Osmosis, a decentralized exchange (DEX) built on the Cosmos network, was halted just before 3:00 a.m. EST on Wednesday after attackers exploited a nearly $5 million liquidity provider (LP) bug.
The bug was first identified in a Reddit post on the official Cosmos Network page. The user, straight-hat3855, drew attention to a “serious problem” with Osmosis (OSMO) that allowed users to arbitrarily increase their LP shares by 50% simply by adding and then removing liquidity. The Reddit post was quickly taken down, but not before malicious actors took advantage of the bug, draining nearly $5 million from liquidity pools on the Osmosis exchange.
According to an announcement from the Osmosis block explorer Mintscan, the Osmosis chain was halted at block height 4,713,064 following detection of the exploit and the LP bug.
Explaining how the bug works in a series of posts on the Osmosis Discord, project moderator RoboMcGobo detailed how the flaw allowed attackers to add liquidity to any Osmosis LP and then immediately withdraw it for a 150% return on their initial deposit. “Essentially, there will be 50% too many LP shares minted,” RoboMcGobo wrote after 4:00 p.m. on Wednesday. “If one should receive 10 LP shares, 15 will be received.”
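To make the failure mode concrete, the following is an added toy model of a two-asset pool, written for this article and not Osmosis's own pool code. It mints LP shares on join and pays out pro rata on exit; a `shareMultiplierPct` parameter (an assumption of this model, not a real Osmosis setting) lets the same code mint the correct number of shares or 50% too many, the symptom described above. The `RoundTrip` function then applies the invariant an auditor or a chain's own safety checks would want: after any join-then-exit by one account, the value per share held by every other LP must not have gone down. Under the over-minting defect that invariant trips, because the round trip withdraws more than was deposited and the difference comes out of existing LPs' reserves.

```go
package main

import (
	"errors"
	"fmt"
)

// Pool is a constructed, minimal two-asset liquidity pool: two reserves plus
// the total number of LP shares outstanding. It is a teaching model only.
type Pool struct {
	ReserveA    int64
	ReserveB    int64
	TotalShares int64
}

// JoinPool adds a balanced deposit and mints shares proportional to the
// deposit's fraction of the reserves. shareMultiplierPct is an assumed knob
// that models an accounting defect: 100 is correct, 150 mints 50% too many
// shares (the behaviour the article describes).
func (p *Pool) JoinPool(depositA, depositB, shareMultiplierPct int64) int64 {
	// Assumes depositA/ReserveA == depositB/ReserveB (a balanced join).
	minted := p.TotalShares * depositA / p.ReserveA
	minted = minted * shareMultiplierPct / 100
	p.ReserveA += depositA
	p.ReserveB += depositB
	p.TotalShares += minted
	return minted
}

// ExitPool burns shares and pays out the pro-rata slice of each reserve.
func (p *Pool) ExitPool(shares int64) (int64, int64) {
	outA := p.ReserveA * shares / p.TotalShares
	outB := p.ReserveB * shares / p.TotalShares
	p.ReserveA -= outA
	p.ReserveB -= outB
	p.TotalShares -= shares
	return outA, outB
}

// RoundTrip joins with a deposit, exits with exactly the shares minted, and
// checks the invariant that value per LP share must not decrease for the
// remaining holders. It returns the withdrawn amounts and an error when the
// pool leaked value to the round-tripping account.
func RoundTrip(p *Pool, depositA, depositB, shareMultiplierPct int64) (int64, int64, error) {
	before := *p
	minted := p.JoinPool(depositA, depositB, shareMultiplierPct)
	outA, outB := p.ExitPool(minted)
	// Cross-multiplied comparison of after.Reserve/after.Shares against
	// before.Reserve/before.Shares, kept in integer arithmetic.
	if p.ReserveA*before.TotalShares < before.ReserveA*p.TotalShares ||
		p.ReserveB*before.TotalShares < before.ReserveB*p.TotalShares {
		return outA, outB, errors.New("invariant violated: value per LP share decreased after join/exit")
	}
	return outA, outB, nil
}

func main() {
	// Constructed sample pool: 1000 of each asset, 1000 shares outstanding.
	correct := &Pool{ReserveA: 1000, ReserveB: 1000, TotalShares: 1000}
	a, b, err := RoundTrip(correct, 100, 100, 100)
	fmt.Printf("correct minting: deposited 100/100, withdrew %d/%d, err=%v\n", a, b, err)

	buggy := &Pool{ReserveA: 1000, ReserveB: 1000, TotalShares: 1000}
	a, b, err = RoundTrip(buggy, 100, 100, 150)
	fmt.Printf("over-minting:    deposited 100/100, withdrew %d/%d, err=%v\n", a, b, err)
	fmt.Printf("remaining LPs now back %d/%d with %d shares\n", buggy.ReserveA, buggy.ReserveB, buggy.TotalShares)
}
```

In the small sample pool the round trip under the defect returns 143 of each asset for a 100 deposit rather than the full 150, because the attacker's own excess shares dilute the payout; in a pool many times larger than the deposit the return approaches the 150% quoted above. The point for defenders is the invariant, not the exact figure: a per-transaction check that reserves-per-share never decrease is cheap and catches this whole class of minting error regardless of where the arithmetic went wrong.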
RoboMcGobo explained that the bug was “deliberately exploited by a small number of users” and “appears to be unintentional by a few others.” According to a Twitter thread by Osmosis, four attackers were responsible for 95% of the total exploit amount, with two attackers proceeding to voluntarily return the stolen funds.
– 4 persons have been identified who are responsible for 95%+ exploitation amount recovered.
– 2 out of 4 individuals have actively expressed their intention to refund the exploited amount in full.— osmosis (@osmosiszone) 8 June 2022
About an hour after Osmosis tweeted about the attack, FireStake, a validator in the Cosmos ecosystem, posted a Twitter thread acknowledging that “a temporary lapse in good judgment” saw two members of its team take advantage of the bug for about $2 million.
FireStake told its 1,700 Twitter followers that the two were “thinking of [their] family’s future” as they continued to take advantage of the bug. However, after admitting to “overnight tension” about the incident, they voluntarily decided to return the money and “set things straight”.
Dear @osmosiszone Community, many of you are aware of the Osmosis LP bug that happened yesterday.
In disbelief of its genuineness, two members of @fire_stake started testing to see if the bug existed, testing turned into a temporary lapse in good judgment, and…— FireStake | validator (@stake_fire) 8 June 2022
According to a post by Osmosis co-founder Sunny Aggarwal, the other two hackers responsible for the theft carried out multiple transactions to centralized exchanges, which Aggarwal believes will make them easier to track.
RoboMcGobo echoed Aggarwal’s words in the project’s Discord: “The funds have been linked to CEX accounts. Law enforcement has been notified… We hope the exploiters do the right thing here so that aggressive action is not required.”