We made our first announcements and explanations about the incidents that began on 01.01.2022 in our previous blog.
Since the first exploit took place, more addresses began copying the exploit on numerous pools; however, we have observed that these secondary exploits are hurting only a limited number of users and pools. It is clear that the first wave of attacks did the most significant damage.
This particular report is prepared to give more technical insight into the initial and biggest attacks of the incident, which are also the attacks that made the most impact. In addition, we will detail the amounts extracted from the pools, the number of transactions, and the current whereabouts of the stolen funds.
Some of these accounts have contacted us to cooperate and return the funds. We appreciate this behavior which helps those who suffered. We will give more information about these collaborations later.
Our first image gives a clear picture of the first attacker's behavior.
The wallet RJROFHHDTCMDRCPYSBKN2ATSKZAPOPEV3KWR3IQEOIZMMZCPMMCEUTXGG4 with a holding of only 88.57 ALGOs was funded from Kucoin just before moving on to operating his malicious code starting on Sat, 01 Jan 2022 19:03:23 GMT. In a series of 16 swappings, minting and burning transactions, the wallet holder carried out 3 attacks on goBTC/ALGO pool (ASA ID: 386192725) and 2 attacks on the goETH/ALGO pool (ASA ID: 386195940), in that order.
As a result of these attacks, both pools lost a total of:
At a current valuation of 1.8 million USD
The first attacker carried out the attacks in a little over an hour and began withdrawing the stolen funds to other wallets, AlgoFi lending protocol, and a well-recognized Central Exchange. This list gives an idea of the current allocations of the stolen funds:
Most of the damage suffered during the last 4 days was done by this single hostile user. Our estimations indicate that around 70% of the total damage is directly suffered due to this single wallet holder's malicious activities.
Here is the detailed list of transactions carried out by the first attacker.
Second and Third Perpetrators
The second wallet is presumed to be a single individual as the exploit is done from a wallet believed to be personally used before the incident. On 02 Jan 2022 02:02:24 GMT, around 6 hours after the initial wave of attacks ended, the second wallet registered only 1 attack on the goETH/ALGO pool. There are 6–7 days between mint and burn operations. After seeing the original hack, we extrapolate that the account realized the issue and wanted to seize the opportunity. This wallet did damage of:
8.955 goETH at a current valuation of 30k USD.
15 minutes after the second wallet's activity, a third wallet — funded 2 months before carrying out the attacks, began attacking the same goETH/ALGO pool. The third wallet registered 6 attacks in a series of 38 transactions in 2.5 hours and did damage of:
At a current valuation of 112k USD as detailed below.
These two accounts have cumulatively caused 160k USD of damage to the goETH/ALGO pool.
The fourth wallet followed suit shortly to exploit the same vulnerabilities, removing:
At a current valuation of 68k USD.
Total Damage of the Biggest Attack and First Commentary
The most considerable damage was caused by these 4 accounts and resulted in around 2 million USD loss.
These attacks occurred in the first 12 hours of the incident and affected about 250 users with holdings in goBTC and goETH.
We have seen a drop of the Total Value Locked (TVL) from around 43 million USD to 21 million USD 12 hours after the initial attack, the majority of which was removed to the safety of the authorized wallets. The community's swift reaction and appropriate placements of warnings have led to a fast response to save between 90–95% of the total liquidity in Tinyman.
We have also made significant progress in our overall investigation, which details every malicious attempt at the pools and their corresponding damages. As the first attack method became public, more (but, to our delight, not many) hackers began copying the hack and initiated attacks on smaller pools with the same vulnerabilities.
Up until now, our on-chain observations show 43 pools affected by 360 malicious activities. Only 13 unique addresses carried out these attacks, some of which may have begun implementing bots to carry out automatic attacks.
Our investigation is still ongoing as the attacks also still ongoing, and we'll give updated reports on all the pools that have suffered.
Currently, our team is working on two major tasks. The first is updating our smart contracts, which we are happy to say have been completed and sent to 2 audit firms who are working hard to make sure there are no vulnerabilities to exploit. Once we get the green light from the auditors, we'll be deploying the updated contracts on testnet.
At this point, we'll kick off a $100,000 bounty program with a tiered structure. We are looking forward to seeing our community stepping in and helping us make sure we are all confident before the mainnet deploy.
Moving onto the burning question of when we'll be back online, we can't give any exact dates since we don't have all the information yet. What we can say is, assuming everything goes according to plan, we can be online as early as the week of Jan 17–23. Obviously, if there are issues in the new smart contracts uncovered during the internal or community audit phases, this timeline can shift. Our focus is to ensure trading can start as soon as possible so projects and communities can return to business as usual.
The second task is to compile all the data on how the community was affected. Our first priority is to take care of our users who lost funds, ensuring we know who those users are and how much was taken. We plan to pay back these users in full. These users were mainly in the top 4 pools mentioned in the report above. The following steps will be to concentrate our efforts on understanding how this event affected the ecosystem. This is a much more significant challenge. We are thinking about different solutions to how we can make the community whole again, but it will take time.
We are dedicated to doing our best to reward all of our users with the launch of our token. We are thinking about special reward programs that only wallets that had LP positions at the time of the attack can join, making sure the rewards go to the right hands.
Essentials for our community
We'll continue with our work and update the community as much as possible. You can reach us on telegram or discord. Thank you for all the support; it means a lot and gives us the strength to push harder.