Verify a decision

{"actor":"system:backfill","investigation_id":"0f8ef13b-c75f-411c-a011-e1e6771bb825","kind":"publish","page_slug":"tinyman","published_at":"2026-05-30T13:00:23.779Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Tinyman","sections":[{"content":"","heading":"Protocol Overview","severity":"low","sources":[{"credibility":1,"name":"DeFi for the Small Guy: Algorand-Based Tinyman Raises $2.5M Ahead of DEX Launch — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/10/07/defi-for-the-small-guy-algorand-based-tinyman-raises-25m-ahead-of-dex-launch"},{"credibility":1,"name":"Tinyman official site","type":"official","url":"https://tinyman.org/"}]},{"content":"","heading":"January 2022 Exploit: Attack Mechanism","severity":"critical","sources":[{"credibility":1,"name":"Official Announcement About the Incidents of 01.01.2022 — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19"},{"credibility":1,"name":"Technical Report 1: First Insights — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"credibility":2,"name":"Explained: The Tinyman Hack (January 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-tinyman-hack-january-2022"},{"credibility":2,"name":"Tinyman: The First DeFi Exploit of 2022? — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/first-defi-liquidity-pool-exploited-in-2022"}]},{"content":"","heading":"Financial Losses and Affected Users","severity":"critical","sources":[{"credibility":1,"name":"Technical Report 1: First Insights — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"credibility":1,"name":"Tinyman Compensation Program — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-compensation-program-683dd2bd872b"},{"credibility":2,"name":"$3 Million Lost as an Algorand-Based Decentralized Trading Platform Exploited — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/3-million-lost-as-an-algorand-based-decentralized-trading-platform-exploited/"},{"credibility":2,"name":"Algorand-Based Tinyman AMM Exploited for $3 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/algorand-based-tinyman-amm-exploited-for-3-million/"}]},{"content":"","heading":"Audit History and Security Posture Prior to Exploit","severity":"high","sources":[{"credibility":1,"name":"Tinyman's Smart Contract Audit is Completed by Runtime Verification — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinymans-audit-by-runtime-verification-eef1e7f8f824"},{"credibility":2,"name":"Runtime Verification Audits Tinyman — Runtime Verification blog","type":"research","url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman"},{"credibility":2,"name":"Explained: The Tinyman Hack (January 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-tinyman-hack-january-2022"}]},{"content":"","heading":"Incident Response and Compensation","severity":"medium","sources":[{"credibility":1,"name":"Official Announcement About the Incidents of 01.01.2022 — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19"},{"credibility":1,"name":"Tinyman Compensation Program — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-compensation-program-683dd2bd872b"},{"credibility":3,"name":"Tinyman: Re-launch on Mainnet and Next Steps — coin.fyi","type":"news_article","url":"https://coin.fyi/news/algorand/tinyman-re-launch-on-mainnet-and-next-steps-snrs1f"}]},{"content":"","heading":"V2.0 Protocol and Post-Exploit Security Improvements","severity":"low","sources":[{"credibility":1,"name":"Decentralized Trading Platform Tinyman Introduces Version 2.0 — PR Newswire","type":"official","url":"https://www.prnewswire.com/news-releases/decentralized-trading-platform-tinyman-introduces-version-2-0-and-new-readable-programming-language-tealish-at-algorand-decipher-event-in-dubai-301689634.html"},{"credibility":2,"name":"Runtime Verification Audits Tinyman AMM V2 — Runtime Verification blog","type":"research","url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman-amm-v2"},{"credibility":1,"name":"Tinyman AMM V2.0 Protocol — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-amm-v2-0-protocol-201e0f32f58d"},{"credibility":1,"name":"Audits and Security — Tinyman Docs","type":"official","url":"https://docs.tinyman.org/audits-and-security"}]},{"content":"","heading":"On-Chain Forensics and Attacker Tracing","severity":"high","sources":[{"credibility":2,"name":"Tinyman: The First DeFi Exploit of 2022? — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/first-defi-liquidity-pool-exploited-in-2022"},{"credibility":1,"name":"Technical Report 1: First Insights — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"}]}],"sources_used":[{"credibility":1,"name":"Official Announcement About the Incidents of 01.01.2022 — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19"},{"credibility":1,"name":"Technical Report 1: First Insights — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"credibility":1,"name":"Tinyman Compensation Program — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-compensation-program-683dd2bd872b"},{"credibility":1,"name":"Tinyman's Smart Contract Audit is Completed by Runtime Verification — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinymans-audit-by-runtime-verification-eef1e7f8f824"},{"credibility":1,"name":"Tinyman AMM V2.0 Protocol — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-amm-v2-0-protocol-201e0f32f58d"},{"credibility":1,"name":"Tinyman Updates, 2022 and Beyond — Tinyman Medium","type":"official","url":"https://tinymanorg.medium.com/tinyman-updates-2022-and-beyond-e2457bed608e"},{"credibility":1,"name":"DeFi for the Small Guy: Algorand-Based Tinyman Raises $2.5M Ahead of DEX Launch — CoinDesk","type":"news_article","url":"https://www.coindesk.com/business/2021/10/07/defi-for-the-small-guy-algorand-based-tinyman-raises-25m-ahead-of-dex-launch"},{"credibility":1,"name":"Decentralized