Cosmos-based DeFi Protocol Exploited for $5M, Devs Write Patch After Identifying Bug

The Cosmos-based DeFi protocol Osmosis Network was halted at block #4713064 on June 8th after a critical vulnerability was spotted in its liquidity pools. The exploit took place just two blocks before the halt.

  • The attack was first reported by a Reddit user who warned that anyone who deposited funds into an Osmosis pool would receive an extra 50% when withdrawing them. The post has since been deleted.
  • But users began exploiting the vulnerability soon after to steal funds from Osmosis.
  • In one case, a malicious entity provided liquidity of 101,230 OSMO and made a 50% profit after exiting the position a few seconds later with 151,084 OSMO tokens. They managed to repeat this process at least 30 times.
  • It was only after the validators started reporting issues on Discord following the v9 Nitrogen upgrade that an emergency halt was employed to save the remaining liquidity on the decentralized exchange.
  • As a result, the Osmosis DEX and its native wallet remain inoperative for the time being.
  • Without divulging more details on the exact nature of the vulnerability, the DeFi protocol said it had identified the bug and written a patch.
  • The devs are currently testing the patched protocol before recommending that validators restart the network.
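
The failure pattern above (deposit, then immediately withdraw for more than was put in) is exactly the kind of invariant that pre-upgrade end-to-end tests can check. The following is an added illustration, not Osmosis code: a simplified two-asset pool with LP shares (the names `Pool`, `Join`, `Exit` and `RoundTripSafe` are assumed) whose rounding always favours the pool, plus the round-trip check that a join followed by an exit never pays out more of either asset than was deposited.

```go
package main

import (
	"fmt"
	"math/big"
)

// Pool is a simplified two-asset pool with LP shares (illustrative, not Osmosis code).
type Pool struct {
	ReserveA, ReserveB, TotalShares *big.Int
}

// Join deposits amtA plus the proportional amount of B and mints shares.
// Rounding always favours the pool: B owed is rounded up, shares minted are rounded down.
func (p *Pool) Join(amtA *big.Int) (shares, amtB *big.Int) {
	amtB = new(big.Int).Mul(amtA, p.ReserveB)
	amtB.Add(amtB, new(big.Int).Sub(p.ReserveA, big.NewInt(1)))
	amtB.Div(amtB, p.ReserveA) // ceil(amtA * ReserveB / ReserveA)
	shares = new(big.Int).Mul(p.TotalShares, amtA)
	shares.Div(shares, p.ReserveA) // floor(TotalShares * amtA / ReserveA)
	p.ReserveA.Add(p.ReserveA, amtA)
	p.ReserveB.Add(p.ReserveB, amtB)
	p.TotalShares.Add(p.TotalShares, shares)
	return shares, amtB
}

// Exit burns shares and pays out the pro-rata reserves, rounded down.
func (p *Pool) Exit(shares *big.Int) (outA, outB *big.Int) {
	outA = new(big.Int).Mul(p.ReserveA, shares)
	outA.Div(outA, p.TotalShares)
	outB = new(big.Int).Mul(p.ReserveB, shares)
	outB.Div(outB, p.TotalShares)
	p.ReserveA.Sub(p.ReserveA, outA)
	p.ReserveB.Sub(p.ReserveB, outB)
	p.TotalShares.Sub(p.TotalShares, shares)
	return outA, outB
}

// RoundTripSafe is the invariant the incident violated: a join followed
// immediately by an exit must never pay out more of either asset than was put in.
func RoundTripSafe(p *Pool, amtA *big.Int) bool {
	shares, inB := p.Join(amtA)
	outA, outB := p.Exit(shares)
	return outA.Cmp(amtA) <= 0 && outB.Cmp(inB) <= 0
}

func main() {
	// Constructed sample pool; uneven reserves exercise the rounding paths.
	p := &Pool{ReserveA: big.NewInt(1_000_003), ReserveB: big.NewInt(777_777), TotalShares: big.NewInt(1_000_000)}
	for _, a := range []int64{1, 101230, 999_999} {
		fmt.Printf("deposit %d: round-trip safe = %v\n", a, RoundTripSafe(p, big.NewInt(a)))
	}
}
```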

“Update: The bug has been identified and a patch written. More testing is underway before validators are recommended to coordinate a restart. Full bug report and action plan for a more thorough and proper end to end testing of chain upgrades to follow in coming days.”

  • Later on, the team behind the protocol provided more information on what transpired, including admitting that $5 million was overdrawn and promising to return all lost funds.
  • Before giving more updates on the matter, the protocol will implement “multiple changes and upgrades to our security protocols to ensure the quality and safety of Osmosis.”