Osmosis DEX On The Cosmos Ecosystem Exploited for $5 million 

• Osmosis DEX on the Cosmos Blockchain was recently exploited for $5 million
• The DEX’s bug was first flagged by an anonymous user on Reddit. 

Osmosis, a reputed blockchain on the Cosmos ecosystem, was reportedly exploited today for $5 million. The network had to undergo an abrupt halt to save the remaining liquidity on the network. According to the DEX’s official discord, the osmosis chain was halted citing an “emergency maintenance”, alerting users to not use the chain or the DEX for any crypto activities for the time being. 

What Happened? 

According to multiple user accounts on Twitter, the DEX’s validators on Discord reported issues with the V9 nitrogen upgrade due to which an emergency halt was imposed to save the remaining liquidity on the network from getting exploited. 

On Discord, validators started reporting issues after the v9 Nitrogen upgrade and an emergency halt has been announced to save the remaining liquidity on the DEX. pic.twitter.com/uB0RcFZqdC

— Junønaut (@TheJunonaut) June 8, 2022

Before its identification, the bug had ended up impacting the DEX’s general performance and had suffered a crucial exploit that resulted in the DEX losing $5 million. The network’s core development team and validators had to halt the chain at block #4713064 to protect the DEX from encountering further damage. 

A Twitter user Junonaut explained the nature of the Osmosis exploit in detail adding that the incident was first flagged on reddit where a user claimed that Osmosis had undergone a serious exploit where anyone can add liquidity to any pool and gain an extra 50% when they remove it. 

It started with https://t.co/rifoL5mwMW claiming there is a serious exploit where anyone can add liquidity to any pool and gain an extra 50% when they remove it.

At first no one believed for a moment that it was true, until they tried it.

This is one heroic bug report. pic.twitter.com/OF346gMCzd

— Junønaut (@TheJunonaut) June 8, 2022

In addition to this, the Osmosis team took to Twitter to clarify their stance, adding that their team is working towards solving the critical bug issue. However, Osmosis also confirmed that they have lost funds worth $5 million and are working towards formulating a recovery plan. 

“Liquidity pools were NOT “completely drained”.Devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery. More info to come.” Osmosis team tweeted 

Liquidity pools were NOT "completely drained".

Devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery.

More info to come. https://t.co/WOu7MMgSUM

— Osmosis 🧪 (@osmosiszone) June 8, 2022

In the meantime, the bug rendered the network vulnerable to multiple attacks. The Junonaut data further demonstrates how certain mischievous users repeatedly took advantage of the situation to drain funds from the Osmosis chain. 

Damage has been done where users started taking advantage of this process while it is prone to the snowball effect.

For example this address has repeatedly executed the bug for more than 30 minutes, IBC transferring ~75K $ATOM from Osmosis.https://t.co/Nb3qhhBngQ pic.twitter.com/f3cRhvBNF5

— Junønaut (@TheJunonaut) June 8, 2022

However, the team has recently announced that it has identified the bug and a patch has been written for the same. The Osmosis team will be further conducting additional tests before they restart the network. 

Update: The bug has been identified and a patch written.

More testing is underway before validators are recommended to coordinate a restart.

Full bug report and action plan for more thorough and proper end to end testing of chain upgrades to follow in coming days. https://t.co/DjJMOEQxrT

— Osmosis 🧪 (@osmosiszone) June 8, 2022

Image; Osmosis Zone/Twitter