On June 7, someone posted a Reddit thread that was later deleted by the forum’s moderator. The thread contained a serious claim — the Osmosis network had a bug that allowed liquidity providers to earn an extra 50% when adding and withdrawing liquidity.
Osmosis (OSMO) is a blockchain in the Cosmos ecosystem that offers a decentralized exchange and wallet.
The claim appeared improbable until the network was halted for emergency maintenance.
Hello @osmosiszone friends. As of block #4713064 the Osmosis chain has been halted for emergency maintenance.
At this time the Osmosis DEX and Wallet are inoperable, until repairs are completed.
Please stand by as Devs work to get us back on.
— EmperorOsmo (Hathor Nodes) (@Flowslikeosmo)
Although the Osmosis team did not acknowledge an exploit at the time, the halt came about after a few attackers drained around $5 million.
Liquidity pools were NOT “completely drained”.
Devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery.
More info to come. https://t.co/WOu7MMgSUM
— Osmosis (@osmosiszone)
The Osmosis team has identified the bug and developed a patch that is being tested before deployment. Developers are still working on restarting the network.
Update: the bug has been identified and a patch written.
More testing is underway before validators are recommended to coordinate a restart.
Full bug report and action plan for more thorough and proper end-to-end testing of chain upgrades to follow in the coming days. https://t.co/DjJMOEQxrT
— Osmosis (@osmosiszone)
So this is how the attackers managed to exploit the network, as shown by on-chain activity:
A Twitter user pointed out in a thread that one of the attackers added liquidity in the form of USD Coin (USDC) and OSMO. The attacker then received GAMM LP tokens in return, which represented their share in the pool. The perpetrators immediately redeemed the GAMM LP tokens, thereby receiving 50% more than the amount of USDC and OSMO they had added as liquidity.
First off, apparently a subredditer called this out a while back – so props to them.
➼ So the wallet (osmo1hq) is the exploiter.
First he provides Liquidity in the form of $USDC (I verified this in the source code) + $OSMO
He then receives $GAMM LP tokens in return. pic.twitter.com/K3JzrDRPMN
— Andeh #OnChain (@0xLosingMoney)
The perpetrator then swapped the OSMO tokens for ATOM and sent them to other wallets. This same process was repeated over and over again — each time the attacker gained 50% more tokens.
Most of the proceeds in OSMO were swapped for ATOM and transferred to a wallet that contains $9 million worth of ATOM tokens, the Twitter thread said. However, this wallet did not include the USDC tokens the attacker gained by exploiting the bug — the USDC tokens were neither swapped nor transferred, the thread added.
Once he’s had his fun,
➼ He sends the $ATOM out to a chain of other wallets.
It’s hard to tell on the https://t.co/o02L0T5QtQ scanner how much in total it was, but I tracked the wallets and… pic.twitter.com/dchu2pDgQG
— Andeh #OnChain (@0xLosingMoney)
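The mechanism described above (join a pool, receive LP shares, redeem them for more than was deposited) reduces to a single accounting invariant: a join immediately followed by an exit must never return more of any asset than went in. The following Python model is an added example, not Osmosis code and not a reconstruction of the actual Osmosis root cause (which this article does not describe). It builds a toy two-asset pool with proportional LP shares, a hypothetical `exit_multiplier` knob that models any exit-side over-payment (1.5 reproduces the 50% figure), a round-trip invariant check of the kind a pre-upgrade test suite would run, and a simple net-flow detector that flags wallets whose withdrawals exceed their deposits in a constructed event log.

```python
from dataclasses import dataclass
from fractions import Fraction
from collections import defaultdict


@dataclass
class Pool:
    """Toy two-asset AMM pool with proportional LP shares (constructed model, not Osmosis code)."""
    reserves: dict                              # asset symbol -> reserve amount
    total_shares: Fraction                      # outstanding LP shares ("GAMM"-style)
    exit_multiplier: Fraction = Fraction(1)     # hypothetical knob: 1 = correct, 3/2 = pays out 50% too much

    def join(self, deposit: dict) -> Fraction:
        """Proportional join: mint shares for the smallest deposit/reserve ratio, then add all deposits."""
        ratio = min(Fraction(deposit[a]) / self.reserves[a] for a in self.reserves)
        minted = self.total_shares * ratio
        for a in self.reserves:
            self.reserves[a] += Fraction(deposit[a])
        self.total_shares += minted
        return minted

    def exit(self, shares: Fraction) -> dict:
        """Redeem shares for a pro-rata slice of each reserve, scaled by the (possibly buggy) multiplier."""
        fraction_of_pool = shares / self.total_shares
        out = {a: self.reserves[a] * fraction_of_pool * self.exit_multiplier for a in self.reserves}
        for a in self.reserves:
            self.reserves[a] -= out[a]
        self.total_shares -= shares
        return out


def round_trip_gain(pool: Pool, deposit: dict) -> dict:
    """Join then immediately exit; return (amount out - amount in) per asset."""
    shares = pool.join(deposit)
    out = pool.exit(shares)
    return {a: out[a] - Fraction(deposit[a]) for a in deposit}


def check_value_conservation(pool: Pool, deposit: dict) -> bool:
    """Invariant a pool test suite should assert: a join/exit round trip never pays out more than deposited."""
    return all(gain <= 0 for gain in round_trip_gain(pool, deposit).values())


def net_flows(events) -> dict:
    """Per-wallet, per-asset net of withdrawals minus deposits from (wallet, kind, asset, amount) events."""
    net = defaultdict(lambda: defaultdict(Fraction))
    for wallet, kind, asset, amount in events:
        sign = 1 if kind == "withdraw" else -1
        net[wallet][asset] += sign * Fraction(amount)
    return net


def flag_net_extractors(events) -> list:
    """Wallets that have taken more of some asset out of the pool than they ever put in (sorted)."""
    return sorted(w for w, per_asset in net_flows(events).items() if any(v > 0 for v in per_asset.values()))


# Constructed sample event log: wallet_a makes a normal round trip, wallet_b repeatedly extracts 50% extra.
SAMPLE_EVENTS = [
    ("wallet_a", "deposit", "USDC", 100), ("wallet_a", "deposit", "OSMO", 100),
    ("wallet_a", "withdraw", "USDC", 100), ("wallet_a", "withdraw", "OSMO", 100),
    ("wallet_b", "deposit", "USDC", 100), ("wallet_b", "deposit", "OSMO", 100),
    ("wallet_b", "withdraw", "USDC", 150), ("wallet_b", "withdraw", "OSMO", 150),
    ("wallet_b", "deposit", "USDC", 150), ("wallet_b", "deposit", "OSMO", 150),
    ("wallet_b", "withdraw", "USDC", 225), ("wallet_b", "withdraw", "OSMO", 225),
]


def fresh_pool(multiplier: Fraction = Fraction(1)) -> Pool:
    """1000/1000 reserves with 100 outstanding shares (constructed starting state)."""
    return Pool({"USDC": Fraction(1000), "OSMO": Fraction(1000)}, Fraction(100), multiplier)


if __name__ == "__main__":
    print("sound pool conserves value:", check_value_conservation(fresh_pool(), {"USDC": 100, "OSMO": 100}))
    print("over-paying pool gain:", round_trip_gain(fresh_pool(Fraction(3, 2)), {"USDC": 100, "OSMO": 100}))
    print("flagged wallets:", flag_net_extractors(SAMPLE_EVENTS))
```

The invariant check is the pre-deployment control: running `check_value_conservation` over proportional and lopsided deposits against every pool type before a chain upgrade ships is exactly the "end-to-end testing of chain upgrades" the Osmosis team refers to. The net-flow detector is the post-deployment control: on a sound pool no wallet can ever show a positive net for any asset from join/exit alone, so a single positive entry is a high-confidence alert rather than a heuristic.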
Osmosis identifies attackers; FireStake comes forth
Four attackers have been identified as the key perpetrators who stole over 95% of the exploited amount, according to a Twitter thread by Osmosis. Two out of the four attackers have volunteered to return the complete stolen funds. The other two have transactions to and from centralized exchanges, which have been alerted to identify the perpetrators and recover the funds.
Update:
– 4 individuals have been identified that account for 95%+ of realized exploit amount.
– 2 out of the 4 individuals have proactively expressed intent to return the exploited amount in full.
— Osmosis (@osmosiszone)
Barely an hour after Osmosis’ Tweet regarding the attackers, FireStake — a validator in the Cosmos ecosystem — came forward in a Tweet and admitted to exploiting the LP bug but noted that they are trying to “set things right” and working with the Osmosis team to return the exploited funds.
Dear @osmosiszone community, many of you know about the Osmosis LP bug that occurred yesterday.
In disbelief of it being real, two members of @fire_stake started testing to see if the bug existed, testing grew into a temporary lapse in good judgment, and…
— FireStake | Validator (@stake_fire)
In the process, we managed to turn $226 USDC into ~$2 million. We thought about the future of our family, and not the future of our community.
Soon after, we stressed through the night about how we could set things right. We are currently working with the Osmosis team…
— FireStake | Validator (@stake_fire)
to return the funds as soon as possible. We’re also working with the Osmosis team to encourage anyone else who took advantage of this situation to please come forward and return funds.
You’re welcome to come to us, and we can help act as a liaison. We need to make this right.
— FireStake | Validator (@stake_fire)
Source: https://cryptoslate.com/attackers-drain-5-million-from-osmosis-firestake-validator-admits-to-exploiting-lp-bug/