Posts

The MyAlgo attacks have so far been clustered around three distinct waves, roughly corresponding to these dates: First Wave: February 20, 2023 Second Wave: March 5, 2023 Third Wave: March 6, 2023 This article presents data from the initial wave - February 20 - as well as subsequent movements of stolen funds during March 5th. Wallets attacked on March 5th are not included. Aggregates and Addresses In the first wave, 24 addresses were impacted for the following aggregate losses: 16,964,466.38 ALGO 3,440,465.51 USDC 1,515,710.00 OPUL 800,000.00 gALGO 1,237,828.90 COSG 40,252,507.58 goMINT 230.37 goETH 15.85 goBTC 2,713,794.69 BANK The approximate value at the time was $9.4MM. The impacted addresses are: ...

Summary: There is a non-zero chance of a MyAlgo wallet software compromise leading to the theft of at least $7.2m worth of assets on the Algorand blockchain. We recommend rekeying MyAlgo accounts to fresh private keys, or simply moving funds where possible. This precautionary remediation of further risk should not have usability impact and, if done carefully, may have a significant security benefit.\ We have been day 1 responders to these attacks: reporting the potential compromises, organizing affected users, systematically collecting as much information as possible in order to find a possible common vector, suggesting actions to be taken, preparing transaction trail documents for authorities. This case quickly grew with multiple confirmations and more discoveries daily. ...

TL; DR: We tested Algorand with end-user-identical AMM swaps: 8,070 in a 3 second block. Our friends at Vestige.fi recently performed a benchmark of AMM swap performance on Algorand MainNet. While the results were great (2881 peak swaps per second), some naysayers missed the forest for the trees with complaints about the methodology being synthetic. The methodology by the Vestige team was: "We sent 353 groups of 85 swaps totaling 90368 transactions / 30005 AMM swaps. Algorand therefore handled 30005 AMM swaps in ~15 sec, or about 2000 swaps/s. If we discount the last ~500 swaps in the 806 block we instead get 29500/11 sec = 2680 swaps. If someone smarter than me has data on block times we could do better calculations, in case blocks were delayed or so. " "all transactions were made from https://allo.info/address/SWAPVMWRFIIY2L5V2JEWXIE7TLSOCUJP4BJYMAM65VBMRXHHE24GBMMPYM which called the app 1000469889 which does 85 swaps in inner transactions (255/3)" On Algorand, inner transactions are transactions initiated by a smart contract. As such, they don't need to come with a signature attached - the outer transaction call's signature suffices. ...

Running an Algorand consensus participation node requires a bit of patience and a bit of hardware. Unfortunately, consensus participation currently isn't rewarded by the network - only by our conscience! Most cloud providers do not accept conscience bucks, so we will do what we can with free offerings. The Oracle Cloud has an "always free" tier which includes good-enough virtual servers for our purposes. Traditionally this is where I state my affiliations and paid promotions, but there are none in this case. I am a happy Oracle free tier user and that's it. No money has exchanged hands for the production of this article. There is one minor gotcha which I will treat as a cliff-hanger for now. ...

As a follow-up on our report on Voting Power Centralization in Governance Period 4 we decided to look into known addresses from the governor whale list, as well as their consensus participation status. In case you missed it and can't be bothered to check, we defined "whale wallets" as single-entity governors that have committed at least 1 million ALGO and are still eligible. We excluded the top governor - Folks Finance - as their vote is decided by Folks protocol users. ...

Overview We analyzed the top eligible wallets enrolled for Algorand Governance Period 4 as of August 21, 2022. The data shows a very "whale" heavy distribution of voting power and rewards, where the top 37 individual "whale" wallets control the vote and reap 50% of rewards, and wallets with over 1 million ALGO commitment control 86% of the vote and rewards. Data Sources To get our raw data, we used two different data sources and correlated them to confirm correctness: ...

TL;DR: Maximizing our vaulted ALGO with borrowed ALGO yielded more than 2x in governance rewards profit. For the third Governance season we tried the AlgoFi vault for Governance: AlgoFi counts vaulted Algo as collateral that you can borrow against. Borrowing Algo against your vaulted algo has two advantages: You can add the borrowed algo to the vault, thus increasing your collateral and ability to borrow more Algo. You are not exposed to liquidation danger due to price fluctuations between your collateral and borrow value, as they are the same picture price. Your risk in this scheme is essentially confined to smart contract risk: AlgoFi vault contracts failing either catastrophically (entire vaulted amount lost) or partially (inability to vote and/or claim rewards). This was palatable to our risk tolerance considering AlgoFi's reputation and audits, so we tested it out on a few accounts. ...

To celebrate Algorand MainNet's third birthday on the 11th of June 2022, we set up a mini-project consisting of a countdown timer to the big day: is it algorands birthday dot com and a midi project that will be revealed there on Algorand's big day. We picked June 11 from Block Zero's timestamp on MainNet: "2019-06-11T00:00:00Z" At midnight the countdown will transition to a web2.0 celebration extravaganza. CSS3 is definitely invited, and even 3D may make a cameo. ...

So you want to do High Availability Algorand stuff. But algod, your trusty portal to and from the Algorand blockchain, can betray you in a number of ways: It can go down for upgrades. algod must be up to date to keep syncing. It is recommended to set up a cron job to attempt to update algod every day. This will usually include some downtime we\ think It can go down for not upgrading. We had a (non-production) algod which got stuck on a particular block. After looking into it, it was a couple of versions old, and after a pre-agreed-upon round, it just stopped syncing. Updating was quickish - the update script worked great, but it did require some time to migrate/rebuid some index files to the latest version. It can get stuck, or be left behind, because software is hard, complicated and unpredictable in fascinating ways. We are building a bunch of stuff on Algorand, and one of them definitely requires H/A - the AlgoFi Borrow Utilization Monitoring Service. This puppy will keep track of every AlgoFi account's utilization percentage, as well as the AlgoFi oracle lending prices, in order to calculate borrow utilization and notify users when theirs exceeds whatever threshold they have specified. We want this done at every single block, 24/7/365, guaranteed. ...

Following a positive response to a reddit post I made about the need for an AlgoFi borrow utilization & liquidation notification service, Hellen and I started looking into AlgoFi blockchain data relating to lending & liquidations. We prepared a nice spreadsheet with every single liquidation, as well as some nice stats. What's a liquidation? When you take a loan out on AlgoFi, if your collateral's value drops to be worth less than your maximum allowed borrow value*, your account can be liquidated. ...