Trading Platform Tinyman Introduces Version 2.0 — PR Newswire","type":"official","url":"https://www.prnewswire.com/news-releases/decentralized-trading-platform-tinyman-introduces-version-2-0-and-new-readable-programming-language-tealish-at-algorand-decipher-event-in-dubai-301689634.html"},{"credibility":2,"name":"Explained: The Tinyman Hack (January 2022) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-tinyman-hack-january-2022"},{"credibility":2,"name":"Tinyman: The First DeFi Exploit of 2022? — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/first-defi-liquidity-pool-exploited-in-2022"},{"credibility":2,"name":"Runtime Verification Audits Tinyman — Runtime Verification blog","type":"research","url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman"},{"credibility":2,"name":"Runtime Verification Audits Tinyman AMM V2 — Runtime Verification blog","type":"research","url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman-amm-v2"},{"credibility":1,"name":"Audits and Security — Tinyman Docs","type":"official","url":"https://docs.tinyman.org/audits-and-security"},{"credibility":2,"name":"$3 Million Lost as an Algorand-Based Decentralized Trading Platform Exploited — CryptoPotato","type":"news_article","url":"https://cryptopotato.com/3-million-lost-as-an-algorand-based-decentralized-trading-platform-exploited/"},{"credibility":2,"name":"Another year, another hack: Algorand's DeFi platform Tinyman exploited for $3m — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/another-year-another-hack-algorands-defi-platform-tinyman-exploited-for-3m/"},{"credibility":2,"name":"Algorand-Based Tinyman AMM Exploited for $3 Million — BeInCrypto","type":"news_article","url":"https://beincrypto.com/algorand-based-tinyman-amm-exploited-for-3-million/"},{"credibility":2,"name":"Tinyman Vulnerability — Blockshake Substack","type":"research","url":"https://blockshake.substack.com/p/tinyman-vulnerability"},{"credibility":3,"name":"Tinyman: Re-launch on Mainnet and Next Steps — coin.fyi","type":"news_article","url":"https://coin.fyi/news/algorand/tinyman-re-launch-on-mainnet-and-next-steps-snrs1f"}],"summary":"Tinyman is an automated market maker (AMM) and decentralized exchange (DEX) built on the Algorand blockchain, launched on mainnet in October 2021. On January 1, 2022, attackers exploited a logic flaw in the protocol's pool-token burn function to drain approximately $3 million in wrapped Bitcoin and Ethereum assets across 43 pools. Tinyman subsequently patched the contracts, launched a compensation program covering all affected liquidity providers, and released a fully re-audited v2.0 protocol in early 2023.","timeline":[{"date":"2021-08-01","event":"Tinyman launches on Algorand testnet","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2021/10/07/defi-for-the-small-guy-algorand-based-tinyman-raises-25m-ahead-of-dex-launch"},{"date":"2021-09-21","event":"Runtime Verification completes initial audit of Tinyman v1 smart contracts","source":"Tinyman Medium","source_url":"https://tinymanorg.medium.com/tinymans-audit-by-runtime-verification-eef1e7f8f824"},{"date":"2021-10-07","event":"Tinyman launches on Algorand mainnet; raises $2.5M from investors including Borderless Capital, DCG, and BlockTower","source":"CoinDesk","source_url":"https://www.coindesk.com/business/2021/10/07/defi-for-the-small-guy-algorand-based-tinyman-raises-25m-ahead-of-dex-launch"},{"date":"2022-01-01","event":"Exploit begins at 19:03 UTC; primary attacker executes 16 transactions exploiting burn function logic flaw, stealing approximately $1.8M in goBTC and goETH","source":"Tinyman Technical Report 1","source_url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"date":"2022-01-02","event":"Tinyman publishes official incident announcement; warns all liquidity providers to withdraw funds; disables liquidity routes on web app; contacts law enforcement","source":"Tinyman Medium","source_url":"https://tinymanorg.medium.com/official-announcement-about-the-incidents-of-01-01-2022-56abb19d8b19"},{"date":"2022-01-02","event":"Total attack scope confirmed: 13 unique attacker addresses, 43 pools drained, 360 malicious transactions, approximately $3M total losses including arbitrage","source":"Tinyman Technical Report 1","source_url":"https://tinymanorg.medium.com/technical-report-1-first-insights-cbc12109ef08"},{"date":"2022-01-19","event":"Tinyman v1.1 relaunches on mainnet with patched contracts; two audit firms reviewed the updated contracts; bug bounty program extended","source":"coin.fyi / Tinyman","source_url":"https://coin.fyi/news/algorand/tinyman-re-launch-on-mainnet-and-next-steps-snrs1f"},{"date":"2022-03-24","event":"Tinyman begins distributing compensation payments to affected liquidity providers; program covers stolen amounts, stuck LP tokens, and arbitraged losses","source":"Tinyman Compensation Program Medium","source_url":"https://tinymanorg.medium.com/tinyman-compensation-program-683dd2bd872b"},{"date":"2022-11-30","event":"Tinyman announces v2.0 at Algorand Decipher event in Dubai, featuring Tealish-written contracts, multi-level audit, and Immunefi bug bounty up to $250,000","source":"PR Newswire","source_url":"https://www.prnewswire.com/news-releases/decentralized-trading-platform-tinyman-introduces-version-2-0-and-new-readable-programming-language-tealish-at-algorand-decipher-event-in-dubai-301689634.html"},{"date":"2023-01-01","event":"Tinyman v2.0 mainnet launch (approximate); audited by Runtime Verification at specification, Tealish, and TEAL bytecode levels","source":"Runtime Verification blog","source_url":"https://runtimeverification.com/blog/runtime-verification-audits-tinyman-amm-v2"}]},"v":1}