Skip to main content
Sign in
Tinyman1 decision on this page

Audit log

Every state-changing event for Tinyman: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-05-30 13:00:23Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 423,161,263
    sig
    66NfCwq7BMzk…YVF8gY4pexplorer ↗
    hash
    5HHrwkzkoCiM…ehUC5ewnsha256 → base58
    verifying row…full verify ↗
    canonical bytes (12571 B) ▸
    {"actor":"system:backfill","investigation_id":"0f8ef13b-c75f-411c-a011-e1e6771bb825","kind":"publish","page_slug":"tinyman","published_at":"2026-05-30T13:00:23.779Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Tinyman","sections":[{"content":"","heading":"Protocol Overview","severity":"low","sources":[{"credibility":1,"name":"DeFi for the Small Guy: Algorand-Based Tinyman Raises $2.5M Ahead of DEX Launch — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/10/07/defi-for-the-small-guy-algorand-based-tinyman-raises-25m-ahead-of-dex-launch"},{"credibility":1,"name":"Tinyman official site","type":"official","url":"https://tinyman.org/"}]},{"content":"","heading":"January 2022 Exploit: Attack Mechanism","severity":"critical","sources":[{"credibility":1,"name":"Official Announcement About the Incidents of 01.01.2022 — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19"},{"credibility":1,"name":"Technical Report 1: First Insights — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"credibility":2,"name":"Explained: The Tinyman Hack (January 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-tinyman-hack-january-2022"},{"credibility":2,"name":"Tinyman: The First DeFi Exploit of 2022? — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/first-defi-liquidity-pool-exploited-in-2022"}]},{"content":"","heading":"Financial Losses and Affected Users","severity":"critical","sources":[{"credibility":1,"name":"Technical Report 1: First Insights — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"credibility":1,"name":"Tinyman Compensation Program — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-compensation-program-683dd2bd872b"},{"credibility":2,"name":"$3 Million Lost as an Algorand-Based Decentralized Trading Platform Exploited — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/3-million-lost-as-an-algorand-based-decentralized-trading-platform-exploited/"},{"credibility":2,"name":"Algorand-Based Tinyman AMM Exploited for $3 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/algorand-based-tinyman-amm-exploited-for-3-million/"}]},{"content":"","heading":"Audit History and Security Posture Prior to Exploit","severity":"high","sources":[{"credibility":1,"name":"Tinyman's Smart Contract Audit is Completed by Runtime Verification — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinymans-audit-by-runtime-verification-eef1e7f8f824"},{"credibility":2,"name":"Runtime Verification Audits Tinyman — Runtime Verification blog","type":"research","url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman"},{"credibility":2,"name":"Explained: The Tinyman Hack (January 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-tinyman-hack-january-2022"}]},{"content":"","heading":"Incident Response and Compensation","severity":"medium","sources":[{"credibility":1,"name":"Official Announcement About the Incidents of 01.01.2022 — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19"},{"credibility":1,"name":"Tinyman Compensation Program — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-compensation-program-683dd2bd872b"},{"credibility":3,"name":"Tinyman: Re-launch on Mainnet and Next Steps — coin.fyi","type":"news_article","url":"https://coin.fyi/news/algorand/tinyman-re-launch-on-mainnet-and-next-steps-snrs1f"}]},{"content":"","heading":"V2.0 Protocol and Post-Exploit Security Improvements","severity":"low","sources":[{"credibility":1,"name":"Decentralized Trading Platform Tinyman Introduces Version 2.0 — PR Newswire","type":"official","url":"https://www.prnewswire.com/news-releases/decentralized-trading-platform-tinyman-introduces-version-2-0-and-new-readable-programming-language-tealish-at-algorand-decipher-event-in-dubai-301689634.html"},{"credibility":2,"name":"Runtime Verification Audits Tinyman AMM V2 — Runtime Verification blog","type":"research","url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman-amm-v2"},{"credibility":1,"name":"Tinyman AMM V2.0 Protocol — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-amm-v2-0-protocol-201e0f32f58d"},{"credibility":1,"name":"Audits and Security — Tinyman Docs","type":"official","url":"https://docs.tinyman.org/audits-and-security"}]},{"content":"","heading":"On-Chain Forensics and Attacker Tracing","severity":"high","sources":[{"credibility":2,"name":"Tinyman: The First DeFi Exploit of 2022? — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/first-defi-liquidity-pool-exploited-in-2022"},{"credibility":1,"name":"Technical Report 1: First Insights — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"}]}],"sources_used":[{"credibility":1,"name":"Official Announcement About the Incidents of 01.01.2022 — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19"},{"credibility":1,"name":"Technical Report 1: First Insights — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"credibility":1,"name":"Tinyman Compensation Program — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-compensation-program-683dd2bd872b"},{"credibility":1,"name":"Tinyman's Smart Contract Audit is Completed by Runtime Verification — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinymans-audit-by-runtime-verification-eef1e7f8f824"},{"credibility":1,"name":"Tinyman AMM V2.0 Protocol — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-amm-v2-0-protocol-201e0f32f58d"},{"credibility":1,"name":"Tinyman Updates, 2022 and Beyond — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-updates-2022-and-beyond-e2457bed608e"},{"credibility":1,"name":"DeFi for the Small Guy: