Tinyman Hack (January 2022)
Analyze the impact of the Tinyman hack of January 1, 2022. Provide a list of all wallet addresses impacted by this hack. For each wallet address, show how much value it had in the Tinyman protocol, and how much it lost in the hack. Additionally calculate the total loss value from the hack.
Total funds lost
A total of 2.68 Million USD was lost to the exploit. All of this was made possible by exploiting an unknown bug in the burning of Pool Tokens, through which the attacker receives two of the same Asset instead of two different Assets.
While the user RJROFHHDTCMDRCPYSBKN2ATSKZAPOPEV3KWR3IQEOIZMMZCPMMCEUTXGG4 started the hack, 10 more users continued the attack over the next few days.
Funds lost
We see that among the tokens lost to the exploit, 50% of the value was in the form of goBTC (a wrapped version of BTC) and 32% in the form of goETH (a wrapped version of ETH).
Akita Inu was the third largest sufferer and aDOGE (woof woof) came in fourth.
While the hack started by exploiting goBTC pools, it then moved on to goETH and subsequently to other meme tokens. The attacks on Akita Inu and aDOGE (meme tokens that go woof woof) happened much later, on Jan 3 and 4.
Top hackers
User RJROFHHDTCMDRCPYSBKN2ATSKZAPOPEV3KWR3IQEOIZMMZCPMMCEUTXGG4
is the one who started the exploit; the others then followed. He alone made close to 2.1 Million USD from the hack, primarily focused on goBTC and goETH.
Top losers
AR6TJOX2SW37FVX2JVXQDM3TNUNMTOXZH2ROG5ZOHAD3FKP6GGHW2SVKMA was the creator of the goETH pool, which lost close to 1 Million USD.
6HSDB262OTVTPDGTJHDWTQPG2W6QWWEM5HF56OTJG4YH6LACV4BOPCY5NQ was the creator of the goBTC pool, which lost close to 1.42 Million USD.
Top creator addresses that lost funds
Badly affected wallets
We define users who lost money as users who were not able to withdraw the same USD value that they had deposited. Anyone who provided liquidity to a pool since the hack is also considered a user who lost funds.
Funds lost by users = pool balance before hack - pool balance after hack.
NOTE pnl → profit and loss
User XHUGC3P6KDE5DEU477SM3VR5V4Z4VHENIEN2MTWR3QSVLQQPSG7QOOPSEI
was the major loser here, losing close to 220k USD in value, and user 2J5KQTOWOFAUWTGGKGAXCYEEOR7OGZTY54EIY77LEV3G2TPVMX4LBI275A
also lost close to 180k USD worth of tokens.
These users provided liquidity just before or after the hack happened, which resulted in them
- losing liquidity to the hacker
- or being ineligible for Tinyman compensation
Top losers and gainers in individual token
Use the dropdown to choose your token
The number of users who lost funds in the selected pool (goBTC) is 53.
top gainer
Individual user
Use the drop down to find the balance of the user you would like to analyse
Key takeaway
- 2.68 Million USD lost to 11 users over a period of 5 days.
- goBTC and goETH were the initial targets and make up 80 % of funds lost.
- 1237 users lost money, highest loss being 220k USD.
- 55 users lost money in goBTC.
Twitter thread:
Introduction
Beginning on the 1st of January 2022, an attack was orchestrated by unauthorized users on some of Tinyman’s pools by exploiting a previously unknown vulnerability in the Tinyman contracts. The exploit resulted in a drain of certain ASAs in the first hours of attack which led to increased volatility in the immediate aftermath. The attacker exploits an unknown bug in the burning of Pool Tokens and receives two of the same Assets instead of two different Assets. This worked in favor of the attacker since the gobtc asset was significantly more valuable than ALGO, which they immediately swapped against ALGO to receive more funds to continue their attack.
The perpetrators’ next set of actions shows how they swapped over pools with stablecoins to extract most of the value and withdraw these assets to other on-chain wallets and recognized centralized exchanges.
When the attack began, total liquidity in Tinyman was around 43 million USD, only to be reduced to around 20 million even hours after the attack.
Reference -
Methodology
To identify hacker activity:
- we identify all transactions that burnt Tinyman pool tokens
- identify the respective tx_group_ids
- identify the transactions that received two of the same token (excluding the Algorand token), as this signifies the hack
- perform visualisation on this data
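The three detection steps above, worked on a constructed sample of transaction groups (added example, not part of the original dashboard or its queries; field names, asset ids and addresses are placeholders): only groups that burn the pool token are candidates, and a group in which the pool pays the same non-ALGO asset to the same receiver twice is flagged as an exploit group.

```python
from collections import Counter, defaultdict

# Constructed sample transactions in a flattened form (assumed field names, not Tinyman's or Flipside's schema).
ALGO = 0            # asset id 0 stands for the native ALGO token
GOBTC = 1001        # placeholder id for goBTC
POOL_TOKEN = 9001   # placeholder id for the goBTC/ALGO pool's LP token
POOL = "POOL_ADDR"  # placeholder pool address

SAMPLE_TXNS = [
    # g1: normal burn, the pool returns one goBTC and one ALGO transfer
    {"group": "g1", "sender": "USER_A", "receiver": POOL, "asset": POOL_TOKEN, "amount": 100},
    {"group": "g1", "sender": POOL, "receiver": "USER_A", "asset": GOBTC, "amount": 5},
    {"group": "g1", "sender": POOL, "receiver": "USER_A", "asset": ALGO, "amount": 3000},
    # g2: the exploit pattern, the pool pays goBTC twice instead of goBTC + ALGO
    {"group": "g2", "sender": "ATTACKER", "receiver": POOL, "asset": POOL_TOKEN, "amount": 100},
    {"group": "g2", "sender": POOL, "receiver": "ATTACKER", "asset": GOBTC, "amount": 5},
    {"group": "g2", "sender": POOL, "receiver": "ATTACKER", "asset": GOBTC, "amount": 5},
    # g3: burn with two ALGO transfers (e.g. a fee refund); ALGO is excluded, so no hit
    {"group": "g3", "sender": "USER_B", "receiver": POOL, "asset": POOL_TOKEN, "amount": 50},
    {"group": "g3", "sender": POOL, "receiver": "USER_B", "asset": GOBTC, "amount": 2},
    {"group": "g3", "sender": POOL, "receiver": "USER_B", "asset": ALGO, "amount": 1500},
    {"group": "g3", "sender": POOL, "receiver": "USER_B", "asset": ALGO, "amount": 1},
]

def find_hack_groups(txns):
    """Map group id -> (receiver, asset) for burn groups that paid the same non-ALGO asset twice."""
    by_group = defaultdict(list)
    for t in txns:
        by_group[t["group"]].append(t)          # step 2: work per tx_group_id
    hits = {}
    for gid, group in by_group.items():
        burned = any(t["asset"] == POOL_TOKEN and t["receiver"] == POOL for t in group)
        if not burned:
            continue                            # step 1: only pool-token burns qualify
        payouts = Counter((t["receiver"], t["asset"]) for t in group
                          if t["sender"] == POOL and t["asset"] != ALGO)
        for key, n in payouts.items():
            if n >= 2:
                hits[gid] = key                 # step 3: same asset twice = exploit
    return hits

def exploit_totals(txns):
    """Sum the duplicated payouts per (receiver, asset) over all flagged groups."""
    hits = find_hack_groups(txns)
    totals = Counter()
    for t in txns:
        if t["group"] in hits and (t["receiver"], t["asset"]) == hits[t["group"]]:
            totals[(t["receiver"], t["asset"])] += t["amount"]
    return dict(totals)
```

The `exploit_totals` output, keyed by receiver and asset, is the per-hacker, per-token table the "Top hackers" and "Funds lost" charts are built from.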
To identify losers and gainers
To identify losers, we first define the term.
We define losers as users who provided x USD of liquidity to the pool but could not withdraw it, or removed their liquidity at a loss. We identify this by calculating the total amount deposited (mint of pool token - burn of pool token) before the hack and again after the hack (mint of pool token - burn of pool token). The difference between them reveals the loss incurred by the user.
For the sake of this analysis, we restrict our time frame to the 5 days of the attack, since 95% of the value had been removed by then. Users providing liquidity after the hack usually lost money to the hacker itself and were not eligible for the Tinyman compensation. For analysing losses to end users, we consider a timeframe of 10 days.
Glossary
Creator address: the address that created the token; it is usually the issuer/burner of these tokens.
Users: the end-user addresses that individuals (or, rarely, institutional wallets) use.
Hackers: users who indulged in fraudulent activities and tried to receive two of the same token by burning LP tokens.
Conclusion
- 2.68 Million USD lost to 11 users over a period of 5 days.
- goBTC and goETH were the initial targets and make up 80 % of funds lost.
- 1237 users lost money, highest loss being 220k USD.
- 55 users lost money in goBTC.