Osmosis looses $5M to Hackers after LP bug exploit

By: Micheal Wilson

June 10, 2022 5:57 AM

Osmosis was exploited after a reddit post identified a bug on its LP which resulted in a $5M loss.

Hackers have exploited a bug in the Osmosis DEX which amounts to $5M as FireStake validators admit to their role in racking up approximately $2M in the LP attack.

The decentralized exchange (DEX) which is built on the Cosmos network, was halted just before 7:00 am GMT on Wednesday after the hackers exploited a liquidity provider (LP) bug amounting to roughly $5 million.

A reddit user brought attention to this bug in a post on the official Cosmos Network page on reddit. The user, named Straight-Hat3855, brought notified the community of the problem with Osmosis DEX (OSMO) that allowed users to arbitrarily grow LPs by 50% just by adding and removing liquidity. However, the Reddit post was quickly deleted, but seems to be a little too late before malicious actors took advantage of the situation, which saw an approximately $5 million wiped out from liquidity pools on the Osmosis decentralized exchange.

Meanwhile, immediately after the exploit of the LP bug, the Osmosis DEX was halted at a block height of 4,713,064, according to an announcement from Mintscan the Osmosis block explorer.

RoboMcGobo, an Osmosis Discord project operator explained how the LP flaw was exploited. He detailed how the flaw allowed Hackers to add liquidity to any Osmosis LP and then immediately withdraw it for a 150% return on their initial deposit.

The Osmosis Discord project operator wrote just after 4:00 pm on Wednesday, saying: “If one should have gotten 10 LP shares, 15 would be achieved out,” he added that the function would give 50% too many LP shares for a join.

RoboMcGobo explained that the bug was “exploited intentionally by a small number of users” and “seemingly unintentionally by a few others.” According to a Twitter thread from Osmosis, four attackers were responsible for 95% of the total exploit amount, with two of the attackers voluntarily stepping forward to return stolen funds.

However, in about one hour following Osmosis’ official tweet on the attack, a validator in the Cosmos ecosystem named Firestake, shared a Twitter thread admitting that two members of its team exploited the bug to the extent of approximately $2 million. Although, these funds would be returned voluntarily after Firestake confirmed to its 1,700 Twitter followers it wants to set things straight.

Osmosis co-founder Sunny Aggarwal made a post confirming the other two hackers responsible for the theft made a series of transactions to centralized exchanges, which he believes will make it easier to track them down.