Algorand-Based Tinyman Raises $2.5M Ahead of DEX Launch — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/10/07/defi-for-the-small-guy-algorand-based-tinyman-raises-25m-ahead-of-dex-launch"},{"credibility":1,"name":"Decentralized Trading Platform Tinyman Introduces Version 2.0 — PR Newswire","type":"official","url":"https://www.prnewswire.com/news-releases/decentralized-trading-platform-tinyman-introduces-version-2-0-and-new-readable-programming-language-tealish-at-algorand-decipher-event-in-dubai-301689634.html"},{"credibility":2,"name":"Explained: The Tinyman Hack (January 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-tinyman-hack-january-2022"},{"credibility":2,"name":"Tinyman: The First DeFi Exploit of 2022? — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/first-defi-liquidity-pool-exploited-in-2022"},{"credibility":2,"name":"Runtime Verification Audits Tinyman — Runtime Verification blog","type":"research","url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman"},{"credibility":2,"name":"Runtime Verification Audits Tinyman AMM V2 — Runtime Verification blog","type":"research","url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman-amm-v2"},{"credibility":1,"name":"Audits and Security — Tinyman Docs","type":"official","url":"https://docs.tinyman.org/audits-and-security"},{"credibility":2,"name":"$3 Million Lost as an Algorand-Based Decentralized Trading Platform Exploited — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/3-million-lost-as-an-algorand-based-decentralized-trading-platform-exploited/"},{"credibility":2,"name":"Another year, another hack: Algorand's DeFi platform Tinyman exploited for $3m — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/another-year-another-hack-algorands-defi-platform-tinyman-exploited-for-3m/"},{"credibility":2,"name":"Algorand-Based Tinyman AMM Exploited for $3 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/algorand-based-tinyman-amm-exploited-for-3-million/"},{"credibility":2,"name":"Tinyman Vulnerability — Blockshake Substack","type":"research","url":"https://blockshake.substack.com/p/tinyman-vulnerability"},{"credibility":3,"name":"Tinyman: Re-launch on Mainnet and Next Steps — coin.fyi","type":"news_article","url":"https://coin.fyi/news/algorand/tinyman-re-launch-on-mainnet-and-next-steps-snrs1f"}],"summary":"Tinyman is an automated market maker (AMM) and decentralized exchange (DEX) built on the Algorand blockchain, launched on mainnet in October 2021. On January 1, 2022, attackers exploited a logic flaw in the protocol's pool-token burn function to drain approximately $3 million in wrapped Bitcoin and Ethereum assets across 43 pools. Tinyman subsequently patched the contracts, launched a compensation program covering all affected liquidity providers, and released a fully re-audited v2.0 protocol in early 2023.","timeline":[{"date":"2021-08-01","event":"Tinyman launches on Algorand testnet","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2021/10/07/defi-for-the-small-guy-algorand-based-tinyman-raises-25m-ahead-of-dex-launch"},{"date":"2021-09-21","event":"Runtime Verification completes initial audit of Tinyman v1 smart contracts","source":"Tinyman Medium","source_url":"https://tinymanorg.medium.com/tinymans-audit-by-runtime-verification-eef1e7f8f824"},{"date":"2021-10-07","event":"Tinyman launches on Algorand mainnet; raises $2.5M from investors including Borderless Capital, DCG, and BlockTower","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2021/10/07/defi-for-the-small-guy-algorand-based-tinyman-raises-25m-ahead-of-dex-launch"},{"date":"2022-01-01","event":"Exploit begins at 19:03 UTC; primary attacker executes 16 transactions exploiting burn function logic flaw, stealing approximately $1.8M in goBTC and goETH","source":"Tinyman Technical Report 1","source_url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"date":"2022-01-02","event":"Tinyman publishes official incident announcement; warns all liquidity providers to withdraw funds; disables liquidity routes on web app; contacts law enforcement","source":"Tinyman Medium","source_url":"https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19"},{"date":"2022-01-02","event":"Total attack scope confirmed: 13 unique attacker addresses, 43 pools drained, 360 malicious transactions, approximately $3M total losses including arbitrage","source":"Tinyman Technical Report 1","source_url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"date":"2022-01-19","event":"Tinyman v1.1 relaunches on mainnet with patched contracts; two audit firms reviewed the updated contracts; bug bounty program extended","source":"coin.fyi / Tinyman","source_url":"https://coin.fyi/news/algorand/tinyman-re-launch-on-mainnet-and-next-steps-snrs1f"},{"date":"2022-03-24","event":"Tinyman begins distributing compensation payments to affected liquidity providers; program covers stolen amounts, stuck LP tokens, and arbitraged losses","source":"Tinyman Compensation Program Medium","source_url":"https://tinymanorg.medium.com/tinyman-compensation-program-683dd2bd872b"},{"date":"2022-11-30","event":"Tinyman announces v2.0 at Algorand Decipher event in Dubai, featuring Tealish-written contracts, multi-level audit, and Immunefi bug bounty up to $250,000","source":"PR Newswire","source_url":"https://www.prnewswire.com/news-releases/decentralized-trading-platform-tinyman-introduces-version-2-0-and-new-readable-programming-language-tealish-at-algorand-decipher-event-in-dubai-301689634.html"},{"date":"2023-01-01","event":"Tinyman v2.0 mainnet launch (approximate); audited by Runtime Verification at specification, Tealish, and TEAL bytecode levels","source":"Runtime Verification blog","source_url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman-amm-v2"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 2f3161dd-9bf5-481d-a4b4-449f47c64fa5
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.