On January 1, 2022, Tinyman — the leading AMM on Algorand — lost approximately $3 million through a flaw in how its swap/burn logic handled certain pool-token operations, letting an attacker extract assets at unintended rates across many pools. Copycats joined once the technique was visible.
What happened
Tinyman's pool-token redemption/swap path could be invoked in a way that returned more underlying than the operation justified. The attacker (and copycats) drained multiple pools (~$3M) before Tinyman advised users to withdraw and migrated to a patched v1.1.
Why it matters
Tinyman is the catalogue's primary Algorand entry, reinforcing — on a non-EVM chain with a different VM (AVM/TEAL) — that AMM swap/redeem math is a chain-independent hazard. Algorand's TEAL is a very different execution model from the EVM, yet the failure is recognisable: an operation that returns more value than it should under a specific input. The lesson generalises beyond Solidity: the AMM-invariant-under-adversarial-input problem is about math and economics, not a particular VM, and every chain's flagship AMM tends to learn it the same way.
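One way to express the invariant discussed above, as an added example that is not Tinyman's contract code and not TEAL: a Python model of a two-asset pool that rejects a redemption unless each pool asset is paid out exactly once and no payout exceeds the burner's pro-rata share. The `Pool` fields, function names and sample reserves are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pool:
    # Hypothetical simplified two-asset pool; not Tinyman's on-chain state layout.
    asset_a: int      # asset id
    asset_b: int      # asset id
    reserve_a: int
    reserve_b: int
    issued: int       # pool tokens in circulation


def max_payout(reserve: int, burned: int, issued: int) -> int:
    """Pro-rata share, rounded down so rounding never favours the redeemer."""
    return reserve * burned // issued


def validate_burn(pool: Pool, burned: int, payouts: list[tuple[int, int]]) -> list[str]:
    """Return the reasons a redemption must be rejected (empty list = acceptable).

    payouts is the list of (asset_id, amount) transfers requested from the pool.
    """
    if not 0 < burned <= pool.issued:
        return ["burned amount out of range"]
    errors = []
    reserves = {pool.asset_a: pool.reserve_a, pool.asset_b: pool.reserve_b}
    ids = [asset_id for asset_id, _ in payouts]
    # Each pool asset must be paid out exactly once: no repeats, no foreign assets.
    if sorted(ids) != sorted(reserves):
        errors.append("payout assets must be the pool's two assets, once each")
    for asset_id, amount in payouts:
        if asset_id not in reserves:
            continue  # already reported by the asset-set check above
        cap = max_payout(reserves[asset_id], burned, pool.issued)
        if amount < 0 or amount > cap:
            errors.append(f"asset {asset_id}: {amount} is outside 0..{cap}")
    return errors


# Constructed sample pool: 1,000,000 of asset 1, 50,000 of asset 2, 10,000 pool tokens issued.
POOL = Pool(asset_a=1, asset_b=2, reserve_a=1_000_000, reserve_b=50_000, issued=10_000)

if __name__ == "__main__":
    for payouts in ([(1, 10_000), (2, 500)], [(1, 10_001), (2, 500)], [(2, 500), (2, 500)]):
        print(payouts, validate_burn(POOL, 100, payouts) or "ok")
```

The same two conditions (asset set and pro-rata cap) are what a property-based test would assert over randomly generated burn requests.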
Sources & on-chain evidence
- [01] halborn.com: https://www.halborn.com/blog/post/explained-the-tinyman-hack-january-2022
- [02] cryptopotato.com: https://cryptopotato.com/3-million-lost-as-an-algorand-based-decentralized-trading-platform-exploited/
- [03] beincrypto.com: https://beincrypto.com/algorand-based-tinyman-amm-exploited-for-3-million/