LP Attack on Tinyman Defi on Algorand
Liquidity Pools on the Algorand DEX Tinyman are being exploited and drained of funds due to a contract exploit in the burning mechanism. The attack not only drains the LPs but also devalues the respective LP governance tokens. While there isn’t (yet) an Algorand bridge in the Incognito network, there is no doubt the Tinyman attackers will be testing other DEXes for a similar flaw in the burn function of the DEX.

Firstly, I hope the team is staying abreast of security incidents with DEXs, networks and protocols; analyzing the published incident reports for those incidents and mitigating any similar vulnerabilities in the Incognito protocol.

Secondly, I sincerely hope the team will be submitting the new production code for 3rd party audits and publishing the results (frankly, this all should be done before any new code ever went live). There have been a number of self-inflicted errors and mistakes of late that have somehow slipped through QA. Submitting an iOS update a full month before backend infra was remotely ready is one thing; having new v3 pDEX LPs drained in a Tinyman-type attack would be an altogether different thing.

We all want this project to succeed. Protocol security is not a one-and-done effort. Publicly published audits, incident statements – regarding both internal and external networks – are crucial to establishing confidence and assuring robust design.
Speaking of which, I want to remind the team of my suggestion for an insurance fund.
Btw, after this attack, it really deserves its name as having “tiny” funds :joy:

Thanks for pointing this out @Mike_Wagner, devs are looking into it.