Tinyman, a decentralized exchange on Algorand, has opened up about the attack that began on January 1st. A few “unauthorized users” breached some of the protocol’s pools by exploiting a previously unknown vulnerability in its smart contracts.
Tinyman Compromised
According to the official blog post, the attack drained certain ASAs (Algorand Standard Assets) from the pools within its first hours, which in turn caused massive volatility. Tinyman revealed that the attackers first funded fresh wallet addresses with seed capital for the breach. To execute the attack, they targeted the pools, swapped a portion of those funds so that they held both assets of a pair, and minted Pool Tokens.
The perpetrators reportedly exploited an unknown bug in the burning of Pool Tokens, which let them receive “two of the same Assets instead of two different Assets” when redeeming their Pool Tokens.
According to the platform, this worked in the attackers’ favour because the goBTC asset was significantly more valuable than Algorand’s native token ALGO: a burn that paid out goBTC twice, instead of goBTC plus ALGO, left them holding more of the valuable asset than they had deposited. They immediately swapped it against the pool to rake in more funds and repeated the exploit.
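To make the bug class concrete, the following is an added Python model of a two-asset constant-product pool; it is not Tinyman’s TEAL contract code, and the asset names, balances, market prices, fee-free swap and attacker deposit are all constructed assumptions. The page only says the burn could pay out two of the same asset, not how the real contract mis-assigned them, so the model assumes the caller names the two payout assets and nothing checks that they are the pool’s two distinct assets. The model then runs one round of the sequence the article describes (mint, burn for goBTC twice, swap the surplus goBTC back into the pool) against the buggy burn and against a hardened burn that refuses the request.

```python
"""Constructed toy AMM pool (not Tinyman's contract) illustrating a pool-token
burn that can pay out the same asset twice, and the hardened check that stops it."""

from dataclasses import dataclass

GOBTC = "goBTC"  # stand-in ids for the pool's two assets (assumption)
ALGO = "ALGO"
PRICE_IN_ALGO = {GOBTC: 50_000.0, ALGO: 1.0}  # assumed market prices, goBTC >> ALGO


@dataclass
class Pool:
    assets: tuple      # (asset1, asset2)
    holdings: dict     # asset id -> reserve held by the pool contract
    lp_supply: float   # outstanding pool tokens

    def mint(self, amt1: float, amt2: float) -> float:
        """Deposit both assets pro rata and mint pool tokens for the depositor."""
        a1, a2 = self.assets
        minted = min(amt1 / self.holdings[a1], amt2 / self.holdings[a2]) * self.lp_supply
        self.holdings[a1] += amt1
        self.holdings[a2] += amt2
        self.lp_supply += minted
        return minted

    def swap(self, asset_in: str, amt_in: float) -> float:
        """Fee-free constant-product swap (assumption); returns the other asset's amount."""
        a1, a2 = self.assets
        asset_out = a2 if asset_in == a1 else a1
        x, y = self.holdings[asset_in], self.holdings[asset_out]
        amt_out = y * amt_in / (x + amt_in)
        self.holdings[asset_in] += amt_in
        self.holdings[asset_out] -= amt_out
        return amt_out

    def _payout(self, lp_amount: float, out_a: str, out_b: str) -> dict:
        # Pro-rata share of whichever asset ids the caller named, computed from a
        # snapshot so naming the same asset twice pays its share twice.
        amounts = [(a, self.holdings[a] * lp_amount / self.lp_supply) for a in (out_a, out_b)]
        payout = {}
        for asset, amt in amounts:
            self.holdings[asset] -= amt
            payout[asset] = payout.get(asset, 0.0) + amt
        self.lp_supply -= lp_amount
        return payout

    def burn_buggy(self, lp_amount: float, out_a: str, out_b: str) -> dict:
        """Bug class modelled here: payout asset ids come from the caller and are
        never checked to be the pool's two distinct assets."""
        return self._payout(lp_amount, out_a, out_b)

    def burn_fixed(self, lp_amount: float, out_a: str, out_b: str) -> dict:
        """Hardened burn: payouts must be exactly the pool's asset pair, once each."""
        if (out_a, out_b) not in (self.assets, self.assets[::-1]):
            raise ValueError("burn must pay out both pool assets exactly once")
        return self._payout(lp_amount, out_a, out_b)


def value_in_algo(bag: dict) -> float:
    """Market value of a bag of assets at the assumed prices."""
    return sum(PRICE_IN_ALGO[a] * amt for a, amt in bag.items())


def new_pool() -> Pool:
    # Constructed, balanced pool: 100 goBTC against 5,000,000 ALGO at the assumed price.
    return Pool(assets=(GOBTC, ALGO), holdings={GOBTC: 100.0, ALGO: 5_000_000.0}, lp_supply=1_000.0)


def attack_round(pool: Pool, burn) -> float:
    """Mint with a balanced deposit, burn via `burn` asking for goBTC twice, then sell
    the surplus goBTC into the now goBTC-short pool. Returns attacker profit in ALGO."""
    deposit = {GOBTC: 10.0, ALGO: 500_000.0}
    lp = pool.mint(deposit[GOBTC], deposit[ALGO])
    got = burn(lp, GOBTC, GOBTC)
    # The pool now holds too little goBTC, so it prices goBTC above market: sell into it.
    surplus = got.get(GOBTC, 0.0) - deposit[GOBTC]
    if surplus > 0:
        got[ALGO] = got.get(ALGO, 0.0) + pool.swap(GOBTC, surplus)
        got[GOBTC] -= surplus
    return value_in_algo(got) - value_in_algo(deposit)


if __name__ == "__main__":
    p = new_pool()
    print("profit with buggy burn (ALGO):", attack_round(p, p.burn_buggy))
    print("pool value after round (ALGO):", value_in_algo(p.holdings))
    q = new_pool()
    try:
        attack_round(q, q.burn_fixed)
    except ValueError as e:
        print("hardened burn rejected the request:", e)
```

With the constructed numbers a single round nets the attacker 50,000 ALGO-equivalent and the pool loses the same amount, and the round can be repeated while the pool has goBTC left; the hardened burn rejects the request outright. The check is cheap because it is structural: a burn redeems a claim on both reserves, so the contract, not the caller, should decide which two assets are paid out.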
Tinyman said the attackers also ran the exploit against pools paired with stablecoins to extract the most value, then withdrew the assets to other on-chain wallets and to known centralized cryptocurrency exchanges.
The Attack Goes On
While apologizing for the incident, Tinyman assured users that everyone affected will be reimbursed and that the team is working on compensation plans. It also noted, however, that it cannot block any transaction on the blockchain because the contracts are permissionless.
To limit the damage, Tinyman urged liquidity providers to withdraw all of their liquidity from every protocol-related contract. In addition, all liquidity routes in the web app were blocked and replaced with warnings to protect the community.
Any lost funds after the next 24 hours (9 am UTC on the 4th of January) will be the responsibility of the users, as there is nothing we can do to stop this event; the responsibility for the remaining assets is in the wallet owners’ hands.
— Tinyman (@tinymanorg) January 3, 2022
In a later tweet, the platform notified its users that the exploit against the pools was continuing and that around $2 million worth of various digital assets still remained in the pools. Tinyman once again advised everyone to remove their liquidity as soon as possible, repeating that any funds lost after 9 AM UTC on January 4th would be the users’ responsibility.