Cosmos-based DeFi protocol, Osmosis Network, was halted at block #4713064 on June 8th after spotting a critical vulnerability in its liquidity pools. The exploit took place just two blocks before the halt.
The attack was first reported by a Reddit user who warned if a customer deposits funds to an Osmosis pool would gain an extra 50% when removing it. The post has since been deleted.
But users began exploiting the vulnerability soon after to steal funds from Osmosis.
In one case, a malicious entity provided liquidity of 101,230 OSMO and made a 50% profit after exiting the position a few seconds later with 151,084 OSMO tokens. They managed to repeat this process at least 30 times.
It was only after the validators started reporting issues on Discord following the v9 Nitrogen upgrade that an emergency halt was employed to save the remaining liquidity on the decentralized exchange.
As a result, the Osmosis DEX and its native wallet remain inoperative for the time being.
Without divulging more details on the exact nature of the vulnerability, the DeFi protocol revealed identifying the bug and writing a patch.
The devs are currently testing the protocols before recommending the validators to restart the network.
“Update: The bug has been identified and a patch written. More testing is underway before validators are recommended to coordinate a restart. Full bug report and action plan for a more thorough and proper end to end testing of chain upgrades to follow in coming days.”
Later on, the team behind the protocol provided more information on what transpired, including admitting that $5 million were overdrawn and promising to return all lost funds.
Before giving more updates on the matter, the protocol will implement “multiple changes and upgrades to our security protocols to ensure the quality and safety of Osmosis.”
The bug itself was simple, and involved incorrect calculation of LP shares when adding and removing liquidity from pools.
It should have been caught. It was painfully overlooked in internal testing that was focused on more advanced functionality related to the upgrade.
— Osmosis (@osmosiszone) June 8, 2022