DEXs.
We expect many more DEXs to come to Algorand in the future, some very soon (AlgoDex, Pact, Humble, etc.). This is good news for the Algorand DeFi ecosystem and even better news for Defly users because they will be able to trade their favorite assets on multiple platforms from within one app. We have concrete plans for Defly to automatically suggest the DEX with the best price or let users manually select a DEX. Automatically suggesting the DEX with the best price lets users benefit from small price differences across different DEXs (this is also known as arbitrage trading). The following screenshot from Defly shows how users will be able to choose between multiple DEXs (with automatically finding the best DEX being the default).
On a more technical note it is also interesting to point out that Defly directly communicates with the smart contracts on the Algorand blockchain. This means that Defly relies on a robust and well-tested network. This prevents situations during this recent security incident where many users were not able to withdraw liquidity at the same time because of system overload at one platform (Tinyman, in this case).