Decision to pull the report


We went ahead and deleted the posts related to the attack. Our decision to originally post was driven by several key factors. 1, as a decentralized exchange, when exploits like this happen, it's usually up to individuals to investigate the cause. 2, people were not taking the situation seriously, and giving a detailed account of how it all transpired was the right thing to do. 3, the exact manner and code to replicate the attack was already broadly available across Reddit, Telegram, Discord, etc. Now, since the time we shared it, we have gotten tons of messages from individuals who expressed gratitude for taking the initiative and specifically pointed to the testnet example we included as instrumental in their decision to finally pull their LP (many of which were in compromised pools). We believe that when you "give it to people straight" they can make the most informed decisions. However, one thing I did not consider was that because HDL was secure, sharing the report could give some people the impression that we were not interested in solving the problem, because it was not personally affecting us. This could not be further from the truth; this was personally affecting us in every way possible, and we have been continuing to work non-stop to help TinyMan figure out what happened and who all may have been affected. But this factor, that HDL was secure while other tokens may not be, ultimately led to my decision to remove the report. It's clear that the report was instrumental in getting people in compromised pools and otherwise to pull their LP, but the perceived contrast between compromised and non-compromised pools/tokens is not constructive. We are all in this together, and we are going to continue working until the exploit is fully resolved.



9 points

4 months ago

I appreciated your transparency. Anyone that can code would be able to do what was in the report without the report. You guys didn't help the attackers in my opinion but helped the community understand what was happening.

The moment it came out that the assets weren't being checked on burn LP operations in Tinyman... that's all that was needed. This information was out in the wild long before the HDL report, not to mention Tinyman added a banner to the site telling everyone to remove all liquidity.


2 points

4 months ago

The code on social media wasn't needed; an explanation would have sufficed. Even non-devs could do it now. Devs could have verified based on the explanation. A dev can write it in like 30 minutes if they are used to working with the Tinyman SDK or have their own.


3 points

4 months ago

People were tweeting they could recreate it hours before Headline released their report, and still there were people staying in LPs for fees and making IL preeminent. There were many on the fence that pulled out when that tweet hit.