Liquidity pools drained on Osmosis
Early this morning, a flaw was discovered in the liquidity pools of the decentralized exchange (DEX) Osmosis (OSMO), which runs on its own dedicated blockchain. The information, first revealed by a Reddit user (the post has since been deleted), was officially confirmed by the Osmosis team on Twitter.
Liquidity pools were NOT “completely drained”.
Devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery.
More info to come. https://t.co/WOu7MMgSUM
— Osmosis 🧪 (@osmosiszone) June 8, 2022
To prevent further financial damage, the blockchain that supports the DEX was halted at block 4,713,064, according to the Mintscan explorer. However, a malicious user had time to exploit the flaw for his own benefit.
According to Osmosis, the amount stolen is around 5 million dollars. The thief's transactions (visible on the block explorer) were finalized 2 blocks before the blockchain was halted.
According to the latest statement from the team in charge of the protocol, the flaw has been identified and a patch has been applied. Internal tests are in progress to verify that no similar flaw is exploitable, and restart instructions will then be communicated to the network's validators so that operations can resume as soon as possible.
However, a detailed report is expected in the next few days, and the technical teams are expected to run a series of in-depth tests on the blockchain in order to propose a possible network update.
The course of the attack
According to the Reddit user who first reported the flaw, it was located directly in the liquidity pools themselves. According to his observation, a DEX user who contributed liquidity to a pool was able to withdraw 50% more, without any lock-in period.
The attacker thus repeated transactions using this method. However, he may have discovered it by pure chance.
Indeed, according to on-chain data, only 26 OSMO tokens (about $30 at the time of the attack) were added to the liquidity pool in the first transaction, resulting in an initial profit of 13 additional OSMO on withdrawal.
The second transaction is much more substantial: the malicious user deposited 101,230 OSMO tokens (i.e. over $116,000 at the time of the attack) into the pool, for a gain of $58,207 in the form of OSMO.
He then repeated the operation in a loop, each time with a larger amount, before transferring part of his tokens to another wallet, from which he repeated the operation again. In total, approximately $5 million was siphoned off by this process.
The price of the OSMO token was impacted to a lesser extent, losing around 7% of its value over 24 hours. It currently trades at $1.11, far from its ATH (highest price) of $11.25 reached on March 4, 2022.