A breach was exploited overnight on the liquidity pools of the decentralized exchange (DEX) Osmosis (OSMO), yielding about $5 million for the attacker. The blockchain on which DEX is based was shut down, a patch was applied and internal testing is underway before validators restart the network.
Liquidity pools drained on Osmosis
Early this morning, a vulnerability was discovered on the liquidity pools of the decentralized exchange (DEX) Osmosis (OSMO) which relies on its own dedicated blockchain. The information, first revealed by a user on the Reddit platform (the post has since been deleted), was officially confirmed by Osmosis’ teams on Twitter.
In order to prevent further potential financial damage, the blockchain that supports DEX was shut down at block #4,713,064 according to Mintscan Explorer. However, a malicious user had time to exploit the flaw for their benefit.
According to Osmosis, the amount of the theft would be around $5 million. The thief’s transactions (visible on the block explorer) were finalized 2 blocks before the blockchain was shut down.
According to the latest release from the teams in charge of the protocol, the flaw has been identified and a patch has been applied accordingly. Internal tests are underway to verify if a similar flaw is not exploitable, and restart orders will then be communicated to the network validators in order to resume operations as soon as possible.
However, it is expected that a detailed report will be released in the next few days and a series of in-depth tests will be implemented by the technical teams on the blockchain in order to propose a possible update of the network.
The course of the attack
If the Reddit user who first reported the flaw is to be believed, the flaw was located directly at the liquidity pools themselves. According to his observation, if a DEX user contributed liquidity to a pool, he was able to withdraw an additional 50% of the liquidity, and this without any lock-in period for the funds.
The attacker thus multiplied transactions using this method. However, it could be that he discovered this method by pure chance.
According to the on-chain data, only 26 OSMO tokens (about $30 at the time of the attack) were added to the liquidity pool in the first transaction, which resulted in an initial profit of 13 additional OSMOs upon withdrawal.
The second transaction was much more substantial: the malicious user deposited 101,230 OSMO tokens (more than $116,000 at the time of the attack) into the pool, resulting in a gain of $58,207 in OSMOs.
He repeated the operation in a loop, each time with a larger amount, before transferring part of his tokens to another wallet from which he repeated the operation again. In total, about $5 million was siphoned off through this process.
The price of the OSMO token was impacted to a lesser extent, suffering a loss in value of around 7% over 24 hours. It is currently trading at $1.11, a far cry from its ATH (highest price) of $11.25 reached on March 4, 2022.