Michaël van de Poppe - 09 June 2022
Osmosis suffers $5M loss due to exploit
Osmosis became the latest victim of an exploit, resulting in losses running in the millions.
DEX for the Cosmos ecosystem
Osmosis is an AMM protocol which currently acts as THE liquidity hub of the Cosmos network. It is unique in its design because of the customizability it offers to AMM designers, combined with a governance mechanism by which each AMM pool’s liquidity providers can govern and direct their pools. It is because of these functionalities the Osmosis DEX offers great flexibility in terms of liquidity provisioning and governance of the protocol.
$5 mln bug
On June 8th 2022 a bug was identified by a Reddit user by the name of Straight-Hat3855. The user described an error regarding the liquidity pools where they could add and remove liquidity from any pool, promptly gaining an additional 50% on top of their initial deposit. An hour later the post was removed by a moderator of the subreddit, but it did not go unnoticed. You can find the post here.
Some operators quickly flocked to the chain to abuse the bug, with Osmosis estimating a loss in the range of $5M. Twitter user @TheJunonaut was on the case immediately and shared an address which abused the bug in the span of 30 minutes, draining about 75,000 $ATOM from the Osmosis Hub. @TheJunonaut also noted that some validators had been reporting issues in the Osmosis Discord following the ‘v9 Nitrogen’ upgrade to the chain.
The v9 Nitrogen upgrade is an update to the Osmosis chain which came with some interesting features such as the token factory module, upgrades to governance and the implementation of IBC v3. It is worth noting the upgrade went live only a few hours before the bug was identified. If you’d like to learn more about the v9 Nitrogen upgrade please refer to the official blog post and/or the governance proposal.
The team responds
The Osmosis team was quick to react by halting the chain, identifying the bug and even writing the patch to fix the bug within 24 hours. The patch is currently being tested properly before validators will restart the network, with a full bug report and action plan coming up in a few days.
Following the first 24 hours the team was able to share more information regarding the bug, the lost funds and the steps taken by the team. It turns out that the bug was quite simple, but that it had been overlooked in the testing phase because of their focus on more advanced functionalities. Regarding the lost funds, the team has identified 4 wallets that account for 95% of the exploited amount. 2 out of the 4 wallet holders have expressed intent to return the exploited amount in full, while the other 2 had already withdrawn the funds to exchanges. It is noteworthy that 1 of the 2 wallets that came forward was one of Osmosis’ own validators, who claim they were able to turn $226 in to $2M. The exchanges and law enforcement have been informed about the other 2 wallets, and appropriate action will be taken in case the exploited funds are not returned. Apart from that the team is taking full responsibility for the lost funds and will be paying back any remaining lost funds out of their strategic reserve. At last, the team claims that the bug will be fixed and the chain will be up and running again within a few days, after they have worked out the testing process.
This debacle is a great example of how alternative Layer 1’s can still be flawed and have bugs, because they have not stood the test of time like $BTC and $ETH have. It is always worth taking precaution when engaging in investment or trading of alternative tokens, keeping in mind that the battle tested networks like Bitcoin and Ethereum are way more trustworthy than altcoins. It is also worth noting how the developers react to such instances. In this instance the Osmosis devs have been relatively quick to react to the bug, halting the chain quickly and working on a fix all within 24 hours. All while communicating each step taken with the community. Even though there has been an estimated loss of $5M, the response of the devs has been commendable thus far.
Awaiting full report of team
We will have to wait for the full bug report and action plan to be able to draw concrete conclusions about the approach of the devs. It will be worth paying attention to the fact if this incident has had any impact on the trust of the community. Since Osmosis was the primary DEX in the Cosmos ecosystem, the same holds true for the Cosmos ecosystem itself. Depending on the outcome it is possible some users will move to Crescent, formerly known as Gravity DEX, as an alternative to Osmosis. If the bug will not be fixed soon and the story takes a left turn, it is possible for users to lose trust and move their funds to another chain.
We will be keeping an eye on any updates, and we will be sure to keep you up to date!