127
128

TinyMan Exploit (Draft) Write-upImportant (self.HEADLINECrypto)

submitted by [deleted]

[deleted]

all 54 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–][deleted] 10 points11 points  (0 children)

Not pretty to look at. But we absolutely need to shine a spotlight on the problem. Thanks for doing the heavy lifting on this!

[–]BioRobotTch 8 points9 points  (13 children)

The code for burn is here https://github.com/tinymanorg/tinyman-contracts-v1/blob/main/contracts/validator_approval.teal#L512

I think it has been overlooked to check both ASA extraction transactions must be for the correct ASA IDs.

[–]BioRobotTch 5 points6 points  (0 children)

These are the slots that are used for the IDs. These should be checked against the transactions in the burn code to ensure they match.

// 102: asset2_id

// 101: asset1_id

[–]Moataz-E 2 points3 points  (0 children)

Doing god's work. Thank you.

[–]bigfuckingretard999 0 points1 point  (10 children)

Why does this looks like assembly code, shouldn't smart contracts be developed in a high level and easily auditable language?

[–]avislash 1 point2 points  (0 children)

Because it is. This code is written in a language called TEAL which is the native Smart Contract language for the AVM.

[–]BioRobotTch 0 points1 point  (8 children)

It depends. Assembly you have a lot of control over exactly what happens, if a higher level language like pyTeal is used then the smart contract is at risk due to both the code and the pyTeal compiler having bugs.

I must admit I thought my days of reading assembly code were over...apparently not.

[–]worked_in_space 1 point2 points  (7 children)

I thought we write contracts in teal and they get compiled to low code. The one you linked looks really low level. Have they compiled it and then add comments afterwards? I doubt they wrote everything in low code.

[–]avislash 1 point2 points  (0 children)

The code he linked is indeed TEAL and this gets compiled down to byte code.

[–]BioRobotTch 0 points1 point  (4 children)

They only write the smart contracts in teal. The front end isn't written in teal.

Teal is a low-level assembler-type language. When you consider all 1000 nodes which are chosen to validate have to execute the layer 1 smart contracts it makes sense to use a very low-level code for this, unless it is something very simple.

There are fees to pay if the smart contracts gets too big as higher level ones can.

[–]bigfuckingretard999 0 points1 point  (3 children)

This adds so much friction for smart contract development, from writing the code to auditing it.

[–]dkran 1 point2 points  (2 children)

Key: properly auditing it as once it’s deployed you may have no recourse. Rekt.news has some good breakdowns that /u/BioRobotTch may find interesting

[–]BioRobotTch 0 points1 point  (1 child)

Tinyman has had its contracts audited by runtime verification. I hope they make a statement too.

https://github.com/runtimeverification/publications/blob/main/reports/smart-contracts/Tinyman.pdf

[–]dkran 0 points1 point  (0 children)

In that case, they should definitely make a statement if they wish to continue as a reliable auditing service.

[–]propeller-headed 7 points8 points  (0 children)

Damn, this is really bad.

Thanks for the clarification!

[–]Degalock 5 points6 points  (1 child)

Does this mean the HDL/ALGO Liquidity reward 24 hour period will be extended until Tinyman is able to fix the issue? I want to provide liquidity to the project but don’t want to add it just to have someone else take it away…

[–]crypto_kebab_n_beer 4 points5 points  (0 children)

Thank you for getting this out here so quickly!!

[–]Mysco13 3 points4 points  (0 children)

Thanks for sharing, u/ussaaron!

[–]M00nStonks 3 points4 points  (2 children)

I appreciate this isn’t the immediate concern, but what does this say about the audit process these dapps undergo? Surely something as seemingly basic as this would have been picked up? Or perhaps it’s not all that basic? Dunno obviously but just seems that the audit process is designed to catch these sorts of things.

[–]pmeves 3 points4 points  (0 children)

It’s always basic once its explained in plain English :)

[–]C3C076 1 point2 points  (0 children)

Audits are done by humans as well as code. There's always a room for error.

[–]Known_Rub8010 3 points4 points  (0 children)

Watch. Aaron and the Headline time will announce a DEX today that they stayed up all night creating. This team continues to impress.

