Cosmos-based DeFi protocol Osmosis Network was halted at block #4713064 on June 8th after a critical vulnerability was spotted in its liquidity pools. The exploit took place just two blocks before the halt.
- The attack was first reported by a Reddit user who warned that a customer depositing funds into an Osmosis pool would gain an extra 50% when removing them. The post has since been deleted.
- But users began exploiting the vulnerability soon after to steal funds from Osmosis.
- In one case, a malicious entity provided liquidity of 101,230 OSMO and made a 50% profit after exiting the position a few seconds later with 151,084 OSMO tokens. They managed to repeat this process at least 30 times.
- It was only after the validators started reporting issues on Discord following the v9 Nitrogen upgrade that an emergency halt was employed to save the remaining liquidity on the decentralized exchange.
- As a result, the Osmosis DEX and its native wallet remain inoperative for the time being.
- Without divulging more details on the exact nature of the vulnerability, the DeFi protocol said it had identified the bug and written a patch.
- The devs are currently testing the protocols before recommending that the validators restart the network.
“Update: The bug has been identified and a patch written. More testing is underway before validators are recommended to coordinate a restart. Full bug report and action plan for a more thorough and proper end to end testing of chain upgrades to follow in coming days.”
- Later on, the team behind the protocol provided more information on what transpired, admitting that $5 million was overdrawn and promising to return all lost funds.
- Before giving more updates on the matter, the protocol will implement “multiple changes and upgrades to our security protocols to ensure the quality and safety of Osmosis.”