Cosmos (ATOM): Osmosis DEX (OSMO) shut down after $5m breach

by Tim

A flaw in the liquidity pools of the decentralised exchange (DEX) Osmosis (OSMO) was exploited overnight, yielding about $5 million for the attacker. The blockchain on which the DEX is based has been shut down, a patch has been applied and internal testing is underway before validators restart the network.

Liquidity pools drained on Osmosis

Early this morning, a flaw was discovered in the liquidity pools of the decentralised exchange (DEX) Osmosis (OSMO), which relies on its own dedicated blockchain. The information, first revealed by a user on the Reddit platform (the post has since been deleted), has been officially confirmed by Osmosis teams on Twitter.

In order to prevent further financial damage, the blockchain supporting the DEX was shut down at block 4,713,064, according to the Mintscan explorer. However, a malicious user had time to exploit the flaw for their own benefit.

According to Osmosis, the value of the theft is around $5 million. The thief’s transactions (visible on the block explorer) were finalised 2 blocks before the blockchain was shut down.

According to the latest release from the teams in charge of the protocol, the flaw has been identified and a patch has been applied accordingly. Internal tests are underway to check that no similar flaw is exploitable, and restart orders will then be communicated to the network validators so that operations can resume as soon as possible.

However, it is expected that a detailed report will be released in the next few days and a series of in-depth tests will be carried out by the technical teams on the blockchain in order to propose a possible update of the network.

The course of the attack

According to the Reddit user who first reported the flaw, it was located in the liquidity pools themselves. According to his observation, a DEX user who contributed liquidity to a pool was able to withdraw 50% more than he had put in, without any lock-in period for the funds.

The attacker then ran a growing number of transactions using this method. However, it is possible that he discovered this method by pure chance.

Indeed, according to on-chain data, only 26 OSMO tokens (about 30 dollars at the time of the attack) were added to the liquidity pool in the first transaction, resulting in an initial profit of 13 additional OSMOs upon withdrawal.

The second transaction was much larger: the malicious user deposited 101,230 OSMO tokens (over $116,000 at the time of the attack) into the pool, resulting in a profit of $58,207 in OSMOs.

He then repeated the operation over and over again, each time with a larger amount, before transferring some of his tokens to another wallet from which he repeated the operation again. In total, approximately $5 million was siphoned off through this process.
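As an added illustration (not code from Osmosis or from the original article), the sketch below shows a monitor that would flag the pattern described above: an address taking noticeably more out of a pool than it put in shortly before. The event schema, addresses, tolerance and block window are assumptions, and the sample events are constructed; the first pair mirrors the 26 OSMO deposit and 13 OSMO gain reported above.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample events, not real chain data. Assumed simplified schema:
# (block_height, address, pool_id, action, amount_in_OSMO)
SAMPLE_EVENTS = [
    (100, "addr_a", 1, "join", Decimal("26")),
    (101, "addr_a", 1, "exit", Decimal("39")),     # 26 in, 13 extra out
    (102, "addr_b", 1, "join", Decimal("500")),
    (103, "addr_a", 1, "join", Decimal("1000")),
    (103, "addr_a", 1, "exit", Decimal("400")),    # partial exit, still below deposit
    (104, "addr_a", 1, "exit", Decimal("1100")),   # cumulative 1500 out vs 1000 in
    (140, "addr_b", 1, "exit", Decimal("499.2")),  # ordinary exit, slightly below deposit
]

def _new_position():
    return {"in": Decimal(0), "out": Decimal(0), "since": None}

def find_overdrawn_exits(events, tolerance=Decimal("0.02"), window=50):
    """Flag exits where an address has withdrawn more than it deposited
    (beyond `tolerance`) within `window` blocks of opening the position."""
    positions = defaultdict(_new_position)
    alerts = []
    # sorted() is stable, so events in the same block keep their listed order.
    for height, addr, pool, action, amount in sorted(events, key=lambda e: e[0]):
        pos = positions[(addr, pool)]
        if action == "join":
            if pos["since"] is None:
                pos["since"] = height
            pos["in"] += amount
            continue
        pos["out"] += amount
        # Exits with no observed join are skipped: the position may predate monitoring.
        recent = pos["since"] is not None and height - pos["since"] <= window
        if recent and pos["out"] > pos["in"] * (1 + tolerance):
            alerts.append({
                "height": height,
                "address": addr,
                "pool": pool,
                "ratio": pos["out"] / pos["in"],
            })
        if pos["out"] >= pos["in"]:
            positions[(addr, pool)] = _new_position()  # position closed, start fresh
    return alerts

if __name__ == "__main__":
    for alert in find_overdrawn_exits(SAMPLE_EVENTS):
        print(alert)
```

The block window keeps long-held positions, whose value can legitimately grow through fees and price movement, from being flagged.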

The price of the OSMO token was impacted to a lesser extent, suffering a loss in value of around 7% over 24 hours. It is currently trading at $1.11, a far cry from its ATH (highest price) of $11.25 reached on March 4, 2022.
