Osmosis, a decentralized exchange built on the Cosmos network, was halted shortly before 3:00 AM ET on June 8 after attackers exploited a liquidity provider (LP) bug to drain roughly $5 million.
The bug was first identified in a Reddit post on the official Cosmos Network subreddit. User Straight-Hat3855 drew attention to a “serious problem” with Osmosis (OSMO) that allowed users to arbitrarily increase their LP shares by 50% simply by adding and then removing liquidity. The Reddit post was quickly taken down, but not before attackers exploited the bug to remove about $5 million from liquidity pools on the Osmosis exchange.
Following the exploit and the discovery of the LP bug, the Osmosis chain was halted at block height 4,713,064, according to data from the Osmosis block explorer, Mintscan.
Explaining how the bug worked in a series of Osmosis Discord posts, project moderator RoboMcGobo detailed how the vulnerability allowed attackers to add liquidity to any Osmosis LP and then immediately withdraw it, receiving 150% of their original deposit: “Essentially, the feature gave 50% more LP shares to join,” RoboMcGobo wrote just after 4 p.m. on Wednesday, adding, “If someone were to get 10 LP shares, 15 would be received.”
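To make the symptom concrete, here is a constructed toy pool model in Go (added here; not Osmosis code, and the real root cause is not stated in this article) that reproduces the 15-for-10 share mint described above and shows the kind of post-condition check a join path can enforce so that an add-then-withdraw round trip can never pay out more than was deposited. The pool sizes, the 3/2 factor and all function names are assumptions for illustration.

```go
package main

import "errors"

// Pool is a constructed single-asset toy model of an LP pool (not Osmosis code):
// tokens held and LP shares outstanding, with floored uint64 math as chain code uses.
type Pool struct {
	Liquidity   uint64 // tokens held by the pool
	TotalShares uint64 // LP shares outstanding
}

var ErrJoinInvariant = errors.New("join would mint more shares than the deposit is worth")

// proRataShares is the correct pricing rule: sharesOut/TotalShares == deposit/Liquidity.
func (p *Pool) proRataShares(deposit uint64) uint64 {
	if p.TotalShares == 0 { // bootstrap: first depositor gets 1 share per token
		return deposit
	}
	return deposit * p.TotalShares / p.Liquidity
}

func (p *Pool) mint(deposit, sharesOut uint64) uint64 {
	p.Liquidity, p.TotalShares = p.Liquidity+deposit, p.TotalShares+sharesOut
	return sharesOut
}

// joinBuggy reproduces the symptom the post describes (10 shares earned, 15 received);
// the 3/2 factor is a constructed stand-in, not the real defect.
func (p *Pool) joinBuggy(deposit uint64) uint64 {
	return p.mint(deposit, p.proRataShares(deposit)*3/2)
}

// joinChecked accepts shares from any pricing code but refuses a mint that would give
// the joiner a larger fraction of the shares than of the liquidity, i.e. it requires
// sharesOut/(TotalShares+sharesOut) <= deposit/(Liquidity+deposit), cross-multiplied.
// Honest floored pro-rata mints always pass; the buggy 15-for-10 mint is rejected.
func (p *Pool) joinChecked(deposit, sharesOut uint64) (uint64, error) {
	if sharesOut*(p.Liquidity+deposit) > deposit*(p.TotalShares+sharesOut) {
		return 0, ErrJoinInvariant
	}
	return p.mint(deposit, sharesOut), nil
}

// exit burns shares and pays out the pro-rata tokens (floored); with the buggy join,
// an immediate exit pays more than was deposited, out of the other providers' funds.
func (p *Pool) exit(shares uint64) uint64 {
	tokens := shares * p.Liquidity / p.TotalShares
	p.Liquidity, p.TotalShares = p.Liquidity-tokens, p.TotalShares-shares
	return tokens
}
```

With a pool of 1000 tokens and 1000 shares, joinBuggy(10) mints 15 shares and an immediate exit pays 14 tokens, while joinChecked(10, 15) returns ErrJoinInvariant and leaves the pool untouched.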
RoboMcGobo explained that the bug was “intentionally exploited by a small number of users” and “apparently unintentionally by some others”. According to the Osmosis Twitter thread, four attackers are responsible for 95% of the total exploit, and two of them have volunteered to return the stolen funds.
– Identified 4 people who account for 95%+ of the exploited amount.
– 2 out of 4 persons declared their intention to return the amount in full.
— Osmosis (@osmosiszone) June 8, 2022
About an hour after Osmosis’s tweet about the attack, Firestake, a validator in the Cosmos ecosystem, posted a thread on Twitter admitting that a “temporary error of common sense” resulted in two members of its team exploiting the bug for approximately $2 million.
Firestake told its 1,700 Twitter followers that they were “thinking about the future of [their] family” as they continued to exploit the bug. However, after admitting that they had been “nervous all night” about the event, they decided to voluntarily return the funds and “clean up the mess”.
Dear @osmosiszone community, many of you are aware of yesterday’s Osmosis LP bug.
Not believing it was real, two members of @fire_stake started testing to see if there was a bug; the testing escalated into a temporary error of common sense and…
— Firestake | Validator (@stake_fire) June 8, 2022
According to a message from Osmosis co-founder Sunny Aggarwal, the other two hackers responsible for the theft made a series of transactions on centralized exchanges, which Aggarwal believes will make them easier to trace.
RoboMcGobo echoed Aggarwal’s words on the project’s Discord: “Funds have been linked to CEX accounts. Law enforcement has been notified … we hope the exploiters do the right thing so aggressive action is not needed.”
Credit: cointelegraph.com