They can’t freeze it or stop it. That’s the point of defi. They don’t have ultimate control. No one does. They will create new lp pools and contracts and anything left in these old ones will be left behind




Every ASA with a vulnerable price/decimal was going to get drained. I'm surprised it took this long, I tried it on testnet nearly a day ago and it's really simple. I even considered doing it white hat but then decided against it, it's too much of a shitstorm to get involved in. IMO Tinyman should've done it themselves.


>IMO Tinyman should've done it themselves.

Now that's honestly a great idea. They could've drained the pools themselves and sent the coins to the providers' wallets...


Reddit idiots would scream centralized!!!


Maybe they already are.


Yeah, I am surprised they didn’t. From the outside it looks like the exploit is just fair game.


Disclaimer: I have little knowledge of legal ramifications in the crypto space. They may have had legal concerns with doing the exploit themselves. As long as someone else drained their pools, Tinyman likely has no legal liability to people who lost money. It is just the risk of DeFi. But if they drained the pools themselves, they may have liability. And it could open the door to litigation. Look, I know Tinyman plans to reimburse people who lost funds. But they can decide how to identify those who lost funds and determine how the reimbursement will look. If they open the door to litigation, they may not have control over those decisions. And they could face lawsuits in different countries with different rules. Simply put, by damaging investor funds, they may be vulnerable to lawsuit, even if the underlying purpose of doing so was "good."


Look through their history. They've transferred out at least 80K of ALGO.


I followed a few txs and it seems to run back to this wallet: S4VSRVAWLS224QHK2OFZJZBM4HLBQLKS5RE6LDM3R3KHGIKWWERNE3QHPU, which moved huge chunks to Binance.




So maybe I’m not big brained enough to understand, but the exploit targets the LP pools, correct? Why not just freeze adding or removing from the pools entirely instead of draining the pools?


SCs are immutable, permissionless, and censorship resistant. This is a feature of defi protocols, not a bug. When Tinyman eventually disables trades on the website, anyone can still sign transactions directly on chain. There is nothing Tinyman, Algorand, the government, or anyone can do to change the SCs or stop people from interacting with the protocol. There is no freeze option. There is no blacklist address option. This is why it is advised to pull all liquidity, as the only way to go forward is by moving funds to brand new pools with new SCs.


Awesome answer. Thank you for clarifying.


That's a rock fact^100%


Tinyman's contracts don’t have those features. If they want to change/do something they have to make whole new contracts.


Is freezing/blocking certain addresses possible in blockchain technology?


That would require centralization, which defeats the purpose of DeFi.


Yeah that's what I thought? Was just in response to OP saying Tinyman should block the address


You could build it into the smart contract code actually. I made a defi app that let me ban addresses. It would just store the addresses in the smart contract and if the address tried to call the contract it would fail. Never used it tho.


The issue is it doesn’t matter how many decimals or the value of the token. The exploit allows them to specify any IDs as all both tokens getting returned. They specify the TMPOOL tokens to be returned. Essentially owning more LP tokens allows them to drain the liquidity.
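Added example, not part of the thread and not Tinyman's contract code: a simplified off-chain Python model of the check the comment above implies was missing, namely that the asset IDs paid out on a liquidity burn must be the pool's own two assets. The `Pool`, `Transfer` and `BurnRequest` types and all IDs are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pool:
    asset1_id: int    # first pooled asset
    asset2_id: int    # second pooled asset
    lp_token_id: int  # the pool's liquidity token

@dataclass(frozen=True)
class Transfer:
    asset_id: int
    amount: int

@dataclass(frozen=True)
class BurnRequest:
    lp_in: Transfer   # LP tokens handed back to the pool
    out1: Transfer    # first asset paid out to the caller
    out2: Transfer    # second asset paid out to the caller

def validate_burn(pool: Pool, req: BurnRequest) -> list[str]:
    """Return the reasons to reject a burn; an empty list means accept."""
    errors = []
    if req.lp_in.asset_id != pool.lp_token_id:
        errors.append("lp_in is not this pool's LP token")
    if req.lp_in.amount <= 0:
        errors.append("lp_in amount must be positive")
    # Pin each output to the pool's own asset; never trust caller-chosen IDs.
    if req.out1.asset_id != pool.asset1_id:
        errors.append("out1 is not the pool's first asset")
    if req.out2.asset_id != pool.asset2_id:
        errors.append("out2 is not the pool's second asset")
    if req.out1.asset_id == req.out2.asset_id:
        errors.append("both outputs name the same asset")
    return errors

# Constructed sample data (hypothetical asset IDs and amounts).
POOL = Pool(asset1_id=1001, asset2_id=1002, lp_token_id=9001)
GOOD = BurnRequest(Transfer(9001, 50), Transfer(1001, 10), Transfer(1002, 20))
SAME_ID = BurnRequest(Transfer(9001, 50), Transfer(1001, 10), Transfer(1001, 20))
LP_OUT = BurnRequest(Transfer(9001, 50), Transfer(9001, 10), Transfer(9001, 20))

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("same_id", SAME_ID), ("lp_out", LP_OUT)]:
        print(name, validate_burn(POOL, req) or "accepted")
```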


Anyone know how much total money or ALGO they’ve drained?


If I had to guess maybe 3M total. Remember they weren’t the only ones. Once the exploit was released other hackers also jumped on the bandwagon. As well as other users who saw assets undervalued. Some LPs got scared and left money on the table in the rush to get out and cut their losses. Either way damage is done. What’s left on Tinyman are scraps. Liquidity right now is around 1M. Down from 42M. That’s a huge drop.


I read from Tinyman’s Medium article that there was $40M worth of liquidity prior to the exploit and now there is less than $2M... Not all of that was the scammers since they told everyone to pull LP, but I’d guess a few million for sure.




When will the new contracts release?