Osmosis Network Halted, as It Suffers $5 Million Exploit

^(Source)

Evening

Osmosis a popular blockchain on Cosmos network got halted today, due to a bug that caused draining of approximately $5 million worth funds from liquidity pool of its largest dex. As per Mintscan, Osmosis was stopped at block height of 4,713,064 at 02:49 UTC following the discovery of a critical bug.

Latter on Osmosis tweeted, confirming the exploit and saying liquidity pools were not drained completely. They added that the devs are working to access the losses and fixing the bug to restart the network.

The bug was brought to light by a reddit user who warned developers of the criticality. Apparently the bug would cause anyone to withdraw from liquidity pool 50% more than their initial deposit without any locking period.

A user started the exploit by making a test transaction. 26 OSMO were deposited into LP generating a 13 OSMO profit for perpetrator. And 30 seconds latter 101,230 OSMO went into LP, and the exploiter pocketed 151,084 OSMO profit. The whole thing was repeated 30 times making the hacker 70,000 ATOM(swapped from OSMO) worth $600,000 profit. The hacker also transferred his earnings to other accounts and continued exploiting the bug in LP, thereby draining it.

Exact amount of funds drained from LP is still unknown, but it is estimated that the losses may mount up to $5 Millon. As the dev became aware of the exploit they halted the dex to stop the bleeding and are currently working on a patch so that network can be restarted.

Osmosis exploits might be small in comparison to previous mega hacks we have seen so far this year, but it is a reminder that defi space is still young and do comes with a certain level of risks. Its also indicates that even highly reputed defi contracts(like Osmosis) can fall prey to exploits if debugging isn't done with proper due diligence.