Thoughts on "a" musing on the pond: Dynamic supply for Algorand
The “Musings on the pond” article lays out a thought-provoking proposal for a deep intervention in Algorand’s economics. If you have not read it, it is well worth putting it at the top of your reading list and getting to it soon - even now, in fact: if you have the time, go read that first. Among the proposed interventions is a set of changes to the minimum transaction fee, block rewards and fee burns that would alter the fixed nature of the total supply of Algorand....
Disclosure Tales 02: Downward Facing DAOs
I discovered and disclosed a vulnerability in the Updog and FAME DAO contracts. Then I hacked them. This story is not boring. Background: The DAOs. Updog offered a fully featured DAO platform. In a nutshell: Each DAO instance has a governance token that can be staked and withdrawn. The DAO contracts could control assets and ALGO. Payments of both types could be executed trustlessly after a proposal passed with enough votes....
Disclosure Tales 01: Honing Fire
I discovered and disclosed a vulnerability in the Hone NFT shuffle contracts. They responded well. This story is almost boring. The backstory: I was curious about the mechanics of the Hone NFT shuffle, as it utilizes VRF, in which I have a keen interest. Reading TEAL is a bit like reading assembly, but with enough determination and a bit of practice you can figure out what a contract is doing....
Set Up Voi Participation Node on Ubuntu 22.04
This article will guide you through setting up a Voi participation node on the latest Ubuntu LTS (22.04). It assumes you start with a local or remote (server/cloud) installation. Version 20.04 should also work, but is not tested extensively. This guide is only suitable for x86 architecture machines as it relies on the Algorand repository, which does not publish packages for other architectures such as ARM64. ⚠️ Do not follow this guide if you are running an existing Algorand node on the same server, as it will likely overwrite your Algorand installation....
Implementing an on-chain VRF shuffle for EXA Lootbox Reveals
Following a brief partnership during CupStakes - where EXA.market was our official secondary marketplace - they commissioned me to implement the smart contracts that would power their rewards program. As a new marketplace in the Algorand ecosystem, EXA wanted to incentivize users to trade on their platform. Users were rewarded with “Lootbox” NFTs for using the platform. After the lootboxes were distributed, we revealed that there were two more kinds of lootbox users could get....
Redundant Participation Nodes on Algorand
⚠️ Article content under review. Check back later.
MyAlgo hack: Fifth Wave - Addresses & Data
The MyAlgo attacks have so far been clustered around five distinct waves, roughly corresponding to these dates: First Wave: February 20, 2023; Second Wave: March 5, 2023; Third Wave: March 6, 2023; Fourth Wave: March 17, 2023; Fifth Wave: March 31, 2023. This article presents data from the fifth wave - March 31 - as well as subsequent movements of stolen funds. Summary: The attack was automated and ran for 14 hours - from 2023-03-31 10:15 (GMT) until 2023-04-01 00:25 (GMT)....
MyAlgo hack: First Wave - Addresses & Data
The MyAlgo attacks have so far been clustered around three distinct waves, roughly corresponding to these dates: First Wave: February 20, 2023; Second Wave: March 5, 2023; Third Wave: March 6, 2023. This article presents data from the initial wave - February 20 - as well as subsequent movements of stolen funds during March 5th. Wallets attacked on March 5th are not included. Aggregates and Addresses: In the first wave, 24 addresses were impacted for the following aggregate losses:...
Preliminary Advisory Report - Algorand 20-02-2023 Thefts
Summary: There is a non-zero chance of a MyAlgo wallet software compromise leading to the theft of at least $7.2m worth of assets on the Algorand blockchain. We recommend rekeying MyAlgo accounts to fresh private keys, or simply moving funds where possible. This precautionary remediation of further risk should not have usability impact and, if done carefully, may have a significant security benefit. We have been day 1 responders to these attacks: reporting the potential compromises, organizing affected users, systematically collecting as much information as possible in order to find a possible common vector, suggesting actions to be taken, preparing transaction trail documents for authorities....
Benchmarking Algorand AMM 1:1 real world swap performance
TL;DR: We tested Algorand with end-user-identical AMM swaps: 8,070 in a 3 second block. Our friends at Vestige.fi recently performed a benchmark of AMM swap performance on Algorand MainNet. While the results were great (2881 peak swaps per second), some naysayers missed the forest for the trees with complaints about the methodology being synthetic. The methodology by the Vestige team was: "We sent 353 groups of 85 swaps totaling 90368 transactions / 30005 AMM swaps....