Attackers loot $5M from Osmosis in LP exploit, $2M returned soon after

Published at: June 9, 2022

Osmosis, a decentralized exchange (DEX) built on the Cosmos network, was halted just before 3:00 am EST on Wednesday after attackers exploited a liquidity provider (LP) bug to the tune of roughly $5 million.

The bug was first identified in a Reddit post on the official Cosmos Network page. The user, Straight-Hat3855, brought attention to a “serious problem” with Osmosis (OSMO) that allowed users to arbitrarily grow LPs by 50% simply by adding and removing liquidity. The Reddit post was quickly removed, but not before malicious actors took advantage of the bug, which saw approximately $5 million removed from liquidity pools on the Osmosis exchange.

Following the exploit and the identification of the LP bug, the Osmosis exchange was halted at a block height of 4,713,064, according to an announcement from Osmosis block explorer Mintscan.

Explaining how the bug worked in a series of posts in the Osmosis Discord was project moderator RoboMcGobo, who detailed how the flaw allowed attackers to add liquidity to any Osmosis LP and then immediately withdraw it for a 150% return on their initial deposit: “Essentially, the function would give 50% too many LP shares for a join,” RoboMcGobo wrote just after 4:00 pm on Wednesday, adding: “If one should have gotten 10 LP shares, 15 would be achieved out.”
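To make the share-accounting failure concrete, here is an added toy pool model (constructed for this article, not Osmosis code) with a correct pro-rata join beside one that mints 50% too many shares, plus the join-then-exit round-trip check that a test suite should enforce so such a regression cannot ship.

```go
package main

import "fmt"

// Pool is a constructed two-asset pool: reserves plus outstanding LP shares.
// This is a simplified model of share accounting, not the Osmosis implementation.
type Pool struct {
	A, B   uint64 // reserves of the two pooled assets
	Shares uint64 // total LP shares outstanding
}

// Join deposits a and b (assumed to be at the pool ratio) and mints shares
// pro rata. sharePct models the reported defect: 100 is correct, 150 mints
// 50% too many shares, as the Discord post describes.
func (p *Pool) Join(a, b, sharePct uint64) uint64 {
	minted := p.Shares * a / p.A // pro-rata share of the pool
	minted = minted * sharePct / 100
	p.A += a
	p.B += b
	p.Shares += minted
	return minted
}

// Exit burns shares and pays out the proportional reserves.
func (p *Pool) Exit(shares uint64) (outA, outB uint64) {
	outA = p.A * shares / p.Shares
	outB = p.B * shares / p.Shares
	p.A -= outA
	p.B -= outB
	p.Shares -= shares
	return outA, outB
}

// JoinExitRoundTrip deposits into a fresh pool and immediately exits,
// returning what was deposited and what came back for asset A.
func JoinExitRoundTrip(sharePct uint64) (depositA, withdrawnA uint64) {
	p := &Pool{A: 1_000_000, B: 1_000_000, Shares: 1_000_000}
	depositA = 100_000
	shares := p.Join(depositA, 100_000, sharePct)
	withdrawnA, _ = p.Exit(shares)
	return depositA, withdrawnA
}

// RoundTripSafe is the invariant a pool test suite should assert:
// an immediate join-then-exit never returns more than was deposited.
func RoundTripSafe(sharePct uint64) bool {
	d, w := JoinExitRoundTrip(sharePct)
	return w <= d
}

func main() {
	for _, pct := range []uint64{100, 150} {
		d, w := JoinExitRoundTrip(pct)
		fmt.Printf("share factor %d%%: deposited %d, withdrew %d, safe=%v\n", pct, d, w, RoundTripSafe(pct))
	}
}
```

With a 10% deposit the over-minted shares are diluted by the depositor's own liquidity, so the round trip returns about 143% rather than the full 150%; the smaller the deposit relative to the pool, the closer it gets to 150%.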

RoboMcGobo explained that the bug was “exploited intentionally by a small number of users” and “seemingly unintentionally by a few others.” According to a Twitter thread from Osmosis, four attackers were responsible for 95% of the total exploit amount, with two of the attackers voluntarily stepping forward to return stolen funds.

Update:
- 4 individuals have been identified that account for 95%+ of realized exploit amount.
- 2 out of the 4 individuals has proactively expressed intent to return the exploited amount in full.

— Osmosis (@osmosiszone) June 8, 2022

Roughly one hour following Osmosis’ tweet concerning the attack, FireStake, a validator in the Cosmos ecosystem, posted a Twitter thread admitting that “a temporary lapse in good judgment” saw two members of its team exploit the bug to the extent of roughly $2 million.

FireStake told its 1,700 Twitter followers that its team members were “thinking about [their] family’s future” when they continued to exploit the bug. However, after admitting to “stressing through the night” about the event, they decided to voluntarily return the funds and “set things straight.”

Dear @osmosiszone community, many of you know about the Osmosis LP bug that occurred yesterday. In disbelief of it being real, two members of @fire_stake started testing to see if the bug existed, testing grew into a temporary lapse in good judgment, and...

— FireStake | Validator (@stake_fire) June 8, 2022

According to a post from Osmosis co-founder Sunny Aggarwal, the other two hackers responsible for the theft made a series of transactions to centralized exchanges, which Aggarwal believes will make it easier to track them down.

RoboMcGobo echoed Aggarwal’s words in the project’s Discord: “Funds have been linked to CEX accounts. Law enforcement has been notified… we’re hopeful that the exploiters will do the right thing here so that aggressive action will not be necessary.”
