On June 7, someone posted a Reddit thread, later removed by a forum moderator, that made a serious claim: a bug in the Osmosis network let liquidity providers come out 50% ahead simply by adding liquidity and withdrawing it again.
Osmosis (OSMO) is a blockchain in the Cosmos ecosystem that offers a decentralized exchange and wallet.
The claim seemed unbelievable until the network was shut down for emergency maintenance.
Hi @osmosiszone friends. As of block #4713064, the Osmosis chain has been halted for emergency maintenance.
Osmosis DEX and Wallet are currently inoperative until repairs are completed.
🧪Please wait while the developers are working to bring us back.
— 🦙🧪Emperor Osmo (Hator Knots)🧪🦙 (@Flowslikeosmo) June 8, 2022
While the Osmosis team had not yet publicly confirmed the exploit, the halt came after several attackers had drained around $5 million.
The liquidity pools were NOT “completely depleted”.
The devs are fixing the bug, estimating the size of the damage (probably in the ~$5M range) and working on a restoration.
Additional information will appear later. https://t.co/WOu7MMgSUM
— Osmosis 🧪 (@osmosiszone) June 8, 2022
The Osmosis team has identified a bug and has developed a fix that is being tested before deployment. Developers are still working on restarting the network.
Update: A bug has been found and a patch has been written.
Additional testing is underway before validators are advised to coordinate a restart.
Full bug report and action plan for more thorough and proper end-to-end testing of chain upgrades to follow in the coming days. https://t.co/DjJMOEQxrT
— Osmosis 🧪 (@osmosiszone) June 8, 2022
Here is how the attackers exploited the bug, as reconstructed from on-chain activity:
A Twitter user laid out the sequence in a thread. One attacker added liquidity to a pool in the form of USD Coin (USDC) and OSMO and received GAMM LP tokens in return, representing that share of the pool. The attacker then immediately redeemed the GAMM LP tokens and received 50% more USDC and OSMO than had been deposited.
First off, apparently a subredditer reported this a while back – so kudos to them.
➼ So, the wallet (osmo1hq) is an exploiter.
It first provides liquidity in the form of $USDC (I checked it in the source code) + $OSMO
Then he gets $GAMM LP tokens in return. pic.twitter.com/K3JzrDRPMN
— Andeh #OnChain (@0xLosingMoney) June 8, 2022
The attacker then swapped the OSMO for ATOM and sent it on to other wallets. The same join-and-exit cycle was repeated over and over, and each round paid out 50% more tokens than went in.
Most of the OSMO proceeds were swapped for ATOM and moved to a wallet holding about $9 million worth of ATOM, according to the thread. The USDC obtained through the bug was not in that wallet, however: the thread added that the USDC had been neither swapped nor transferred.
Once he had his fun
➼ He sends $ATOM to a chain of other wallets.
It’s hard to say about https://t.co/o02L0T5QtQ there were so many scanners, but I tracked the wallets and … pic.twitter.com/dchu2pDgQG
— Andeh #OnChain (@0xLosingMoney) June 8, 2022
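The exploit described above reduces to a single property that should never break: joining a pool and immediately exiting with every LP share you were given must not return more than you deposited. The following is an added example, not code from Osmosis or from anyone quoted on this page. It is a constructed two-asset pool model with a correct share calculation beside a hypothetical defect that over-credits a deposit (the actual Osmosis root cause is not described here and is not what the defect models), plus the join-then-exit round-trip check that end-to-end upgrade testing of the kind the team promised could run before a release. Pool sizes, deposit amounts and asset labels are all made up.

```go
package main

import (
	"fmt"
)

// Pool is a minimal two-asset pool that issues LP shares. Constructed model
// for this example; it is not Osmosis's gamm module.
type Pool struct {
	Reserves [2]int64 // assumed layout: index 0 = USDC, index 1 = OSMO
	Shares   int64    // total LP shares outstanding
}

// JoinFn maps a deposit to the number of LP shares the pool mints for it.
type JoinFn func(p *Pool, deposit [2]int64) int64

// CorrectJoin credits the depositor with the smallest fractional contribution
// across assets: depositing fraction f of every reserve mints f*Shares.
func CorrectJoin(p *Pool, deposit [2]int64) int64 {
	minted := int64(-1)
	for i := range deposit {
		s := deposit[i] * p.Shares / p.Reserves[i]
		if minted < 0 || s < minted {
			minted = s
		}
	}
	return minted
}

// BuggyJoin is a hypothetical defect, not the actual Osmosis bug: it credits
// the deposit one and a half times. It exists only to show what the check catches.
func BuggyJoin(p *Pool, deposit [2]int64) int64 {
	s := CorrectJoin(p, deposit)
	return s + s/2
}

// Join applies a deposit to the pool using the supplied share calculation
// and returns the shares minted to the depositor.
func (p *Pool) Join(join JoinFn, deposit [2]int64) int64 {
	minted := join(p, deposit)
	for i := range deposit {
		p.Reserves[i] += deposit[i]
	}
	p.Shares += minted
	return minted
}

// Exit burns LP shares and pays out the pro-rata slice of each reserve.
func (p *Pool) Exit(shares int64) [2]int64 {
	var out [2]int64
	for i := range p.Reserves {
		out[i] = p.Reserves[i] * shares / p.Shares
		p.Reserves[i] -= out[i]
	}
	p.Shares -= shares
	return out
}

// RoundTrip joins, then immediately exits with every share received, and
// returns what came back per asset. With no swap fee in this model the honest
// result is at most equal to the deposit; anything above it is a defect.
func RoundTrip(p *Pool, join JoinFn, deposit [2]int64) [2]int64 {
	shares := p.Join(join, deposit)
	return p.Exit(shares)
}

// CheckJoinExitInvariant reports an error naming the first asset whose
// join-exit round trip returned more than was deposited.
func CheckJoinExitInvariant(p *Pool, join JoinFn, deposit [2]int64) error {
	got := RoundTrip(p, join, deposit)
	for i := range got {
		if got[i] > deposit[i] {
			return fmt.Errorf("asset %d: deposited %d, round trip returned %d", i, deposit[i], got[i])
		}
	}
	return nil
}

// Replay repeats the round trip with the same deposit, as the attackers did,
// and returns the cumulative excess the depositor walks away with per asset.
func Replay(p *Pool, join JoinFn, deposit [2]int64, rounds int) [2]int64 {
	var profit [2]int64
	for r := 0; r < rounds; r++ {
		got := RoundTrip(p, join, deposit)
		for i := range got {
			profit[i] += got[i] - deposit[i]
		}
	}
	return profit
}

func main() {
	deposit := [2]int64{10_000, 10_000} // constructed amounts
	for name, join := range map[string]JoinFn{"correct": CorrectJoin, "buggy": BuggyJoin} {
		p := &Pool{Reserves: [2]int64{1_000_000, 1_000_000}, Shares: 1_000_000}
		fmt.Printf("%s join: %v\n", name, CheckJoinExitInvariant(p, join, deposit))
	}
}
```

The check is deliberately dumb: it does not care why shares were over-minted, only that a zero-fee join followed by a full exit handed back more than went in, which is exactly the symptom the Reddit poster reported. Run as a regression test against a pool seeded from mainnet state before a chain upgrade, it turns a one-line invariant into the alarm that was missing here.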
Osmosis identifies the exploiters; FireStake comes forward
According to a tweet from Osmosis, four attackers were identified as responsible for more than 95% of the exploited amount. Two of the four volunteered to return the funds in full. The other two had transacted with centralized exchanges, which were alerted in order to identify them and recover the funds.
Update:
– Identified 4 individuals who account for 95%+ of the exploited amount.
– 2 of the 4 have stated their intention to return the exploited amount in full.
— Osmosis 🧪 (@osmosiszone) June 8, 2022
Just an hour after Osmosis's tweet about the attackers, FireStake, a validator in the Cosmos ecosystem, tweeted an admission that it had exploited the LP bug, adding that it was trying to "fix the situation" and was working with the Osmosis team to return the exploited funds.
Dear @osmosiszone community, many of you are aware of yesterday's Osmosis LP bug.
Not believing it was real, two members of @fire_stake started testing to see if there was a bug; the testing escalated into a temporary lapse of common sense, and...
— Firestake | Validator (@stake_fire) June 8, 2022
in the process, we were able to convert $226 into ~$2 million. We thought about the future of our family, not about the future of our community.
Shortly after that, we spent the night thinking about how we can fix things. We are currently working with the Osmosis team…
— Firestake | Validator (@stake_fire) June 8, 2022
return the funds as soon as possible. We are also working with the Osmosis team to urge everyone who took advantage of this situation to come forward and return the funds.
Feel free to reach out to us and we can help act as a liaison. We have to make this right.
— Firestake | Validator (@stake_fire) June 8, 2022
Credit : cryptoslate.com