Saturday, December 2, 2023

Osmosis Loses $5 Million Due to a Bug

tl;dr Summary: A bug was introduced as part of the new version 9.0 update to Osmosis, resulting in attackers draining $5 million from this popular DEX on the Cosmos ecosystem.

On June 8, 2022, the Osmosis team released their new version, v9.0, which contained a critical bug. The bug could have allowed attackers to drain all the liquidity from its pools.

The problem was spotted and reported by Reddit user Straight Hat, who said he found a bug on Osmosis that allowed him to take out 50% more than he put in. Initially, people had a tough time believing his claims until they tried it. 

Another user, Junønaut, reported that it is pretty easy to take advantage of this bug. All that is required is adding some liquidity to the pool, taking it out with 50% extra, and then repeating the process. He also shared an example of an address that repeatedly exploited this bug to make massive gains.

Once the validators noticed the issue, the Osmosis team stopped the chain to prevent further damage. 

Responding to the community, the Osmosis team reassured them that the liquidity pools are mostly intact and that the loss so far amounted to approximately $5 million. They also mentioned that the devs are working on fixing the problem. 

The team also identified four people who accounted for 95% of the stolen assets, two of whom agreed to refund the money. The remaining two used centralized exchanges to move the assets, and the team was in contact with those exchanges to help recover them.

The Osmosis team tweeted:

“The bug itself was simple. It involved incorrect calculation of LP shares when adding and removing liquidity from pools. It should have been caught. It was painfully overlooked in internal testing. That was focused on more advanced functionality related to the upgrade.”

They also said that the Osmosis development team takes full responsibility for lost funds since this was a technical bug and assured the community that this would never happen again. 
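As an added example (not code from Osmosis or from this article), the Go sketch below shows the kind of round-trip property test that catches an LP share miscalculation like the one described in the tweet: a join followed by an immediate exit must never pay out more than was deposited. The `Pool` model, `proRata`, and the `overMint` defect are constructed for illustration; the article does not show the actual faulty code.

```go
package main

import "fmt"

// Pool is a constructed single-asset model of a liquidity pool, not Osmosis code.
type Pool struct {
	Reserve, Shares int64
}

// ShareCalc returns the LP shares minted for a deposit into p.
type ShareCalc func(p Pool, deposit int64) int64

// proRata mints shares in proportion to the deposit (the expected behaviour).
func proRata(p Pool, deposit int64) int64 { return deposit * p.Shares / p.Reserve }

// overMint is a hypothetical defect that credits 50% too many shares.
func overMint(p Pool, deposit int64) int64 { return proRata(p, deposit) * 3 / 2 }

// roundTrip joins with deposit, then exits at once by burning the minted
// shares, and returns the amount paid out. p is a copy, so the caller's
// pool is left unchanged.
func roundTrip(p Pool, deposit int64, calc ShareCalc) int64 {
	minted := calc(p, deposit)
	p.Reserve += deposit
	p.Shares += minted
	return minted * p.Reserve / p.Shares
}

// checkNoProfit enforces the invariant: no deposit may come back larger.
func checkNoProfit(p Pool, deposits []int64, calc ShareCalc) error {
	for _, d := range deposits {
		if out := roundTrip(p, d, calc); out > d {
			return fmt.Errorf("invariant broken: deposit %d returned %d", d, out)
		}
	}
	return nil
}

func main() {
	pool := Pool{Reserve: 1_000_000, Shares: 1_000_000} // constructed sample state
	deposits := []int64{1, 10, 1_000, 250_000}
	fmt.Println("proRata: ", checkNoProfit(pool, deposits, proRata))
	fmt.Println("overMint:", checkNoProfit(pool, deposits, overMint))
}
```

Running the same invariant over randomized pool states and deposit sizes in CI turns it into a regression gate for any change to share accounting.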

The latest update tells us that the validators restarted the chain with the new code yesterday at 14:00 UTC. To compensate for the downtime, the first five blocks to be validated will be “Epoch” blocks. 

Osmosis has a special place within the Cosmos ecosystem. It is the only DEX made using the Inter-Blockchain Communication (IBC) protocol, which allows for the exchange of assets with other IBC-supported blockchains on its platform. Beyond the tech, the way the Osmosis community of users and developers came together in this time of crisis to collectively address the problem deserves acknowledgment.
