Osmosis is the latest to suffer a loss, to the tune of $5 million, after hackers exploited a liquidity provider (LP) bug. The incident began when a user, Straight-Hat3855, posted about the vulnerability on Reddit. The user said there was a serious problem with Osmosis that allowed users to grow their LP positions by 50% just by adding and removing liquidity.
The Reddit post was removed quickly, but it had already caught the attention of malicious actors, who took advantage and struck. In total, $5 million was drained from the liquidity pools on the Osmosis exchange. The exploitation halted the platform at block height 4,713,064.
RoboMcGobo, a project moderator, had detailed the flaw in a series of posts in the Osmosis Discord. He outlined how the vulnerability allowed hackers to add liquidity to any Osmosis LP and immediately withdraw it for a 150% return on their initial deposit. The project moderator wrote that the join function would give 50% too many LP shares: if a user should have received 10 LP shares, 15 were handed out.
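The flaw described above is a round-trip invariant violation: joining and immediately exiting a pool should never return more than was deposited. The following is an added illustration, not Osmosis code; it is a constructed toy proportional-join pool in which an assumed `share_factor` models the "50% too many shares" behaviour, together with the kind of round-trip check a test suite could run to catch such a bug before deployment.

```python
from fractions import Fraction

# Constructed toy model of a multi-asset liquidity pool with proportional
# joins. Nothing here is Osmosis's own code; `share_factor` is an assumed
# knob that reproduces the "50% too many shares" symptom when set to 1.5.
class ToyPool:
    def __init__(self, reserves, total_shares, share_factor=Fraction(1)):
        self.reserves = {a: Fraction(r) for a, r in reserves.items()}
        self.total_shares = Fraction(total_shares)
        self.share_factor = Fraction(share_factor)

    def join(self, deposit):
        # Proportional join: shares minted = total_shares * deposit / reserve,
        # using the smallest ratio across assets (excess is ignored for brevity).
        ratio = min(Fraction(amt) / self.reserves[a] for a, amt in deposit.items())
        minted = self.total_shares * ratio * self.share_factor  # bug lives here
        for a, amt in deposit.items():
            self.reserves[a] += Fraction(amt)
        self.total_shares += minted
        return minted

    def exit(self, shares):
        # Burn shares and pay out the proportional slice of every reserve.
        frac = Fraction(shares) / self.total_shares
        payout = {a: r * frac for a, r in self.reserves.items()}
        for a, amt in payout.items():
            self.reserves[a] -= amt
        self.total_shares -= Fraction(shares)
        return payout

def round_trip_return(pool, deposit):
    """Join then immediately exit; return payout/deposit per asset."""
    minted = pool.join(deposit)
    payout = pool.exit(minted)
    return {a: payout[a] / Fraction(amt) for a, amt in deposit.items()}

def round_trip_violates_invariant(pool, deposit):
    """Invariant check: an immediate join/exit must not pay out more than deposited."""
    return any(ret > 1 for ret in round_trip_return(pool, deposit).values())

if __name__ == "__main__":
    reserves = {"OSMO": 1000, "ATOM": 1000}  # constructed sample reserves
    deposit = {"OSMO": 1, "ATOM": 1}
    ok = ToyPool(reserves, 100)
    buggy = ToyPool(reserves, 100, share_factor=Fraction(3, 2))
    print("correct pool return:", {a: float(v) for a, v in round_trip_return(ok, deposit).items()})
    print("buggy pool return:  ", {a: float(v) for a, v in round_trip_return(buggy, deposit).items()})
```

With a deposit that is small relative to the pool, the buggy variant returns just under 150% of the deposit, matching the behaviour the moderator described, while the correct variant returns exactly 100%.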
The moderator pointed out that the bug was exploited intentionally by a small number of users and unintentionally by a few others. According to a Twitter thread from Osmosis, four attackers were responsible for 95% of the total exploited amount. Two of them voluntarily stepped forward to return the stolen funds.
Firestake, a validator in the Cosmos ecosystem, admitted in a tweet that a temporary lapse in judgment led two members of its team to exploit the bug, costing the exchange roughly $2 million. It said they were thinking about their families' futures when they continued to exploit the bug, but decided to voluntarily return the funds after stressing through the night.