Tinyman Liquidity Hack

    At the start of the new year Tinyman was hacked for approximately $3 million worth of liquidity (at the time of the attack). The wallet that initiated the hack was RJROFHHDTCMDRCPYSBKN2ATSKZAPOPEV3KWR3IQEOIZMMZCPMMCEUTXGG4 (https://algoexplorer.io/address/RJROFHHDTCMDRCPYSBKN2ATSKZAPOPEV3KWR3IQEOIZMMZCPMMCEUTXGG4). The wallet was able to take advantage of a flaw in the goBTC (Asset_id: 386192725) and goETH (Asset_id: 386195940) pools on Tinyman: when they burned their liquidity pair, they were able to receive exclusively goETH or goBTC instead of goETH/goBTC and ALGO. Here is the transaction Group ID of the first instance of the attack: KbOlFc02lRAonvc4yfgpI/fkNrlP2FDHGX1ESAF2lvs= (https://algoexplorer.io/tx/group/KbOlFc02lRAonvc4yfgpI%2FfkNrlP2FDHGX1ESAF2lvs%3D). Unfortunately, when others found out about this vulnerability they took advantage of it as well. Show how much goETH and goBTC was stolen by each wallet that took advantage of this flaw. How much of the stolen goETH and goBTC has been swapped for other assets? What assets have the goETH and goBTC been swapped for? How much of each asset has been swapped for the stolen goETH and goBTC?


    Tinyman is a reimagined decentralized trading protocol, utilizing the fast and secure framework of the Algorand blockchain to create an open and safe marketplace for traders, liquidity providers, and developers.

    On January 1, 2022, some of the Tinyman project’s pools were attacked. The attacker exploited a vulnerability in the Tinyman pools’ contract code that allowed them to receive the same token twice after a burn rather than two different tokens. This was to their advantage because it allowed the attacker to extract twice as much goBTC instead of a mix of goBTC and ALGO tokens. Since goBTC is much more valuable than ALGO, this allowed the attacker to make a significant profit and drain approximately $3 million in goBTC and goETH from the Tinyman pool over multiple transactions. These tokens were then swapped in pools for stablecoins in the majority of cases and withdrawn to other exchanges and wallets.

    In this article, we are going to compute how much goETH and goBTC was stolen by each wallet, how much of it has been swapped for other assets, and which assets it has been swapped for.


    To do that, first of all we will need to filter the Algorand goETH and goBTC transactions during the time of the hack. Then, from these transactions, we will need to extract the different wallets and the amounts of each asset that were transacted (stolen) at that moment. I have computed both the overall results and the numbers over time.

    Finally, for the last task, we will need to do the same and then filter the asset_transfer_transaction data to see how much goETH and goBTC was swapped and for which assets.
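
    The filtering approach described above, sketched as an added example (not the article's own query or code): it flags transaction groups in which a pool paid the same asset out twice to one receiver, then totals what each flagged wallet received and later sent back into a pool. The pool and wallet names, the sample rows and the use of asset ID 0 for ALGO are assumptions made for the illustration.

```python
from collections import defaultdict

GOBTC, GOETH = 386192725, 386195940   # asset IDs given in the article
ALGO = 0                              # assumption: ALGO represented as asset ID 0
POOLS = {"POOL_GOBTC_ALGO", "POOL_GOETH_ALGO"}  # placeholder pool addresses

# Constructed sample rows: (group_id, sender, receiver, asset_id, amount in base units)
TRANSFERS = [
    ("g1", "POOL_GOETH_ALGO", "WALLET_LP", GOETH, 500),   # normal burn: both sides paid
    ("g1", "POOL_GOETH_ALGO", "WALLET_LP", ALGO, 90000),
    ("g2", "POOL_GOBTC_ALGO", "WALLET_A", GOBTC, 300),    # same asset paid twice
    ("g2", "POOL_GOBTC_ALGO", "WALLET_A", GOBTC, 300),
    ("g3", "POOL_GOETH_ALGO", "WALLET_B", GOETH, 120),    # same asset paid twice
    ("g3", "POOL_GOETH_ALGO", "WALLET_B", GOETH, 80),
    ("g4", "WALLET_A", "POOL_GOBTC_ALGO", GOBTC, 150),    # later swap: goBTC in, ALGO out
    ("g4", "POOL_GOBTC_ALGO", "WALLET_A", ALGO, 70000),
]

def same_asset_burns(transfers, pools):
    """Group IDs where a pool paid one receiver the same asset two or more times."""
    counts = defaultdict(int)
    for group, sender, receiver, asset, _ in transfers:
        if sender in pools:
            counts[(group, receiver, asset)] += 1
    return {group for (group, _, _), n in counts.items() if n >= 2}

def received_by_wallet(transfers, pools, groups):
    """Total pool payouts per (wallet, asset) inside the flagged groups."""
    totals = defaultdict(int)
    for group, sender, receiver, asset, amount in transfers:
        if group in groups and sender in pools:
            totals[(receiver, asset)] += amount
    return dict(totals)

def swapped_by_wallet(transfers, pools, received):
    """Flagged assets that flagged wallets sent into any pool.

    Heuristic: counts every transfer into a pool and ignores ordering in time.
    """
    out = defaultdict(int)
    for _, sender, receiver, asset, amount in transfers:
        if (sender, asset) in received and receiver in pools:
            out[(sender, asset)] += amount
    return dict(out)

if __name__ == "__main__":
    flagged = same_asset_burns(TRANSFERS, POOLS)
    got = received_by_wallet(TRANSFERS, POOLS, flagged)
    print(sorted(flagged), got, swapped_by_wallet(TRANSFERS, POOLS, got))
```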


    First, we are going to see the results for goETH and goBTC stolen by wallet.


    As a result, we can see that 4 different wallets stole some goETH and/or goBTC. In fact, all of them stole some goETH, and only one of them, the one that stole the most goETH, also stole goBTC. In total, this wallet stole more than 140 goETH and more than 35 goBTC. The rest of the wallets stole 34.73, 21.08 and 8.95 goETH.

    And what about the numbers over time?


    As we can see, each wallet acted within a short timeframe. The first wallet to take action (around January 1st 2022 at 19:03) was the one that stole the most goETH and the only one that was able to steal goBTC. The other wallets stole the assets on January 2nd between 2:02 and 8:40, and all of them stole only goETH.

    Now, we are going to proceed with the quantity of goETH and goBTC that has been swapped for other assets, as well as which assets it has been swapped for.


    Of the almost 205 goETH, a total of 59 were swapped for other assets, which represents approximately 29%. A little more than 10 goBTC were swapped out of the 34 in total, representing around 29-30% of the total.

    After the assets were stolen, they were swapped basically for ALGO and/or USDC, and a small amount went into swaps from goETH to goBTC or goBTC to goETH. ALGO was the preferred token, with almost 500k ALGO received. The ALGO was obtained in equal portions from goETH and goBTC, and the USDC was obtained entirely from goBTC.


    To conclude, we have seen that a big Algorand platform was hacked, with around $3M USD stolen in goBTC and goETH assets, which were swapped practically only for ALGO and USDC. 4 wallets were involved, with one of them leading the hack in terms of amount stolen.