Full Technical Report on Attacks

Tinyman’s Technical Report About the Hack

We are happy to announce that we have completed compiling all technical reports about the exploits in the Tinyman v1 pools.

In our previous report, we have detailed the findings of the highest damages suffered during the first wave of attacks, which also was found to constitute the largest portion of holdings lost by all pools. To recap, the first wave of attacks was orchestrated by 4 wallets on goBTC/ALGO, goETH/ALGO pools and drained about 1.8 M USD of funds from these initial pools.

What followed the first wave was a set of other criminal wallets jumping in to repeat the exploit, implementing it on other ASA/ASA pools as well as ASA/ALGO pools. This “second wave” of attacks, as we call them, started infiltrating all the pools to drain funds wherever it is plausible to steal the assets. The incentive for attacking the pools was determined by the exchange ratio(price) and the micro-units representation of the underlying assets.

This second wave of attacks also saw the exploit being implemented in minting LPs, which was a function of Tinyman’s v1 contracts that allowed users to add liquidity to pools. This particular exploit implicated that the attackers could actively begin changing the asset ratios in the pool to alter the price. Bringing together all the exploits and calculations of the ratio of assets in the pools, hackers introduced bots to outpace the LPs being moved away as well as each other in order to drain as much funds as possible.

Although these perpetrators were quite adamant in developing more tools to diversify their strategies, fast response from the community has left behind very little for them to take away. This led to a high amount of hostile transactions walking away with minimal damage. Most of the ASAs that were drained during the second wave of attacks were consequently swapped on the spot to get ALGOs out of the shallower pools in spite of the huge price impacts. As a result, the hackers walked away with less ALGOs than the total damage amount the pools have suffered.

Results show that more than 95% of the damage was inflicted within the first 48 hours and the overall impact diminished as hours passed by. In total, 14 hostile wallets have targeted 57 pools with 583 malicious transactions in the span of about 4 days. This report stops calculating the damages at the end of the 5th of January, as the damages became insignificant and bot activity became very common. The attacks still continue today without having a material monetary effect or any kind of impact on an ASA.

We found that the total stolen funds are worth 2.9M USD.

Our calculations assume exchange rates defined at the last transaction before the malicious attacks and an ALGO/USD price of 1.77, a rate in the standard market conditions at the time of the attack. It neglects all price impacts attackers suffered due to their bulky swaps in shallow pools.

In the link below, you can check out the final results for these 57 pools.

Note that we employed two very similar methods of calculations.

The first calculation method is

Stolen Amounts = (Attacker Burns - Attacker Mints)

As the attackers use fraudulent burns and mints to drain funds from the pools, the difference yields the net amount stolen.

The second calculation method is

Stolen Amounts = (Attacker Burns - Attacker Mints) + Redeems

Attackers’ burning and minting operations leave behind a redeemable amount in the pools, which were claimed via subsequent transactions. However, because the attacker also carried out swaps in the same pools, determining the origin and hence the share of the malicious redeemed amounts become very complicated. So, in the second method, we included all the redeemed amounts (malicious or not) and added them to damages inflicted, which in theory should only be a certain percentage, different for each case.

This is the last report we are going to publish about the hacks. We will continue monitoring the pools to gather more insights and start the calculation of losses of each LP for the upcoming compensation stage. We are aware that there are still new pools and attacks after the 5th of January, but all new reports will be created only internally to facilitate moving onto the next stages.

If you want to share your opinion or additional findings of the incidents, you can contact us through our socials. We are always looking for your contribution and your invaluable support.




Telegram Announcements




Tinyman is a re-imagined decentralized trading protocol that utilizes the fast and secure framework of the Algorand blockchain