Beginning on the 1st of January 2022, an attack was orchestrated by unauthorized users on some of Tinyman’s pools by exploiting a previously unknown vulnerability in the Tinyman contracts. The exploit drained certain ASAs in the first hours of the attack, which led to increased volatility in the immediate aftermath.
As the Tinyman team, we’d like to express our deepest regret and concern over the events that transpired. We apologize to our community for the inconvenience and their losses. We started working on plans to compensate the Tinyman community and will make this community prosper again. Users affected by this event will be reimbursed by the protocol. We are here to help and grow Algorand and get stronger by doing the right thing.
BASICS OF THE INCIDENT
Although the Tinyman team is still investigating the issue to leave no stone unturned, we have found the first evidence that may shed light on the incident. Without going into the technical details of the attack, we’d like to share our first findings.
According to the Algorand chain records, the first perpetrators activated their wallet addresses and deposited a seed fund for the hack. This is the transaction that shows their first deposit:
https://algoexplorer.io/tx/65AYHK27CR6OXLN6WXOAAJBS6JL37LOB7LPZN5ZF3H3CQHR6FZBQ
To carry out their attack, they began transacting with the targeted pools, swapped a portion of their funds to acquire ASA ID: 386192725 (gobtc), and minted some Pool Tokens. Up to this stage, the perpetrators were simply making sure they had the initial funds to begin their hack.
The account’s first attack was this transaction group:
https://algoexplorer.io/tx/group/KbOlFc02lRAonvc4yfgpI%2FfkNrlP2FDHGX1ESAF2lvs%3D
As can clearly be seen, the attacker exploits a previously unknown bug in the burning of Pool Tokens and receives two units of the same Asset instead of the two different Assets of the pool. This worked in favor of the attacker since the gobtc asset was significantly more valuable than ALGO; they immediately swapped the gobtc for ALGO to obtain more funds to continue their attack.
In a series of transactions, the attacker went on to drain the gobtc and goeth (ASA ID: 386195940) pools over 17 transactions and removed a sizable amount of value. This value is estimated at around 3 million dollars at the time of withdrawal.
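The defensive property that the burn described above violates is simple to state: redeeming Pool Tokens must pay out the pool's two distinct assets, in proportion to the share redeemed, and never the same asset twice. The following is an added illustration written for this post, not Tinyman's contract code and not a reconstruction of the actual bug; it models a two-asset pool in plain Python (the pool, its reserves, the asset IDs used for ALGO and gobtc in the sample data, and the check itself are all constructed for the example) and shows the invariant check a burn routine should enforce before releasing any funds.

```python
from dataclasses import dataclass


class BurnError(ValueError):
    """Raised when a burn request violates a pool invariant."""


@dataclass
class Pool:
    # Constructed model of a constant-product pool: two distinct asset IDs,
    # their reserves, and the number of Pool Tokens currently issued.
    asset1_id: int
    asset2_id: int
    reserve1: int
    reserve2: int
    issued_pool_tokens: int

    def __post_init__(self):
        # A pool must always pair two different assets.
        if self.asset1_id == self.asset2_id:
            raise BurnError("pool assets must be distinct")


def burn(pool: Pool, pool_tokens: int, out_asset_a: int, out_asset_b: int) -> dict:
    """Redeem pool_tokens for a proportional share of both reserves.

    The caller names the two assets it expects to receive; the routine
    refuses unless those are exactly the pool's two distinct assets.
    Returns {asset_id: amount} for the two payouts.
    """
    # Invariant 1: the two requested outputs must differ from each other.
    if out_asset_a == out_asset_b:
        raise BurnError("burn must pay out two different assets")
    # Invariant 2: the requested outputs must be exactly the pool's pair.
    if {out_asset_a, out_asset_b} != {pool.asset1_id, pool.asset2_id}:
        raise BurnError("requested assets do not match the pool's assets")
    # Invariant 3: cannot redeem more Pool Tokens than exist.
    if pool_tokens <= 0 or pool_tokens > pool.issued_pool_tokens:
        raise BurnError("invalid pool token amount")

    # Proportional payout, rounded down so the pool is never over-drawn.
    amount1 = pool.reserve1 * pool_tokens // pool.issued_pool_tokens
    amount2 = pool.reserve2 * pool_tokens // pool.issued_pool_tokens

    pool.reserve1 -= amount1
    pool.reserve2 -= amount2
    pool.issued_pool_tokens -= pool_tokens
    return {pool.asset1_id: amount1, pool.asset2_id: amount2}


# Constructed sample: asset ID 0 stands in for ALGO, 386192725 is the gobtc
# ASA ID quoted in the post; reserves and token supply are made-up numbers.
ALGO_ID = 0
GOBTC_ID = 386192725


def make_sample_pool() -> Pool:
    return Pool(asset1_id=ALGO_ID, asset2_id=GOBTC_ID,
                reserve1=1_000_000, reserve2=2_000, issued_pool_tokens=10_000)


if __name__ == "__main__":
    pool = make_sample_pool()
    print(burn(pool, 1_000, ALGO_ID, GOBTC_ID))  # {0: 100000, 386192725: 200}
    try:
        burn(pool, 1_000, GOBTC_ID, GOBTC_ID)  # same asset twice is refused
    except BurnError as exc:
        print("rejected:", exc)
```

The point of the example is the ordering: every check on which assets are being paid out happens before any reserve is touched, so a malformed burn request fails closed rather than leaving the pool to discover the mismatch after funds have moved.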
The perpetrators’ next set of actions shows how they swapped over pools with stablecoins to extract most of the value and withdraw these assets to other on-chain wallets and recognized centralized exchanges.
Unfortunately, all these transactions left behind a sum of money stolen from various users. As first reports began flocking to our social channels, we pinpointed the attack and started studying its extent.
As the investigation continues, our findings suggest that many wallets are now exploiting this bug, and we have evidence that those people can be held as culpable as the first attackers. For all the white-hat hackers who are trying to support us, we advise them to simulate their actions on testnet, where the funds aren’t real and the contracts behave exactly the same.
WHAT IS GOING ON WITH TINYMAN NOW?
Since the contracts are permissionless, not even the Tinyman team has the power to block any kind of transaction on the blockchain. So, as a first step, a formal announcement was made on 02.01.2022 to all Tinyman users recommending that they withdraw all their liquidity from all Tinyman related contracts. Moreover, all the add-liquidity routes in the web app were removed and the necessary warnings were placed on the website to protect our community.
When the attack began, total liquidity in Tinyman was around 43 million USD, only to be reduced to around 20 million within hours of the attack. Following our advice, projects and users began removing their liquidity, which brought the total down to 5 million USD. It is crucial to realize that the difference between the 43 million USD and the current number is not a lost amount: a huge portion of it was reclaimed by the users and is totally safe in their wallets.
We are continuing our investigation to resolve the issue, with a plan devised to cover all the different aspects and show a clear pathway for our next set of actions. In the meantime, we keep our ears and eyes on the Tinyman socials for all those who require assistance or who may contact us to help.
NEXT STEPS
Within the next couple of days, we will publish our technical report about the issue to cover all the details of the incident, including the events that transpired or are still happening right now. We want to reassure our community that with this report and with our further communication, the Tinyman team will establish full transparency in addressing, understanding, and resolving the incident.
The team has already started creating multiple roadmaps to restart the Tinyman protocol. The current roadmap is to fix the smart contracts and publish them as soon as possible with help from Runtime and our community. We plan to get the protocol up and running within this week so the ecosystem can rebalance itself. Our next steps will also include publishing the damage report and helping recover the lost funds for our affected users. In the meantime, we are collaborating with law enforcement agencies to find more information about the perpetrators. We are in communication with the third parties that the attacker address has interacted with, so we will be able to share details on that end when we have more information.
We will try our best to be transparent and communicate all of our actions moving forward. We should also remind our users that their wallets are not compromised by interacting with the Tinyman contracts. If you have removed your liquidity, then your funds are safe.
ON A FINAL NOTE
Since the moment of the attack, we have received tremendous support from the community and the Algorand ecosystem. We’ve been in constant communication with most of the teams in the ecosystem, which has been crucial in helping us understand and resolve the problem. We have been in touch with many of our LPs, including Borderless, Arrington, and Meld. It is humbling to get their support during this time, and we would like to thank the teams of Algomint, Algofi, Yieldly, Headline Crypto, Tinychart and many of our community members who stepped up to show support and help understand the issue. This shows us that the Algorand ecosystem is strong and will bounce back from this stronger than before. As we collaborate and learn more, we will only get stronger.
Finally, we’ve also been in touch with Algorand Inc and the Algorand Foundation, who have expressed their support. As we have more details, we’ll make sure to share them with our community so that the Algorand ecosystem recovers from this while we remain completely transparent, putting our users' needs at the center of our efforts.