On June 7, someone posted a Reddit thread that was later deleted by the forum’s moderator. The thread contained a serious claim — the Osmosis network had a bug that allowed liquidity providers to earn an extra 50% when adding and withdrawing liquidity.
Osmosis (OSMO) is a blockchain in the Cosmos ecosystem that offers a decentralized exchange and wallet.
The claim appeared improbable until the network was halted for emergency maintenance.
Hello @osmosiszone friends. As of block #4713064 the Osmosis chain has been halted for emergency maintenance.
At this time the Osmosis DEX and Wallet are inoperable, until repairs are completed.
?Please stand by as Devs work to get us back on.
— ??EmperorOsmo(Hathor Nodes)?? (@Flowslikeosmo) June 8, 2022
Although the Osmosis team did not acknowledge an exploit at the time, the halt came about after a few attackers drained around $5 million.
Liquidity pools were NOT “completely drained”.
Devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery.
More info to come. https://t.co/WOu7MMgSUM
— Osmosis ? (@osmosiszone) June 8, 2022
The Osmosis team has identified the bug and developed a patch that is being tested before deployment. Developers are still working on restarting the network.
Update: The bug has been identified and a patch written.
More testing is underway before validators are recommended to coordinate a restart.
Full bug report and action plan for more thorough and proper end to end testing of chain upgrades to follow in coming days. https://t.co/DjJMOEQxrT
— Osmosis ? (@osmosiszone) June 8, 2022
So this is how the attackers managed to exploit the network, as shown by on-chain activity:
A Twitter user pointed out in a thread that one of the attackers added liquidity in the form of USD Coin (USDC) and OSMO. The attacker then received GAMM LP tokens in return, which represented their share in the pool. These perpetrators immediately withdrew the GAMM LP tokens, thereby gaining 50% extra than the amount of USDC and OSMO that had been added as liquidity.
First off, apparently a subredditer called this out a while back – so props to them.
➼ So the wallet (osmo1hq) is the exploiter.
First he provides Liquidity in the form of $USDC (I verified this in the source code) + $OSMO
He then recieves $GAMM LP tokens in return. pic.twitter.com/K3JzrDRPMN
— Andeh #OnChain (@0xLosingMoney) June 8, 2022
The perpetrator then swapped the OSMO tokens for ATOM and sent them to other wallets. This same process was repeated over and over again — each time the attacker gained 50% more tokens.
Most of the proceeds in OSMO were swapped for ATOM and transferred to a wallet that contains $9 million worth of ATOM tokens, the Twitter thread said. However, this wallet did not include the USDC tokens the attacker gained by exploiting the bug — the USDC tokens were neither swapped nor transferred, the thread added.
Once he’s had his fun,
➼ He sends the $ATOM out to a chain of other wallets.
It’s hard to tell on the https://t.co/o02L0T5QtQ scanner how much in total it was, but I tracked the wallets and… pic.twitter.com/dchu2pDgQG
— Andeh #OnChain (@0xLosingMoney) June 8, 2022
Osmosis identifies attackers; FireStake comes forth
Four attackers have been identified as the key perpetrators who stole over 95% of the exploited amount, according to a Twitter thread by Osmosis. Two out of the four attackers have volunteered to return the complete stolen funds. The other two have transactions to and from centralized exchanges, which have been alerted to identify the perpetrators and recover the funds.
Update:
– 4 individuals have been identified that account for 95%+ of realized exploit amount.
– 2 out of the 4 individuals has proactively expressed intent to return the exploited amount in full.
— Osmosis ? (@osmosiszone) June 8, 2022
Barely an hour after Osmosis’ Tweet regarding the attackers, FireStake — a validator in the Cosmos ecosystem — came forward in a Tweet and admitted to exploiting the LP bug but noted that they are trying to “set things right” and working with the Osmosis team to return the exploited funds.
Dear @osmosiszone community, many of you know about the Osmosis LP bug that occurred yesterday.
In disbelief of it being real, two members of @fire_stake started testing to see if the bug existed, testing grew into a temporary lapse in good judgment, and…
— FireStake | Validator (@stake_fire) June 8, 2022
in the process, we managed to convert $226 USD to ~$2M. We were thinking about our family’s future, and not the future of our community.
Shortly after doing so, we stressed throughout the night about how we can set things right. We’re currently working with the Osmosis team…
— FireStake | Validator (@stake_fire) June 8, 2022
to return the funds as soon as possible. We’re also working with the Osmosis team to encourage anyone else who took advantage of this situation to please come forward and return funds.
You’re welcome to come to us, and we can help act as a liaison. We need to make this right.
— FireStake | Validator (@stake_fire) June 8, 2022
Source: https://cryptoslate.com/attackers-drain-5-million-from-osmosis-firestake-validator-admits-to-exploiting-lp-bug/