A Critical Bug Detected on Osmosis

On June 8, 2022, the Osmosis v9.0 update went live. As it turns out, it contained a critical bug. This bug could potentially drain all liquidity pools. As a result, the Osmosis team halted the chain, thus avoiding further damage.

Crypto Twitter was on the lookout. The Osmosis team took swift action and started damage control. So, let’s have a look at how all this played out.

A Bug Detected

Crypto Twitter user Junønaut mentioned this bug first in a thread. He calls himself a crusader of the Juno Network. To clarify, Junø is a DEX in the Cosmos ecosystem. He got his information from the Osmosis and Cosmos Reddit subreddits. So, let’s see what he has to say. (Find out more about Osmosis in our previous article.)

Reddit user Straight Hat was the first to report this. This was on June 8, 2022. He claims that you can add liquidity to any pool and gain an extra 50% when you remove it. Now, that is a serious bug indeed. However, he received a lot of flak, since initially nobody seemed to believe him. That is, until they started to try it out.

As a result, some users started to exploit this bug. Here’s a sample of one wallet that repeatedly joined a pool and exited.

[Image: Osmosis. Source: Twitter]

To take advantage of this bug and exploit it, you only needed to follow three simple steps.

  1. Add liquidity to a pool.
  2. Remove liquidity from the pool and receive 50% extra. No bonding needed.
  3. Rinse and repeat.

After the v9.0 update was installed on June 8, 2022, validators started to mention issues. This resulted in the chain being halted. By doing so, Osmosis could save the remaining liquidity on the DEX.

So, this puts the ball in the hands of the Osmosis team. Let’s see what they came up with.

The Osmosis Team Reacts

The first thing Osmosis mentions in a tweet is that the bug did not drain all pools. However, there is a bug and the devs are in damage control mode. The size of the losses is around $5 million. They are now in full recovery mode. More to follow. This tweet came around two hours after the Junønaut tweet.

Another two hours later, a new tweet mentioned that they identified the bug. They also wrote a patch to fix it. Now they start testing before validators can start up their nodes again. They also start to work on a full bug report. There’s also talk of an action plan for the coming days. This calls for more thorough and proper end-to-end testing of chain upgrades.

The next update takes a few hours. However, it is an interesting update.

  • The Osmosis team identified four persons. These four accounts account for 95% of the exploited amount.
  • Two of the persons will refund the exploited amount.
  • The other two persons made transactions to and from CEXes.
  • The exchanges have received information accordingly. The team asked them to assist them in identifying the exploiters. The next step is to potentially recover the funds. 
  • Osmosis also called law enforcement. This is for further investigations.
  • However, they prefer proactive cooperation. 
  • Work is in progress for restarting the chain.

What Is the Most Recent Update?

The most recent update on Twitter is just a few hours old. Here are some highlights.

  • The core team has been on the ball. They are dealing with the situation.
  • The latest Osmosis v9.0 update, which went live on June 8, has the software error. This led to halting the chain.
  • The Osmosis validators and community members alerted everyone. As a result, they could control and contain the damage.
  • The exploiters took around $5 million.
  • Osmosis guarantees that they will cover all losses.
  • They aim to do this by recovering the funds.
  • Information on a recovery is in the making.
  • Only a small number of wallets took the bulk of the exploited funds. Osmosis expects a high recovery rate from these wallets.

About the bug, the Osmosis team said, “The bug itself was simple. It involved incorrect calculation of LP shares when adding and removing liquidity from pools.

It should have been caught. It was painfully overlooked in internal testing. That was focused on more advanced functionality related to the upgrade.”

They state that the Osmosis development team takes full responsibility. Hence, the strategic reserve, not the community, takes responsibility for any lost funds. They realize that their security process for upgrades didn’t work. In short, they will try to avoid such a situation happening again.
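The join-then-exit steps and the team's description of the bug both point to one regression check: a round trip through a pool must never pay out more than was put in. The Go sketch below is an added example, not Osmosis code. It assumes a simplified, non-empty single-asset pool, and `Pool`, `ShareFn`, `OverMintingShares` and the sample numbers are constructed for illustration.

```go
package main

import "fmt"

// Pool is a simplified single-asset pool (hypothetical model, not Osmosis code).
type Pool struct {
	Reserve     uint64 // tokens held by the pool
	TotalShares uint64 // LP shares outstanding
}

// ShareFn returns the LP shares to mint for a deposit into p.
type ShareFn func(p Pool, deposit uint64) uint64

// ProportionalShares mints shares pro rata to the deposit, rounding down.
func ProportionalShares(p Pool, deposit uint64) uint64 {
	return deposit * p.TotalShares / p.Reserve
}

// OverMintingShares is a constructed defect that mints 50% too many shares.
// It reproduces the reported symptom only; it is not the actual Osmosis bug.
func OverMintingShares(p Pool, deposit uint64) uint64 {
	return ProportionalShares(p, deposit) * 3 / 2
}

// RoundTrip joins with deposit, then exits pro rata with every minted share.
func RoundTrip(p Pool, deposit uint64, mint ShareFn) uint64 {
	shares := mint(p, deposit)
	p.Reserve += deposit
	p.TotalShares += shares
	return shares * p.Reserve / p.TotalShares
}

// CheckNoProfit returns the first deposit whose join-then-exit round trip
// pays out more than was put in, or (0, true) if none does.
func CheckNoProfit(p Pool, mint ShareFn, deposits []uint64) (uint64, bool) {
	for _, d := range deposits {
		if RoundTrip(p, d, mint) > d {
			return d, false
		}
	}
	return 0, true
}

func main() {
	pool := Pool{Reserve: 1_000_000, TotalShares: 500_000} // constructed sample
	deposits := []uint64{1, 10, 1_000, 250_000, 1_000_000}
	fmt.Println(CheckNoProfit(pool, ProportionalShares, deposits))
	fmt.Println(CheckNoProfit(pool, OverMintingShares, deposits))
}
```

Run against every share-calculation path as part of upgrade testing, a check of this shape fails as soon as a join mints more shares than the deposit justifies.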

As a result, a testing process is underway. This allows the Osmosis v10 code base to restart the chain. However, they expect this to take until June 11.

The focus now is on short-term recovery of funds. Strengthening security and restarting the chain are also part of this. Thereafter, a more in-depth analysis can start.

Conclusion

Just as we saw with the recent swift action of the Maiar team on Cosmos, this Cosmos team was also on the ball. The Osmosis team took immediate action and thus managed to lessen the impact of the exploit. They isolated and fixed the bug swiftly. Another point that is great to see is their communication with the community. Open, frank, and looking for solutions. That is great to see. 
