Osmosis, a decentralized exchange (DEX) built on the Cosmos network, halted just before 3:00 a.m. EST on Wednesday after attackers exploited a liquidity provider (LP) bug worth approximately $5 million.
The bug was first identified in a Reddit post on the Cosmos network's official subreddit. User Straight-Hat3855 drew attention to a “serious problem” with Osmosis (OSMO) that allowed users to arbitrarily increase their LP shares by 50% simply by adding and then removing liquidity. The Reddit post was quickly removed, but not before malicious actors took advantage of the bug, which led to approximately $5 million being siphoned from liquidity pools on the Osmosis exchange.
Following the exploitation and identification of the LP bug, the Osmosis chain was halted at block height 4,713,064, according to an announcement by Osmosis block explorer Mintscan.
Project moderator RoboMcGobo explained how the bug worked in a series of posts on the Osmosis Discord, detailing how the flaw allowed attackers to add liquidity to any Osmosis LP and then immediately withdraw it for a 150% return on their initial deposit. “Essentially, the feature would give them an extra 50% LP shares for a join,” RoboMcGobo wrote just after 4:00 p.m. on Wednesday, adding, “If you were to get 10 LP shares, you would get 15.”
RoboMcGobo explained that the bug was “intentionally exploited by a small number of users” and “apparently unintentionally by a few others.” According to a Twitter thread from Osmosis, four attackers were responsible for 95% of the total amount of the exploit, and two of them voluntarily stepped forward to return the stolen funds.
Update:
– 4 individuals have been identified that account for 95%+ of realized exploit amount.
– 2 out of the 4 individuals have proactively expressed intent to return the exploited amount in full.
— Osmosis (@osmosiszone) June 8, 2022
About an hour after Osmosis’ tweet about the attack, FireStake, a validator for the Cosmos ecosystem, posted a Twitter thread admitting that a “temporary lapse of judgment” caused two members of their team to exploit the bug for approximately $2 million.
FireStake told its 1,700 Twitter followers that it was “thinking about the future of [their] family” when it continued to exploit the bug. However, after admitting that they “stressed out all night” over the event, the team decided to voluntarily return the funds and “settle things”.
dear @osmosiszone community, many of you know about the Osmosis LP bug that occurred yesterday.
In disbelief of it being real, two members of @fire_stake started testing to see if the bug existed, testing grew into a temporary lapse in good judgment, and…
— FireStake | Validator (@stake_fire) June 8, 2022
According to a post by Osmosis co-founder Sunny Aggarwal, the other two hackers responsible for the theft made a series of transactions to centralized exchanges, which Aggarwal believes will make it easier to track them down.
RoboMcGobo echoed Aggarwal’s words on the project’s Discord: “Funds have been linked to CEX accounts. Law enforcement has been notified… we are hopeful that the exploiters will do the right thing in this case so no aggressive action is necessary.”
Clarification: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information set forth herein should not be taken as financial advice or an investment recommendation. All investment and trading activity involves risk, and it is the responsibility of each person to do their own research before making an investment decision.