On January 1, 2022, some of the Tinyman project’s pools were attacked.  The attacker exploited an unknown vulnerability in smart contract code to extract approximately $3 million in tokens from the contract’s pools.

Inside the Attack

The Tinyman hack was enabled by a flaw in the project’s smart contract code.  When a user calls the protocol’s burn function, they should receive two different types of tokens in exchange.  The amounts of each token depend on the amount stored within the protocol.

The attacker exploited a vulnerability in the Tinyman pools’ contract code that allowed them to receive the same token twice after a burn rather than two different tokens.  This was to their advantage because it allowed the attacker to extract twice as much gobtc instead of a mix of gobtc and ALGO tokens.  Since gobtc is much more valuable than ALGO, this allowed the attacker to make a significant profit and drain approximately $3 million in gobtc and goeth from the Tinyman pool over multiple transactions.  These tokens were then swapped in pools for stablecoins and withdrawn to other exchanges and wallets.

The exploit by the initial attacker was imitated by other wallets that used it to attack the protocol.  As a result, the Tinyman team recommended that all users withdraw their liquidity from affected pools.

Lessons Learned From the Attack

The Tinyman breach was enabled by an error that was overlooked during the project’s security audit.  As mentioned in the audit report, TEAL – the smart contract language of the Algorand blockchain where Tinyman is hosted – is a low-level language, which makes it complex to verify that the code matches the intended business logic.  In cases like this, multiple in-depth audits may be required to verify that business logic is correctly implemented and that the code does not contain any undesirable control flows.

Rob Behnke
01.06.2022