Osmosis Suffers $5M Liquidity Pool Exploit

Decentralized exchange (DEX) Osmosis has lost roughly $5 million in tokens after attackers exploited a liquidity provider (LP) bug that appeared after its recent update, the DEX said in a series of tweets.

According to the announcement, the bug allowed users to add liquidity to any Osmosis LP and then immediately withdraw it for a 150% return on their initial investment. The bug was first reported in a Reddit post on 8 June, and while it was removed quickly, users were still able to take advantage of the exploit and drain around $5 million from Osmosis’ liquidity pools.

Osmosis’s team quickly decided to halt the network — which happened at block height 4,713,064 — after the exploit was discovered, and noted that it will remain halted for at least 48 hours. The DEX also assured users that all losses from the exploit will be covered, and that a recovery plan will be available in the near future.

The DEX noted on Twitter that the bug was “exploited intentionally by a small number of users” and “seemingly unintentionally by a few others”, with only four individuals being identified as being responsible for 95% of the exploited amount. Osmosis co-founder Sunny Aggarwal said in a post that two of the attackers have made a series of transactions to centralized exchanges, making them easier to track. He also wrote:

“Law enforcement has been notified. We’re hopeful that the exploiters will do the right thing here so that aggressive action will not be necessary.”

Shortly after Osmosis revealed the bug on Twitter, FireStake admitted that two of its members had exploited the bug for roughly $2 million following “a temporary lapse in good judgment”. After “stressing through the night”, the two decided to come forward and voluntarily return the funds.