The TinyThieves On Tinyman: How Hackers Stole $3 Million Worth of Liquidity Pool Funds On an Algorand-Backed Protocol

Adenugba Blessing
Jan 4, 2022

Holiday Came to An End So Early
The year 2022 started with a challenge for the Tinyman team. They should be on holiday; instead, they are working around the clock to strengthen the security of Tinyman, the best DeFi protocol on the Algorand blockchain. Tinyman is a decentralized finance protocol on the Algorand blockchain, and on the 1st of January, 2022 it was attacked by TinyThieves (hackers). The hackers made away with $3 million worth of liquidity pool funds on Tinyman. On the 2nd of January, 2022, the Tinyman Twitter handle tweeted that all ASAs should remove their liquidity until a solution is in view. This, in turn, led most people, for fear of losing their bags, to sell off at a loss. Right now, Tinyman developers are yet to resolve the issue.

What exactly went wrong?
The hack occurred due to an exploitable bug in the project’s smart contract, which left several pools vulnerable. According to a report on Tinyman’s blog, the two assets attacked were goBtc and goEth. The liquidity of these assets was zapped and swapped into Algo and stablecoins before it was finally sent out to on-chain wallets and centralized exchanges like Binance. According to a tweet by Tinyman on the 3rd of January, 2022, many wallets are still exploiting the bug in the smart contract.

“We are still compiling the reports for the incident in order to measure the total damage done. As the exploit method is out there now, the exploit is still going on albeit very small in value. We’ll be sharing these reports once they are ready.”

Tinyman vs TinyThieves.
Tinyman developers are on their feet, fighting back against the TinyThieves. They’ve called on supportive white-hat hackers to simulate the TinyThieves’ exploit on Tinyman’s testnet so as to expose more vulnerabilities. This, in turn, will lead to fixing possible bugs, which may prevent future losses.

Will there be Compensation?
Tinyman announced some hours ago that wallets affected by the ongoing attack will be compensated. They said that a website will be put up to that effect where affected persons will be able to check if their wallet is eligible for compensation. If not eligible, they will have a chance to file a complaint and defend their case with proof. The compensation plan is yet to be rolled out as the Tinyman Team is busy blocking the exploits and building a formidable system that will be hard to crack.

There is Hope
The team thanked the Tinyman community and assured them that they will roll out progress information every 48 hours. They added that the Tinyman v1 swap will be deactivated before long and that users should stop all swap activities till further notice. Tinyman v2 will be deployed before long and everything will be back to normal. Tinyman v2 will be well tested on the Algorand Testnet before deployment. This is hope.

Bye, Bye TinyThieves?

There will be more TinyThieves in the future; however, a large-scale attack like this on Tinyman’s protocol will be highly unlikely. How else will a system be formidable if it isn’t tested? If Tinyman survives this storm, it will come back stronger and better. To my fellow Algorand Blockchain lovers, let’s keep the hope alive. Long live the Blockchain!!!!!