Osmosis Network, a DeFi protocol on the Cosmos blockchain, went offline on June 8 at block #4713064 after a vulnerability in its liquidity pools was detected. In the short window before the halt, attackers drained nearly $5 million worth of tokens.
Details of the Attack
A Redditor was the first to report the problem, warning Osmosis Network users that they would receive 50% more than they deposited by adding liquidity to a pool and then removing it again. The post has since been taken down, but by then users had begun exploiting the bug to drain funds.
In one instance, a malicious entity provided 101,230 OSMO of liquidity and removed it shortly afterwards, making a 50% profit. The entity repeated this 30 times within a short period, with the profit growing on each round because each withdrawal was larger than the one before.
Validators then began to report issues on Discord following the V9 Nitrogen upgrade, and an emergency halt was implemented to preserve the remaining liquidity. As a result, the Osmosis DEX and its native wallet have been offline since.
The developers did not reveal many details of the attack, but said they had identified the bug and prepared a patch. They are testing it before recommending that validators restart the network, and plan to release a full bug report in the coming days.
$5 Million Lost
The team later released more details, including an admission that $5 million had been lost to the attackers. They promised to refund everything, and said they would implement changes and updates to their security processes to ensure Osmosis was safe.
New Details Emerge
About an hour after Osmosis Network revealed how much was lost, FireStake, a validator in the Cosmos ecosystem, came clean about its role in the loss of funds: two members of its staff had exploited the vulnerability and made $2 million from their efforts.
The validator added that all losses would be covered and that a recovery plan would be released soon. According to FireStake, the bug itself was simple: a miscalculation of LP shares when adding or removing liquidity from a pool. They added: “It should have been caught. It was painfully overlooked in internal testing that was focused on more advanced functionality related to the upgrade.”
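To make that bug class concrete, here is an added illustration in Go, the language Cosmos chains such as Osmosis are written in. It is example code written for this article, not Osmosis code, and its `ExitBuggy` is a hypothetical LP-share miscalculation, not a reconstruction of the actual Osmosis bug, which this page does not show. The example has a minimal two-asset pool with pro-rata shares, a correct exit that pays out against the share supply as it stands before the burn, a hypothetical exit that divides by the supply left after the burn, and the round-trip invariant check that internal testing should have run: joining a pool and immediately exiting must never return more than was deposited. `Drain` repeats the round trip with the whole running balance, as the attacker described above did 30 times, to show the gain compounding. All pool sizes and deposit amounts are constructed for the example.

```go
package main

import (
	"errors"
	"math/big"
)

// Pool is a minimal two-asset pool with pro-rata LP shares, constructed for this example (not Osmosis code).
type Pool struct{ ReserveA, ReserveB, TotalShares uint64 }

// ExitFn lets the same invariant check run against either exit implementation.
type ExitFn func(p *Pool, shares uint64) (outA, outB uint64, err error)

// mulDiv returns floor(a*b/c) via big.Int so the product cannot overflow; c must be non-zero.
func mulDiv(a, b, c uint64) uint64 {
	n := new(big.Int).Mul(new(big.Int).SetUint64(a), new(big.Int).SetUint64(b))
	return n.Quo(n, new(big.Int).SetUint64(c)).Uint64()
}

// Join deposits both assets and mints shares pro rata, rounding down so rounding always favours the pool.
func (p *Pool) Join(amountA, amountB uint64) (uint64, error) {
	if amountA == 0 || amountB == 0 {
		return 0, errors.New("join: both amounts must be positive")
	}
	if p.TotalShares == 0 { // bootstrap: the first depositor sets the share scale
		p.ReserveA, p.ReserveB, p.TotalShares = amountA, amountB, amountA
		return amountA, nil
	}
	if p.ReserveA == 0 || p.ReserveB == 0 {
		return 0, errors.New("join: pool has been drained")
	}
	// Mint against the scarcer side so a lopsided deposit cannot over-claim.
	shares := mulDiv(amountA, p.TotalShares, p.ReserveA)
	if b := mulDiv(amountB, p.TotalShares, p.ReserveB); b < shares {
		shares = b
	}
	if shares == 0 {
		return 0, errors.New("join: deposit too small to mint a share")
	}
	p.ReserveA, p.ReserveB, p.TotalShares = p.ReserveA+amountA, p.ReserveB+amountB, p.TotalShares+shares
	return shares, nil
}

// ExitCorrect burns shares and pays out against reserves and share supply as they stand BEFORE the burn.
func (p *Pool) ExitCorrect(shares uint64) (outA, outB uint64, err error) {
	if shares == 0 || shares > p.TotalShares {
		return 0, 0, errors.New("exit: invalid share amount")
	}
	outA = mulDiv(shares, p.ReserveA, p.TotalShares)
	outB = mulDiv(shares, p.ReserveB, p.TotalShares)
	p.ReserveA, p.ReserveB, p.TotalShares = p.ReserveA-outA, p.ReserveB-outB, p.TotalShares-shares
	return outA, outB, nil
}

// ExitBuggy is a HYPOTHETICAL miscalculation (not a reconstruction of the Osmosis code): it divides by
// the share supply left AFTER the burn, so the exiting holder is paid as if they owned a larger fraction.
func (p *Pool) ExitBuggy(shares uint64) (outA, outB uint64, err error) {
	if shares == 0 || shares >= p.TotalShares {
		return 0, 0, errors.New("exit: invalid share amount")
	}
	remaining := p.TotalShares - shares
	outA = mulDiv(shares, p.ReserveA, remaining) // wrong denominator
	outB = mulDiv(shares, p.ReserveB, remaining) // wrong denominator
	if outA > p.ReserveA || outB > p.ReserveB {
		return 0, 0, errors.New("exit: pool cannot cover payout")
	}
	p.ReserveA, p.ReserveB, p.TotalShares = p.ReserveA-outA, p.ReserveB-outB, remaining
	return outA, outB, nil
}

// Drain repeats join-then-exit with the whole running balance (equal in A and B, against a symmetric
// pool), returning the per-round gain in A and the final balance; it stops once the pool cannot pay.
func Drain(p *Pool, balance uint64, rounds int, exit ExitFn) (gains []int64, final uint64) {
	for i := 0; i < rounds; i++ {
		shares, err := p.Join(balance, balance)
		if err != nil {
			break
		}
		outA, _, err := exit(p, shares)
		if err != nil {
			break
		}
		gains = append(gains, int64(outA)-int64(balance))
		balance = outA
	}
	return gains, balance
}

// RoundTripGain is the invariant check: join with `amount` of each asset and immediately exit, on a
// copy of the pool. For a correct pool the result is never positive; rounding can only lose dust.
func RoundTripGain(p Pool, amount uint64, exit ExitFn) (int64, error) {
	gains, _ := Drain(&p, amount, 1, exit)
	if len(gains) == 0 {
		return 0, errors.New("round trip could not be completed")
	}
	return gains[0], nil
}
```

With the constructed numbers, a 500,000 deposit into a 1,000,000 pool round-trips to exactly 500,000 through `ExitCorrect` and to 750,000 through `ExitBuggy`; the 50% excess here follows from the chosen pool size, not from anything known about the Osmosis code. Four repeated round trips against a 10,000,000 pool return a larger gain on every round, which is the compounding behaviour described above. A check like `RoundTripGain` costs a few lines in a unit test, can be run as a property test over random deposit sizes, and is exactly the kind of basic invariant that FireStake says the upgrade's testing overlooked.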
However, FireStake did not say whether the staff members involved would face any consequences. So far, the authorities have not indicated whether they will be involved in the recovery efforts, and no timeline has been given for compensating those caught up in the exploit.
Winning Back Trust
In the competitive DeFi space, a single mishap can cost a protocol its position at the top. While Osmosis Network will likely recover from this incident, it may struggle to win over new participants, and competing protocols will no doubt benefit from the development team's misstep.