How the Tinyman Exploit can Strengthen Algorand
Growing a Security Ecosystem on the Blockchain
When I went to bed last night Tinyman was a vibrant automated market maker serving the Algorand Community, by the time I go to bed tonight it will be an empty husk, devoid of its liquidity and nursing a decline in its reputation.
The debacle of the Tinyman exploit is not just a tragedy for the people who lost their hard-earned tokens to hackers today, if we learn nothing from it and continue on tomorrow as if nothing has changed it could be a huge blow for the entire Algorand Community.
The problem
The reason why it would be a tragedy if nothing was done to improve the security of dApps on the Algorand ecosystem is that this hack was inevitable and with no changes, it is likely that more hacks will take place, each one eroding trust in the entire ecosystem. This is not a matter of Tinyman being technically incompetent, or not doing as much as anyone else to ensure the safety of their users' funds — they successfully passed an audit and are well regarded. This is a systematic problem with which requires leadership from the Algorand Foundation to solve.
Bailouts (from the Foundation) are not the answer
Before I get on to what I think should happen I want to say why I would be uneasy with the Algorand Foundation bailing out dApps that are victims of a hack. This includes Tinyman or its users (or its for-profit VC backers) either in exchange for a stake in the platform or not.
Far from encouraging confidence in the blockchain, it would do the following:
- Throw good money after bad — Fewer funds for innovation means lower long-term growth.
- Lead to centralisation — if only the larger projects get bailed out then they will unfairly outcompete more competent smaller rivals.
- Introduce a moral hazard — Investors and dApps shareholders with artificially low risk will make poor decisions.
- Reduce the moral burden on thieves — Criminals should have to live without rationalizations that help them to sleep at night.
IMO It should be up to the shareholders of dApps to pay if LPs are bailed out.
A bounty program for whitehats
It seems to me like if this was a thing it could help incentivise people to responsibly find and report exploits like the one suffered by Tinyman so they can be fixed before LPs lose their money.
I hear some retort that projects like AlgoFi have bounty projects already, and I hear others retort that above I set my face against grant money being used to subsidise VC funded companies. If you are one of these voices I say that you are correct, however the aim of a generous security program would not be to save VCs the expense of providing their own security, it would be to:
- Incentivise more developers in the community to learn TEAL
- Bring more whitehats into the Algorand community
- Once each exploit is resolved to publish the details of each exploit and how it was found, fixed, and resolved on the Algorand Developer Portal to increase the expertise of smart contract developers.
In other words, the Foundation would not (just) be paying for the security of private investors, it would be increasing the availability of competent security-minded developers, auditors, and whitehats operating in the ecosystem.
OK… you say “but might you make the ecosystem less safe by encouraging free-riders to take fewer precautions at the expense of the Foundation?”
To avoid abuse it could only cover projects who have taken and are taking proper precautions at their own expense to protect their users such as undertaking an audit by a reputable firm(s).
Insisting on certain standards as a prerequisite to the award of a grant to a project
It seems to me as though the Foundation has a lot of power that it could exercise over projects at the grant phase of their development to commit to adhere to standards of best practice or openness. For example, they could incentivise (and fund) grant recipients to undergo a testnet bounty period for a set time before or after the audit of a smart contract where their TEAL and pyTEAL is published for full scrutiny, and all exploits and fixes are published on the Algorand Developer portal to further aid future development.
Give warnings
I asked myself earlier today whether in a few week's time after the Tinyman exploit is patched and AlgoDEX is successfully launched on mainnet whether I would rather provide liquidity to Tinyman, a dApp that recently got hacked, or AlgoDEX one not hacked but untested in battle….
The answer that seems most sensible to someone looking to stay invested in DeFi is that all DeFi users should be properly diversified and risk-aware. It's not glamourous but in traditional finance, disclaimers are common. There should be some sort of best practice published for a non-mandatory disclaimer attached to DeFi Investments warning people that their money is at risk, not to risk what they can't afford and that they should stay diversified.
In conclusion
The Algorand Foundation has been hugely successful in setting up the Algorand ecosystem for explosive and hugely exciting growth in its DeFi sector. Because of this, it needs to look at ways to grow a security-minded ecosystem that will keep pace with these developments.
Above were just a few suggestions on how I think the Algorand Foundation could do this. If you agree or disagree let me know, and also let me know if you have any other suggestions on how the ecosystem can improve the security of its dApps in the future.
Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing
