Osmosis Network, a decentralized finance (DeFi) protocol based on Cosmos, has been breached, with losses amounting to at least $5 million.
The Osmosis Network hack
There was a bug in the Osmosis Network, and a Reddit user pointed out in a post that anyone who deposits funds in the pool would gain an extra 50% when they remove the funds. Notably, the post has now been deleted.
Users rapidly began stealing funds, taking advantage of the situation. In one case, a user provided liquidity of 101,230 OSMO and made a 50% profit on it, exiting his position with 151,084 OSMO tokens. This process was repeated almost 30 times.
Validators of the Osmosis Network decided to report issues on Discord following the v9 Nitrogen upgrade, and the blockchain was halted to save the remaining liquidity on the decentralized exchange.
For the time being, the Osmosis DEX and its native wallet remain inoperative. According to the network’s official Twitter handle, “the software error that led to the chain halt was introduced in the latest Osmosis v9.0 update that went live yesterday.”
Transparency and open-communication is what makes the Osmosis community so much stronger than what came before.
The software error that led to the chain halt was introduced in the latest Osmosis v9.0 update that went live yesterday.
— Osmosis 🧪 (@osmosiszone) June 8, 2022
“Thankfully, the swift and decisive action taken by Osmosis validators and community members allowed the scope of exploitation to be relatively small. While the detailed calculation is still in progress, the total amount overdrawn is estimated at around $5M,” the network revealed.
Around one hour after Osmosis’ statement on the incident, FireStake, a validator in the Cosmos ecosystem, posted a Twitter thread revealing that two members of its staff had exploited the vulnerability to the extent of $2 million. Furthermore, all losses will be covered, and information on the recovery plan will be revealed soon. The Twitter post added that “the bug itself was simple, and involved the incorrect calculation of LP shares when adding and removing liquidity from pools. It should have been caught. It was painfully overlooked in internal testing that was focused on more advanced functionality related to the upgrade.”