###### tags: `Algorand` `Hack`

# Tinyman Hack

Notes:

- 10,000 units spoofing: cost 1/110th of an ALGO vs 1/100th of an ALGO
- exchanging 1 unit of ASA for 1 unit of microalgo
- if 10,000 of 10,000 with no decimals, 1 unit of the ASA is 1/1,000,000th of an ALGO
- avoid pools with more value than ALGO
- Evan Maltz: everything is done in the smallest denomination of units; apply correction using decimals of base units if they are
- pool works with ALGO as the other asset; spoofing the smart contract to handle non-ALGO assets as ALGO assets in the base unit
- if they both had 6 decimals and the price is 1:1 then you're probably safe
- if the number of decimals in the ASA is greater than 6, then it would have to be 10 ALGO per ASA or greater for you to be vulnerable
- assets most vulnerable are assets only on Tinyman, because prices are based only on the Tinyman pool with no other reference; USDC is on other chains so it doesn't get affected as easily

Transcript:

Evan Maltz @evan_maltz: Thank you, thank you. I'll do my best to explain it briefly, really quick. Basically, the idea is people can spoof the call for their... Right now, apparently they're using custom API requests. They're not even doing it through Tinyman. It's all custom API requests, according to somebody who just messaged me, like API commands, which is also true, like if you take down the website anyway. There's a contract on Tinyman for withdrawing liquidity from the pools, which you're supposed to only be able to do at equal value ratios, right? So if I withdraw one ALGO, then I should be withdrawing the proportional amount of the other side of that pool, right? Like if the price of that ASA is 1 ALGO each, then I withdraw one ALGO, I get one ASA, right? It's proportional to the price. But there's logic in the smart contract where they handle withdrawals of ALGO differently than they handle withdrawals of ASAs, but you can spoof it to make it use the ALGO logic instead of the ASA logic.
So instead of withdrawing, like, let's say the price was 1000 ALGO per ASA. I can withdraw 1 ALGO, or make the contract think I'm withdrawing 1 ALGO from the ASA side of the pool, but really I'm withdrawing one ASA, which would be $1000 worth. So you can functionally withdraw from one side of the liquidity pool at a very, very cheap cost, which would look like liquidity is being pulled from the pools, and then they can take that asset that they got from the liquidity pool and sell it at market value to withdraw ALGO from the ALGO side of the liquidity pool.

Has Tinyman said anything?

Evan Maltz @evan_maltz: Not much, just that they're looking into it, and they said that they think it only affects ALGO/ASA pools where the value of the ASA is more than one ALGO. Which makes sense, although there was a group of developers who presented a very, very convincing argument that it... and also, like, from what made sense, I know that it doesn't just affect ALGO/ASA pools where the price is more than one ALGO. It really depends on the number of decimals in the project. So in theory it could be less than, like, 1 ALGO per ASA and could still be affected as well.

Malcolm the Maxi @MalcolmHuntley2: So.

Evan Maltz @evan_maltz: So my general advice is, if you provide liquidity for... Sorry, this is not advice, this is what I'm doing.
If you want to copy what I'm doing, which is at your own risk: I had withdrawn all my liquidity from all the ALGO/ASA pools that I was part of, so that I don't get my ALGO stolen.

Notes:

- which contract is involved? It's posted on the Tinyman Discord
- not possible to fix liquidity pools; everyone needs to withdraw liquidity from pools; Tinyman needs to shut down entirely to fix this
- Chris Swenor says: "So we basically need to shut down Tinyman entirely to fix this."

Sylvain Bellemare @sbellem: OK.

Malcolm the Maxi @MalcolmHuntley2: Oh, oh.

Evan Maltz @evan_maltz: Yeah, kinda, you have to, because they can't work unless... Nothing can work unless those liquidity pool... like, you can't calculate prices, you can't do swaps, you can't do any of the functionality of Tinyman as long as those liquidity pool contracts are not viable.

Malcolm the Maxi @MalcolmHuntley2: Oh, that's horrible. No, what the fuck? How does that happen, bro? Oh my God, oh shit. So you'll be needs to come out with their... shared sooner.

Evan Maltz @evan_maltz: Or Humble, that's Chris's DEX. For some reason, I don't know, I just trust Chris, I think.
Notes:

- people want two DEXes to go up
- all pricing in the ecosystem is based off pricing off those asset pools
- the more decimals, the safer you are

Evan Maltz @evan_maltz: So if you have 6 decimals and you're lower than one ALGO, you're for sure safe, 100% safe. If you have more than six decimals and you're below 1 ALGO, you're even more safe. If you have less than six decimals, then you get increasingly risky. It still depends on the price, obviously. But with five decimals, then the price point is less than 10 ALGO; if 4 decimals, the price point is 100 ALGO. Or sorry, reverse that, it's not 100, it's .01 ALGO, sorry, .01 ALGO. It's 1/10, 1/10, so if you have 5 decimals then the minimum price to be affected is .1 ALGO. If you have 4 decimals, the minimum price to be affected is .01 ALGO per.
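Worked example of the base-unit arithmetic behind the decimals rule in the notes above. This is an added example, not Tinyman contract code and not anything said on the call; it models only the mechanism the notes describe (a withdrawal path that treats one base unit of an ASA as if it were one base unit of ALGO, i.e. one microalgo) and reproduces the thresholds quoted above (6 decimals: 1 ALGO, 5 decimals: 0.1 ALGO, 4 decimals: 0.01 ALGO, 7 decimals: 10 ALGO). The function names, the pool prices and the decimals counts are constructed for the illustration.

```python
"""Base-unit arithmetic behind "the more decimals, the safer you are".

Added worked example for these notes. It is NOT Tinyman contract code and does
not reproduce the real exploit; it only models the mechanism the notes describe:
a withdrawal path that treats one base unit of an ASA as one base unit of ALGO
(one microalgo). Pool prices and decimals below are constructed for illustration.
"""
from fractions import Fraction

ALGO_DECIMALS = 6                              # 1 ALGO = 1_000_000 microalgos
MICROALGO = Fraction(1, 10 ** ALGO_DECIMALS)   # value of one ALGO base unit, in ALGO


def asa_base_unit_value(price_algo_per_asa, decimals):
    """ALGO value of one base unit of an ASA quoted at price_algo_per_asa
    (ALGO per whole ASA) with the given number of decimals."""
    return Fraction(price_algo_per_asa) / 10 ** decimals


def spoof_threshold(decimals):
    """Lowest price (ALGO per whole ASA) at which one ASA base unit is worth
    exactly one microalgo.  price / 10**decimals == 1 / 10**6, so the
    threshold is 10**(decimals - 6): 1 ALGO at 6 decimals, 0.1 at 5, 0.01 at 4,
    10 at 7.  Above it, the 1-unit-for-1-unit spoof is profitable."""
    return Fraction(10) ** (decimals - ALGO_DECIMALS)


def is_exposed(price_algo_per_asa, decimals):
    """True when an ASA base unit is worth more than the microalgo it is
    mistaken for (price strictly above the threshold).  At exactly 1:1 with
    6 decimals both units are worth the same, the notes' "probably safe" case."""
    return asa_base_unit_value(price_algo_per_asa, decimals) > MICROALGO


def spoof_gain(price_algo_per_asa, decimals, base_units):
    """Net ALGO gained by an attacker who is charged `base_units` microalgos
    (ALGO-side accounting) but receives `base_units` ASA base units.
    Negative means the spoof loses money, so that pool is not worth attacking."""
    received = base_units * asa_base_unit_value(price_algo_per_asa, decimals)
    charged = base_units * MICROALGO
    return received - charged


def threshold_table(max_decimals=10):
    """Threshold price per decimals count, for a quick look-up of a listed ASA."""
    return {d: spoof_threshold(d) for d in range(0, max_decimals + 1)}


if __name__ == "__main__":
    # Constructed pools: (label, ALGO per whole ASA, ASA decimals)
    pools = [
        ("big-ticket ASA, 6 decimals", Fraction(1000), 6),
        ("1:1 ASA, 6 decimals", Fraction(1), 6),
        ("cheap ASA, 6 decimals", Fraction(1, 2), 6),
        ("cheap ASA, 4 decimals", Fraction(1, 20), 4),
        ("pricey ASA, 7 decimals", Fraction(5), 7),
    ]
    for label, price, dec in pools:
        print(f"{label}: threshold {spoof_threshold(dec)} ALGO, "
              f"exposed={is_exposed(price, dec)}, "
              f"gain per 10,000 base units="
              f"{float(spoof_gain(price, dec, 10_000)):.6f} ALGO")
```

The comparison is done on base units because, as the notes say, the contract works in the smallest denomination: the ASA's decimals count is the only thing that maps one of its base units onto a microalgo, so an ASA quoted below 1 ALGO is still exposed once it has fewer than 6 decimals, and a 7-decimal ASA at 5 ALGO is not.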