Attackers loot $5M from Osmosis in LP exploit, $2M returned soon after
Attackers have exploited a bug in the Osmosis exchange to the tune of $5M as FireStake validators admit to their role in racking up roughly $2M before stepping forward.
Osmosis, a decentralized exchange (DEX) built on the Cosmos network, was halted just before 3:00 am EST on Wednesday after attackers exploited a liquidity provider (LP) bug to the tune of roughly $5 million.
The bug was first identified in a Reddit post on the official Cosmos Network page. The user, Straight-Hat3855, brought attention to a “serious problem” with Osmosis (OSMO) that allowed users to arbitrarily grow LPs by 50% simply by adding and removing liquidity. The Reddit post was quickly removed, but not before malicious actors took advantage of the bug, which saw approximately $5 million removed from liquidity pools on the Osmosis exchange.
Following the exploit and the identification of the LP bug, the Osmosis exchange was halted at a block height of 4,713,064, according to an announcement from Osmosis block explorer Mintscan.
Project moderator RoboMcGobo explained how the bug worked in a series of posts in the Osmosis Discord, detailing how the flaw allowed attackers to add liquidity to any Osmosis LP and then immediately withdraw it for a 150% return on their initial deposit. “Essentially, the function would give 50% too many LP shares for a join,” RoboMcGobo wrote just after 4:00 pm on Wednesday, adding: “If one should have gotten 10 LP shares, 15 would be achieved out.”
RoboMcGobo explained that the bug was “exploited intentionally by a small number of users” and “seemingly unintentionally by a few others.” According to a Twitter thread from Osmosis, four attackers were responsible for 95% of the total exploit amount, with two of the attackers voluntarily stepping forward to return stolen funds.
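To make the over-minting concrete, here is an added toy model of a two-asset pool with a correct pro-rata join beside a join that mints 50% too many shares, plus the join-then-exit invariant a test suite would use to catch it. This is example code written for this article, not Osmosis code; the pool sizes, the 3/2 factor and the function names are constructed stand-ins for the real defect, which the article does not detail.

```go
package main

import (
	"errors"
	"fmt"
)

// Pool is a toy two-asset liquidity pool: reserves plus outstanding LP shares.
// Constructed for this example; it is not Osmosis code.
type Pool struct {
	ReserveA, ReserveB int64
	TotalShares        int64
}

// JoinFunc is either the correct join or the over-minting one below.
type JoinFunc func(p Pool, amtA, amtB int64) (Pool, int64, error)

// proRataShares computes the shares a proportional deposit is entitled to:
// shares = TotalShares * amtA / ReserveA (the standard pro-rata mint).
func proRataShares(p Pool, amtA, amtB int64) (int64, error) {
	if amtA <= 0 || amtB <= 0 {
		return 0, errors.New("deposit must be positive")
	}
	// The deposit must match the pool ratio, otherwise a share formula
	// based on asset A alone would be meaningless.
	if amtA*p.ReserveB != amtB*p.ReserveA {
		return 0, errors.New("deposit not proportional to reserves")
	}
	return p.TotalShares * amtA / p.ReserveA, nil
}

// JoinPool is the correct join: mint exactly the pro-rata shares.
func JoinPool(p Pool, amtA, amtB int64) (Pool, int64, error) {
	shares, err := proRataShares(p, amtA, amtB)
	if err != nil {
		return p, 0, err
	}
	p.ReserveA += amtA
	p.ReserveB += amtB
	p.TotalShares += shares
	return p, shares, nil
}

// JoinPoolOvermint models the flaw the article describes: the join hands out
// 50% more shares than the deposit is worth. The 3/2 factor is an assumed
// stand-in for the real defect, not the actual Osmosis code path.
func JoinPoolOvermint(p Pool, amtA, amtB int64) (Pool, int64, error) {
	shares, err := proRataShares(p, amtA, amtB)
	if err != nil {
		return p, 0, err
	}
	minted := shares * 3 / 2 // bug: 10 shares owed, 15 minted
	p.ReserveA += amtA
	p.ReserveB += amtB
	p.TotalShares += minted
	return p, minted, nil
}

// ExitPool burns shares and pays out the pro-rata slice of each reserve.
func ExitPool(p Pool, shares int64) (Pool, int64, int64, error) {
	if shares <= 0 || shares > p.TotalShares {
		return p, 0, 0, errors.New("invalid share amount")
	}
	outA := p.ReserveA * shares / p.TotalShares
	outB := p.ReserveB * shares / p.TotalShares
	p.ReserveA -= outA
	p.ReserveB -= outB
	p.TotalShares -= shares
	return p, outA, outB, nil
}

// RoundTrip joins and immediately exits with every share minted, returning
// the pool state afterwards and what the depositor walked away with.
func RoundTrip(join JoinFunc, p Pool, amtA, amtB int64) (Pool, int64, int64, error) {
	p, shares, err := join(p, amtA, amtB)
	if err != nil {
		return p, 0, 0, err
	}
	return ExitPool(p, shares)
}

// JoinExitSafe is the invariant a test suite should enforce on any join/exit
// pair: a depositor who joins and exits straight away can never take out more
// than they put in. It is the check that flags the over-minting join.
func JoinExitSafe(join JoinFunc, p Pool, amtA, amtB int64) bool {
	_, outA, outB, err := RoundTrip(join, p, amtA, amtB)
	return err == nil && outA <= amtA && outB <= amtB
}

func main() {
	// Constructed pool: 1:2 reserve ratio, one share per unit of asset A.
	p := Pool{ReserveA: 1_000_000, ReserveB: 2_000_000, TotalShares: 1_000_000}
	joins := []struct {
		name string
		fn   JoinFunc
	}{{"correct", JoinPool}, {"overmint", JoinPoolOvermint}}
	for _, j := range joins {
		after, outA, outB, _ := RoundTrip(j.fn, p, 1000, 2000)
		fmt.Printf("%-8s deposit 1000/2000 -> withdrew %d/%d; other LPs lost %d of A; invariant holds: %v\n",
			j.name, outA, outB, p.ReserveA-after.ReserveA, JoinExitSafe(j.fn, p, 1000, 2000))
	}
}
```

The round trip through the over-minting join returns roughly 150% of the deposit, and the difference comes straight out of the reserves backing every other provider's shares, which is why the invariant compares withdrawals against the deposit rather than just checking that the exit math balances.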
Update:
- 4 individuals have been identified that account for 95%+ of realized exploit amount.
- 2 out of the 4 individuals have proactively expressed intent to return the exploited amount in full.