Attackers loot $5M from Osmosis in LP exploit, $2M returned soon after

Osmosis, a decentralized exchange (DEX) built on the Cosmos network, was halted just before 3:00 am EST on Wednesday after attackers exploited a liquidity provider (LP) bug to the tune of roughly $5 million.

The bug was first identified in a Reddit post on the official Cosmos Network page. The user, Straight-Hat3855, brought attention to a “serious problem” with Osmosis (OSMO) that allowed users to arbitrarily grow LPs by 50% simply by adding and removing liquidity. The Reddit post was quickly removed, but not before malicious actors took advantage of the bug, which saw approximately $5 million removed from liquidity pools on the Osmosis exchange.

Following the exploit and the identification of the LP bug, the Osmosis exchange was halted at a block height of 4,713,064, according to an announcement from Osmosis block explorer Mintscan.

Explaining how the bug worked in a series of posts in the Osmosis Discord was project moderator RoboMcGobo, who detailed how the flaw allowed attackers to add liquidity to any Osmosis LP and then immediately withdraw it for a 150% return on their initial deposit: “Essentially, the function would give 50% too many LP shares for a join,” RoboMcGobo wrote just after 4:00 pm on Wednesday, adding: “If one should have gotten 10 LP shares, 15 would be achieved out.”

RoboMcGobo explained that the bug was “exploited intentionally by a small number of users” and “seemingly unintentionally by a few others.” According to a Twitter thread from Osmosis, four attackers were responsible for 95% of the total exploit amount, with two of the attackers voluntarily stepping forward to return stolen funds.

Roughly one hour following Osmosis’ tweet concerning the attack, FireStake, a validator in the Cosmos ecosystem, posted a Twitter thread admitting that “a temporary lapse in good judgment” saw two members of its team exploit the bug to the extent of roughly $2 million.

Firestake told their 1,700 Twitter followers that they were “thinking about [their] family’s future” when they continued to exploit the bug. However, after admitting to “stressing through the night” about the event, they decided to voluntarily return the funds and “set things straight.”

According to a post from Osmosis co-founder Sunny Aggarwal, the other two hackers responsible for the theft made a series of transactions to centralized exchanges, which Aggarwal believes will make it easier to track them down.

RoboMcGobo echoed Aggarwal’s words in the project’s Discord, “Funds have been linked to CEX accounts. Law enforcement has been notified… we’re hopeful that the exploiters will do the right thing here so that aggressive action will not be necessary.”

All Dutch and English crypto news!

MetaWin Launches New Base and Arbitrum Layer 2-Powered Swap System, Boasting 2-Second Payment Speeds and Half a Cent Gas Fees

London, United Kingdom, March 28th, 2024, Chainwire MetaWin, the trailblazing platform for on-chain prize competitions, is delighted to announce the incorporation of the Base and Arbitrum...

US Treasurys tokenized on public blockchains top $1B

United States tokenized securities are predominantly held by Franklin Templeton and BlackRock funds. News Own this piece of crypto history Collect this article as NFT Join us on social...

Web3 game Wilder World gets Epic Game Store listing during alpha testing

The makers of Wilder World claim that it will be the “ultimate game” by combining popular genres into a single experience. News Own this piece of crypto...

EGGY surges, outperforming PEPE and FLOKI; analysts see MEDA as another meme coin with potential

EGGY outperforms PEPE and FLOKI despite launching last. PEPE investors plan for a bull run as FLOKI surges by 8% as new features cancel out weekly losses. Milei...

Beste exchanges

Koop je crypto bij Bitvavo