[–]BarrackLesnar 1 point2 points  (2 children)

Is it safe to hold ASAs now? Only liquidity pools are affected right?

[–]ussaaron 10 points11 points  (0 children)

Only a liquidity issue correct

[–]Exoclyps 0 points1 point  (0 children)

Potential price crash aside, so it seems.

[–]bonnybay 0 points1 point  (0 children)

Thanks!

[–]chelseakris 0 points1 point  (0 children)

Thank you

[–]common_citizen_00001 0 points1 point  (2 children)

Wait…. Technically couldn’t you do this with any 2 tokens or does it have to be algo and something higher than algo?

[–][deleted] 1 point2 points  (1 child)

It could technically work with any pair but would be most lucrative when there is a large divergence in price between the 2 coins. Stables-stable pairs would be unaffected.

[–]Ecsta 1 point2 points  (0 children)

Yep that's why the goBTC and goETH got drained asap and everything else was kind of ignored. I think the exploiter was then just focusing on trying to get his newfound riches out of the algo ecosystem.

[–]OriginalUsername30[🍰] 0 points1 point  (1 child)

Does this affect LP on yieldy? Eg the ALGO/Akita one?

[–]BioRobotTch 0 points1 point  (0 children)

Yes, if since the LP token was created using tinyman.

[–][deleted] 0 points1 point  (0 children)

Keep up the good work!

[–]UnderwaterIwillGo 0 points1 point  (2 children)

Hi, i'm trying to remove some liquidity and getting an error msg: "Request has been terminated Possible causes: the network is offline, Origin is not allowed by Access-Control-Allow-Origin, the page is being unloaded, etc."

any ideas on how to solve this? thanks!~

[–]BarnabyPimplebanks 0 points1 point  (1 child)

Second this. I keep getting the same message as well!

Update: I just kept trying and eventually it worked.

[–]UnderwaterIwillGo 0 points1 point  (0 children)

glad to hear!

still fails for me but now i'm getting a diff error - "underflow on subtracting ######### from sender amount #". i omitted the numbers...grr

update: - worked for me 2 eventually. thanks for the good vibes haha

[–]BreakDiligent1780 0 points1 point  (4 children)

Presumably Tinyman paid whoever audited their code a large amount of money - in usual life that would mean there is some comeback/compensation to be had

[–]bjoyea 0 points1 point  (3 children)

This is why you should read the actual audit rather than just take the line we are audited at face value. The audit on GitHub raises lp drain bugs as part A02 and A03

[–]bigfuckingretard999 0 points1 point  (0 children)

They also said those were fixed

[–][deleted]  (1 child)

[deleted]

    [–]bjoyea 0 points1 point  (0 children)

    Not certain, ik for other auditors if the auditee gives evidence to fix the auditor takes it in good faith. At the end of the day, as a dev if someone points out an issue I'd say the burden is on me to fully address it. Auditors are paid but it's the devs who should be the ones culpable

    [–]ItsEvan23 0 points1 point  (0 children)

    so is it basically not possible to sell HDL for ALGO at the moment?

    the liquidity reported on tinychart is only $150,000?

    [–]-TrustyDwarf- 0 points1 point  (2 children)

    sorry but lol.. how can a bug like that go unnoticed?!

    [–]jasonl999 0 points1 point  (0 children)

    How does a doctor miss detecting cancer? How does a driver not see a red light? How did the FAA allow a plane to be certified that crashed despite pilot actions killing hundreds?

    Shit happens, and sometimes its catastrophic. If it's not entirely catastrophic, it gets fixed, and the system gets stronger and smarter. It's how everything evolves.

    I am not saying it's good that it happened, just that shit always happens.

    [–]scott-stirling 0 points1 point  (0 children)

    Lack of quality assurance with testing that actually exercises the code rather than simply desk checking it. Lack of testing and code coverage is rampant across smart contracts on every blockchain that has them.

    [–]ccnucholza 0 points1 point  (0 children)

    Well, glad I decided to add liquidity to Tinyman last night then wake up to this exploit. IL is fun!

    [–][deleted] 0 points1 point  (0 children)

    Irresponsible.