Algorand - Tinyman Hack (January 2022)

    Introduction


    • What happened in Tinyman Hack?

      > The Tinyman hack was enabled by a flaw in the project’s smart contract code. When a user calls the protocol’s burn function, they should receive two different types of tokens in exchange. The amounts of each token depend on the amount stored within the protocol.
      >
      > The attacker exploited a vulnerability in the Tinyman pools’ contract code that allowed them to receive the same token twice after a burn rather than two different tokens. This was to their advantage because it allowed the attacker to extract twice as much gobtc instead of a mix of gobtc and ALGO tokens. Since gobtc is much more valuable than ALGO, this allowed the attacker to make a significant profit and drain approximately $3 million in gobtc and goeth from the Tinyman pool over multiple transactions. These tokens were then swapped in pools for stablecoins and withdrawn to other exchanges and wallets.

    • In this dashboard, let’s examine the impact of the hack.

    • There is a list of all wallet addresses impacted by this hack at the end of this dashboard.

    • To export the list as CSV, click the 3-dot button at the top right corner of the list.

    Structure


    • How did the hack happen, exactly?
    • Total loss from the hack
    • Activities of impacted LPs
    • List of impacted LPs
    • Key highlights

    How did the hack happen, exactly?


    Mint: mint Pool assets in exchange for transferring assets to the Pool account.

    Burn: burn Pool liquidity assets in exchange for removing assets from the Pool.

    According to Tinyman’s docs, when a liquidity provider (LP or pooler) burns Pool liquidity assets in exchange for removing assets from the Pool (for a pool whose asset 2 is Algo), the following events normally happen, in chronological order:

    1. Pay - pay fees in Algo from Pooler to Pool
    2. AssetTransfer - Transfer of asset 1 from Pool to Pooler
    3. ==Pay - Transfer of Algo from Pool to Pooler (with the same value as the asset 1 transferred in event 2)==
    4. AssetTransfer - Transfer of liquidity token asset from Pooler to Pool

    However, the attackers were able to replace event 3 with a transaction of the same type as event 2 but with a different amount, so the following events happened instead:

    1. Pay - pay fees in Algo from Pooler to Pool
    2. AssetTransfer - Transfer of asset 1 from Pool to Pooler
    3. ==AssetTransfer - Transfer of asset 1 from Pool to Pooler (with a much larger amount than event 2’s amount)==
    4. AssetTransfer - Transfer of liquidity token asset from Pooler to Pool

    Below are examples of a normal burn and a hack burn; the difference is in event no. 3.

    (Transaction tables: normal burn example and hack burn example)

    In the hack burn example above, the hacker got 30.61 goETH (2.34 + 28.27) instead of assets worth 4.68 goETH (2.34 goETH plus the equivalent of 2.34 goETH in Algo). → ==The hacker gained 6.5x (30.61 / 4.68) in this example.==


    Total loss from the hack


    Methods

    To calculate the loss from the hack, I use the same method as in the hack example above: the total value of event no. 3 across all hack burns, minus the total value event no. 3 would have had if those burns were normal burns, which equals the total value of event no. 2 across all hack burns.
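As an added example (not Tinyman’s code or the dashboard’s query), the check below classifies a 4-transaction burn group against the event layout documented above and computes the extra asset 1 a hack-pattern burn extracts, using the same event 3 minus event 2 method. The transaction records are a constructed, simplified view of a group; the pool and pooler addresses are placeholders, and a normal burn’s Algo payout is expressed as its asset 1 value, as the dashboard does.

```python
# Added example (not Tinyman's code): check a 4-transaction Algorand burn group
# against the documented layout and measure the extra asset 1 a hack-pattern
# burn extracts. Records are a constructed, simplified view of the group;
# addresses are placeholders; event 3 of a normal burn is in asset 1 value terms.
POOL, POOLER, ASSET1 = "POOL_ADDR_PLACEHOLDER", "USER_ADDR_PLACEHOLDER", "goETH"

def tx(kind, sender, receiver, amount, asset=None):
    return dict(type=kind, sender=sender, receiver=receiver, amount=amount, asset=asset)

def classify_burn(group, pool=POOL, asset1=ASSET1):
    """Return 'normal', 'hack' or 'malformed' for one burn group."""
    if len(group) != 4:
        return "malformed"
    t1, t2, t3, t4 = group
    ok = (t1["type"] == "Pay" and t1["receiver"] == pool                 # 1: fee in
          and t2["type"] == "AssetTransfer" and t2["sender"] == pool
          and t2["asset"] == asset1                                      # 2: asset 1 out
          and t4["type"] == "AssetTransfer" and t4["receiver"] == pool)  # 4: LP token in
    if not ok:
        return "malformed"
    if t3["type"] == "Pay" and t3["sender"] == pool:                     # 3: ALGO out
        return "normal"
    if (t3["type"] == "AssetTransfer" and t3["sender"] == pool
            and t3["asset"] == asset1):                                  # 3: asset 1 again
        return "hack"
    return "malformed"

def excess_asset1(group):
    """Extra asset 1 from a hack burn: event 3 minus what a normal burn pays (event 2)."""
    return group[2]["amount"] - group[1]["amount"]

def gain_multiple(group):
    """Received (events 2 + 3) over a normal burn's payout (2 x event 2)."""
    return (group[1]["amount"] + group[2]["amount"]) / (2 * group[1]["amount"])

def total_loss(groups):
    """Sum the excess asset 1 over every group matching the hack pattern."""
    return sum(excess_asset1(g) for g in groups if classify_burn(g) == "hack")

# Constructed groups mirroring the dashboard's example (2.34 goETH in event 2,
# 28.27 goETH in event 3 of the hack burn); amounts are in goETH terms.
NORMAL_BURN = [tx("Pay", POOLER, POOL, 0.001),
               tx("AssetTransfer", POOL, POOLER, 2.34, ASSET1),
               tx("Pay", POOL, POOLER, 2.34),
               tx("AssetTransfer", POOLER, POOL, 10.0, "LP_TOKEN")]
HACK_BURN = [tx("Pay", POOLER, POOL, 0.001),
             tx("AssetTransfer", POOL, POOLER, 2.34, ASSET1),
             tx("AssetTransfer", POOL, POOLER, 28.27, ASSET1),
             tx("AssetTransfer", POOLER, POOL, 10.0, "LP_TOKEN")]
```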


    The hack by hour

    • Tinyman lost approximately $2.06M in total from the hack, 60% from goBTC & 40% from goETH.
    • 1 hacker gained approximately 30.9 goBTC in 2 burn transactions.
    • 4 hackers gained approximately 185 goETH in 14 burn transactions.
    • In the first hour, around 19:00 UTC on Jan 1, 2022, 2 hackers executed 3 burn transactions and gained approximately $1.3M (30.9 goBTC and 25.9 goETH), or 64.6% of the total loss. The hack lasted until around 11:00 UTC on Jan 8, 2022.

    Activities of impacted LPs


    Methods

    • To find LPs impacted by the hack, I extract all LPs that still had liquidity in the two pools, Tinyman Pool goBTC-ALGO and Tinyman Pool goETH-ALGO, right before the hack (pre-hack).
    • I also track their mint and burn activities during the hack.

    Tinyman Pool goBTC-ALGO


    (Charts: LP mint and burn activity, Pre Hack and During Hack)

    Tinyman Pool goETH-ALGO


    (Charts: LP mint and burn activity, Pre Hack)

    The goBTC-ALGO pool:

    • Before the hack,
      • 222 LPs minted $3.43M in 447 transactions. Of 222 LPs, 107 LPs burned $327K in 183 transactions. → Net $3.1M liquidity added in the period.
      • Nov 23 & Dec 8, 2021 account for 92% of total mint liquidity in USD.
    • During the hack,
      • Of the 222 LPs that minted before the hack, 8 LPs minted $228K in 22 transactions, and 89 LPs burned $49K in 220 transactions. → Net $179K liquidity added in the period.
      • Jan 1, 2022 accounts for 92% of total mint liquidity in USD.

    The goETH-ALGO pool:

    • Before the hack,
      • 154 LPs minted $1.44M in 217 transactions. Of 154 LPs, 48 LPs burned $153K in 93 transactions. → Net $1.29M liquidity added in the period.
      • Dec 10, 14, & 28, 2021 account for 83% of total mint liquidity in USD.
    • During the hack,
      • Of the 153 LPs that minted before the hack, 2 LPs minted $41K in 2 transactions, and 10 LPs burned $122K in 10 transactions. → Net -$81K liquidity added in the period.
      • Jan 1, 2022 accounts for 99.99% of total mint liquidity in USD.

    List of impacted LPs



    Methods

    • To calculate how much value the LPs had on Tinyman, I extract their liquidity provided in all pools on Tinyman up to the hack.
    • To calculate how much each LP lost in the hack, I allocate the total loss to each LP by their % share of total liquidity right before the hack:
      • % share in total liquidity = LP’s net (mint - burn) liquidity asset amount / total net liquidity asset amount in event no.4.
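The allocation method above, as an added example (not the dashboard’s own query): each LP’s net liquidity-token position (mint minus burn) gives its share of the pool’s pre-hack liquidity, and the pool’s loss is split in that proportion. The LP rows and the loss figure are constructed; allocation is done in integer cents with largest-remainder rounding so the per-LP losses add up exactly to the pool loss, and LPs with no positive net position are excluded.

```python
# Added example (not the dashboard's query): allocate a pool's USD loss to LPs
# by their share of net liquidity tokens (mint - burn) held right before the
# hack. Rows and the loss figure are constructed; addresses are placeholders.

# (lp, minted_lp_tokens, burned_lp_tokens) up to the hack; constructed values.
LP_ROWS = [("LP_A_PLACEHOLDER", 100.0, 20.0),
           ("LP_B_PLACEHOLDER", 50.0, 0.0),
           ("LP_C_PLACEHOLDER", 30.0, 30.0)]   # fully burned: no pre-hack position

# Constructed: the 60% goBTC share of the $2.06M total loss, in cents.
POOL_LOSS_CENTS = int(round(0.60 * 2_060_000 * 100))

def net_positions(rows):
    """Net liquidity-token balance per LP, keeping only positive positions."""
    nets = {lp: minted - burned for lp, minted, burned in rows}
    return {lp: n for lp, n in nets.items() if n > 0}

def liquidity_shares(rows):
    """Each LP's % share of total net liquidity, as a fraction in [0, 1]."""
    nets = net_positions(rows)
    total = sum(nets.values())
    return {lp: n / total for lp, n in nets.items()} if total > 0 else {}

def allocate_loss_cents(rows, pool_loss_cents):
    """Split pool_loss_cents by share; largest-remainder rounding keeps the sum exact."""
    shares = liquidity_shares(rows)
    raw = {lp: pool_loss_cents * s for lp, s in shares.items()}
    alloc = {lp: int(v) for lp, v in raw.items()}          # floor to whole cents
    leftover = pool_loss_cents - sum(alloc.values())        # < number of LPs
    by_fraction = sorted(raw, key=lambda lp: raw[lp] - alloc[lp], reverse=True)
    for lp in by_fraction[:leftover]:
        alloc[lp] += 1
    return alloc
```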

    Result columns are:

    • Total Liquidity $ Amount for how much value each LP had right before the hack.
    • LP Total $ Loss Amount for how much each LP lost in the hack.

    To export the list as CSV, click the 3-dot button at the top right corner of the list.

    Distribution of LPs by Liquidity in USD Bucket Pre Hack


    (Charts: Tinyman Pool goBTC-ALGO and Tinyman Pool goETH-ALGO)

    • Of the 222 LPs in the goBTC-ALGO pool, 145 still had liquidity right before the hack. $0, $10 - $100 and $100 - $1,000 are the top 3 buckets, accounting for 80.2% of the total number of LPs.
    • Of the 154 LPs in the goETH-ALGO pool, 111 still had liquidity right before the hack. $0, $10 - $100 and $100 - $1,000 are the top 3 buckets, accounting for 81.1% of the total number of LPs.

    Key highlights

    • Total loss from the hack
      • Tinyman lost approximately $2.06M in total from the hack, 60% from goBTC & 40% from goETH.
      • 1 hacker gained approximately 30.9 goBTC in 2 burn transactions.
      • 4 hackers gained approximately 185 goETH in 14 burn transactions.
      • In the first hour, around 19:00 UTC on Jan 1, 2022, 2 hackers executed 3 burn transactions and gained approximately $1.3M (30.9 goBTC and 25.9 goETH), or 64.6% of the total loss. The hack lasted until around 11:00 UTC on Jan 8, 2022.
    • Activities of impacted LPs
      • The goBTC-ALGO pool
        • Before the hack,
          • 222 LPs minted $3.43M in 447 transactions. Of 222 LPs, 107 LPs burned $327K in 183 transactions. → Net $3.1M liquidity added in the period.
          • Nov 23 & Dec 8, 2021 account for 92% of total mint liquidity in USD.
        • During the hack,
          • Of the 222 LPs that minted before the hack, 8 LPs minted $228K in 22 transactions, and 89 LPs burned $49K in 220 transactions. → Net $179K liquidity added in the period.
          • Jan 1, 2022 accounts for 92% of total mint liquidity in USD.
      • The goETH-ALGO pool
        • Before the hack,
          • 154 LPs minted $1.44M in 217 transactions. Of 154 LPs, 48 LPs burned $153K in 93 transactions. → Net $1.29M liquidity added in the period.
          • Dec 10, 14, & 28, 2021 account for 83% of total mint liquidity in USD.
        • During the hack,
          • Of the 153 LPs that minted before the hack, 2 LPs minted $41K in 2 transactions, and 10 LPs burned $122K in 10 transactions. → Net -$81K liquidity added in the period.
          • Jan 1, 2022 accounts for 99.99% of total mint liquidity in USD.
    • List of impacted LPs
      • Of the 222 LPs in the goBTC-ALGO pool, 145 still had liquidity right before the hack. $0, $10 - $100 and $100 - $1,000 are the top 3 buckets, accounting for 80.2% of the total number of LPs.
      • Of the 154 LPs in the goETH-ALGO pool, 111 still had liquidity right before the hack. $0, $10 - $100 and $100 - $1,000 are the top 3 buckets, accounting for 81.1% of the total number of LPs.

    Thanks for reading!


    The List

