Osmosis Suffers $5M Liquidity Pool Exploit

  • Osmosis’ bug allowed users to add liquidity to any of its liquidity pools, and immediately withdraw 150% of their initial investment.
  • The DEX noted that four individuals were responsible for 95% of the stolen funds, and that two have already volunteered to return $2 million.

Decentralized exchange (DEX) Osmosis has lost roughly $5 million in tokens after attackers exploited a liquidity provider (LP) bug that appeared after its recent update, the DEX said in a series of tweets.

According to the announcement, the bug allowed users to add liquidity to any Osmosis LP and then immediately withdraw it for a 150% return on their initial investment. The bug was first reported in a Reddit post on 8 June, and although it was patched quickly, users were still able to take advantage of it and drain around $5 million from Osmosis’ liquidity pools.

Osmosis’ team quickly decided to halt the network — which happened at block height 4,713,064 — after the exploit was discovered, and noted that it would remain halted for at least 48 hours. The DEX also assured users that all losses from the exploit would be covered, and that a recovery plan would be available in the near future.

The DEX noted on Twitter that the bug was “exploited intentionally by a small number of users” and “seemingly unintentionally by a few others”, with just four individuals identified as responsible for 95% of the exploited amount. Osmosis co-founder Sunny Aggarwal said in a post that two of the attackers had made a series of transactions to centralized exchanges, making them easier to track. He also wrote:

“Law enforcement has been notified. We’re hopeful that the exploiters will do the right thing here so that aggressive action will not be necessary.”

Shortly after Osmosis revealed the bug on Twitter, FireStake admitted that two of its members had exploited the bug for roughly $2 million following “a temporary lapse in good judgment”. After “stressing through the night”, the two decided to come forward and voluntarily return the funds.
