Osmosis Exploited For $5M Due To Contract Bug

Four attackers were responsible for stealing at least 95% of the money. Two have already said they will return the money they had stolen, according to co-founder Sunny Aggarwal.

By: Aleksandar Gilbert


Osmosis, a decentralized exchange in the Cosmos ecosystem, was taken offline on Jun. 8 after hackers drained an estimated $5M from its liquidity pools.

Osmosis co-founder Sunny Aggarwal said four attackers were responsible for stealing at least 95% of the money. Two have already said they will return the money they had stolen, Aggarwal added.

Osmosis, an inter-chain automated market maker, had approximately $212M in total value locked as of Wednesday afternoon. The hackers exploited a bug in Osmosis, according to posts from a moderator in the project’s Discord.

“Essentially, the function would give 50% too many LP shares for a join,” moderator RoboMcGobo wrote shortly after noon Wednesday. “So if one should have gotten 10 LP shares, 15 would be achieved out.”

The bug was exploited intentionally by “a small number” of people and “seemingly unintentionally by a few others,” RoboMcGobo added.
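The over-issuance the moderator describes, as an added illustration that is not Osmosis's own code: a minimal pool model in Go (the language Osmosis is written in) with the correct all-asset join-share formula, a hypothetical variant that mints 50% too many shares, and the post-join invariant check a pool module can run before committing state so that such a join is rejected rather than paid out. The pool, denoms and deposit amounts are constructed; the real code path behind the bug is not given by the article.

```go
package main

import "fmt"

// Pool is a minimal two-asset liquidity pool: reserves per denom plus the
// outstanding LP share supply. Constructed illustration, not the Osmosis gamm module.
type Pool struct {
	Reserves    map[string]int64
	TotalShares int64
}

// CorrectJoinShares: an all-asset join adds fraction r of every reserve and is owed
// r * TotalShares; taking the smallest r means a lopsided deposit cannot mint more than it funds.
func CorrectJoinShares(p Pool, amountsIn map[string]int64) int64 {
	var shares int64 = -1
	for denom, reserve := range p.Reserves {
		s := p.TotalShares * amountsIn[denom] / reserve
		if shares < 0 || s < shares {
			shares = s
		}
	}
	return shares
}

// BuggyJoinShares reproduces the symptom quoted above (15 shares where 10 were owed).
// Hypothetical: the article does not give the real code path behind the bug.
func BuggyJoinShares(p Pool, amountsIn map[string]int64) int64 {
	return CorrectJoinShares(p, amountsIn) * 3 / 2
}

// JoinInvariantHolds is a post-join check to run before committing state: for every
// asset, the depositor's fraction of the new share supply must not exceed the
// fraction of that reserve they actually added (cross-multiplied to stay in integers).
func JoinInvariantHolds(p Pool, amountsIn map[string]int64, minted int64) bool {
	for denom, reserve := range p.Reserves {
		in := amountsIn[denom]
		if minted*(reserve+in) > in*(p.TotalShares+minted) {
			return false
		}
	}
	return true
}

func main() {
	pool := Pool{Reserves: map[string]int64{"uosmo": 1000, "uatom": 1000}, TotalShares: 100}
	deposit := map[string]int64{"uosmo": 100, "uatom": 100} // adds 10% of each reserve
	bad := BuggyJoinShares(pool, deposit)
	fmt.Printf("owed=%d minted=%d invariant_ok=%v\n", CorrectJoinShares(pool, deposit), bad, JoinInvariantHolds(pool, deposit, bad))
}
```

With the constructed pool the correct join yields 10 shares and the invariant holds; the buggy join yields 15 and the invariant fails, which is the point at which the transaction should be rejected.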

Reddit to the Rescue

The exploit was apparently first flagged by a Reddit user. After it was discovered, validators coordinated an emergency halt within 12 minutes — before some of the stolen money could be sent off-chain, RoboMcGobo said. “It is likely that some temporary measures will be taken to prevent further losses until governance can make a decision on the final disposition of those funds.”

As of 5 p.m. ET Wednesday, a proposal was yet to be put forward and voted on by the Osmosis community.

At least one person claiming to have taken advantage of the bug confessed publicly.

‘Lapse in Judgement’

“In disbelief of it being real, two members of @fire_stake” — a staking service for delegators of the Cosmos blockchain — “started testing to see if the bug existed,” reads a post on FireStake’s Twitter account.

That “testing” grew into “a temporary lapse in good judgment, and in the process, we managed to convert $226 USD to ~$2M,” the post continued. “We were thinking about our family’s future, and not the future of our community.”

The post goes on to say that the FireStake members who exploited the bug had a change of heart and are now working with Osmosis to return the pilfered assets.

CEX Links

According to Aggarwal, the other two hackers who stole the vast majority of the remaining money have made transactions with centralized exchanges. Crypto exchanges must comply with know-your-customer laws, making it far easier to identify bad actors.

“Funds have been linked to CEX accounts. Law enforcement has been notified,” RoboMcGobo wrote. “We’re hopeful that the exploiters will do the right thing here so that aggressive action will not be necessary.”