Attackers Steal $5 Million From Osmosis In LP Theft, $2 Million Returned Soon After

Attackers took advantage of a bug in the Osmosis exchange to steal $5 million.

Osmosis, a decentralized exchange built on the Cosmos network, was shut down just before 3 a.m. ET on June 8 after attackers stole $5 million by exploiting a liquidity provider (LP) bug.

The bug was first identified in a Reddit post on the official Cosmos Network subreddit. User Straight-Hat3855 alerted the community to a “serious problem” with Osmosis (OSMO): anyone could grow an LP position by 50% simply by adding liquidity and then removing it. The Reddit post was quickly removed, but not before malicious actors exploited the bug, draining $5 million from liquidity pools on the Osmosis exchange.

According to an announcement from Osmosis block explorer Mintscan, the Osmosis exchange was halted at a block height of 4,713,064, following the exploit and identification of the LP bug.

Project moderator RoboMcGobo explained how the bug worked in a series of posts on the Osmosis Discord, describing how the flaw allowed attackers to add liquidity to any Osmosis LP and then immediately withdraw it for a 150 percent return on their initial deposit: “Essentially, the function would give 50% too many LP shares for a join,” RoboMcGobo wrote shortly after 4 p.m. on Wednesday, adding, “If one should have received 10 LP shares, 15 would be achieved out.”
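The mechanism RoboMcGobo describes can be followed in a toy two-asset pool. The model below is an added illustration written for this article, not Osmosis's GAMM module or any code from the project; it reproduces only the effect the moderator describes (a join mints 50% too many shares), not the real root cause. The pool figures, the `Pool`, `Join`, `Exit`, `DrainCycles` and `CheckJoinInvariant` names, and the post-join invariant check are all assumptions made here. It also goes slightly beyond the text: a single round trip pays out a little less than 150% because the extra shares dilute the pool, and repeating the round trip transfers the pool's reserves to the exploiter.

```go
package main

import (
	"errors"
	"fmt"
)

// Pool is a toy two-asset liquidity pool: reserves plus outstanding LP shares.
// Illustration for this article only, not Osmosis's pool implementation.
type Pool struct {
	ReserveA, ReserveB int64
	TotalShares        int64
}

// proportionalShares is the LP-share entitlement of a deposit: the smaller of the
// two proportional claims, rounded down (rounding in favour of the pool).
func (p *Pool) proportionalShares(amtA, amtB int64) int64 {
	sharesA := p.TotalShares * amtA / p.ReserveA
	sharesB := p.TotalShares * amtB / p.ReserveB
	if sharesA < sharesB {
		return sharesA
	}
	return sharesB
}

// Join deposits amtA/amtB and mints LP shares. With buggy=true it mints 50% too
// many, modelling the effect described in the article ("if one should have
// received 10 LP shares, 15 would be achieved out"); the real cause is not modelled.
func (p *Pool) Join(amtA, amtB int64, buggy bool) int64 {
	shares := p.proportionalShares(amtA, amtB)
	if buggy {
		shares = shares * 3 / 2 // assumed model of the over-mint, not the actual defect
	}
	p.ReserveA += amtA
	p.ReserveB += amtB
	p.TotalShares += shares
	return shares
}

// Exit burns shares and pays out the holder's pro-rata slice of both reserves.
func (p *Pool) Exit(shares int64) (int64, int64) {
	outA := p.ReserveA * shares / p.TotalShares
	outB := p.ReserveB * shares / p.TotalShares
	p.ReserveA -= outA
	p.ReserveB -= outB
	p.TotalShares -= shares
	return outA, outB
}

// CheckJoinInvariant is the post-condition a reviewer would want on any share-minting
// path (an assumed check for illustration, not one from the Osmosis code base): the
// minted shares' claim on the pool must not exceed the deposit's share of reserves,
// i.e. minted/TotalShares <= amt/Reserve for both assets, cross-multiplied to stay
// in integers.
func CheckJoinInvariant(after Pool, amtA, amtB, minted int64) error {
	if minted*after.ReserveA > amtA*after.TotalShares || minted*after.ReserveB > amtB*after.TotalShares {
		return errors.New("join minted more LP shares than the deposit's share of the reserves")
	}
	return nil
}

// DrainCycles performs n join-then-exit round trips, redepositing the whole payout
// each time, and returns the final holdings. With a correct join holdings never grow;
// with the flawed join they grow every cycle at the expense of the other LPs.
func DrainCycles(p *Pool, startA, startB int64, n int, buggy bool) (int64, int64) {
	heldA, heldB := startA, startB
	for i := 0; i < n; i++ {
		shares := p.Join(heldA, heldB, buggy)
		heldA, heldB = p.Exit(shares)
	}
	return heldA, heldB
}

func main() {
	// Constructed sample pool: 1,000,000 of each asset, 1,000,000 shares held by other LPs.
	pool := Pool{ReserveA: 1_000_000, ReserveB: 1_000_000, TotalShares: 1_000_000}
	for _, buggy := range []bool{false, true} {
		p := pool
		minted := p.Join(1000, 1000, buggy)
		err := CheckJoinInvariant(p, 1000, 1000, minted)
		outA, _ := p.Exit(minted)
		fmt.Printf("buggy=%v minted=%d invariant=%v payoutA=%d\n", buggy, minted, err, outA)
	}
	p := pool
	gotA, _ := DrainCycles(&p, 1000, 1000, 20, true)
	fmt.Printf("after 20 flawed round trips: exploiter holds %d A, pool reserve A is %d\n", gotA, p.ReserveA)
}
```

The invariant check is the practical takeaway: a single cross-multiplied comparison after every join would have rejected the over-minting transaction before any reserves moved, independent of which arithmetic path produced the wrong share count.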

According to RoboMcGobo, the bug was “exploited intentionally by a small number of users” and “apparently unintentionally by a few others.”

According to an Osmosis Twitter thread, four attackers were responsible for 95% of the total amount exploited, with two of the attackers voluntarily stepping forward to return stolen funds.

Approximately one hour after Osmosis’ tweet about the attack, FireStake, a validator in the Cosmos ecosystem, posted a Twitter thread admitting that “a temporary lapse in good judgment” had led two members of its team to exploit the bug to the tune of $2 million.

Explaining why they had kept exploiting the bug, FireStake told its 1,700 Twitter followers that the two were “thinking about [their] family’s future.” After “stressing through the night” about the event, they decided to voluntarily return the funds and “set things straight.”

The other two exploiters responsible for the theft, according to Osmosis co-founder Sunny Aggarwal, made a series of transactions to centralized exchanges, which Aggarwal believes will make it easier to track them down.

In the project’s Discord, RoboMcGobo said, “Funds have been linked to CEX accounts. The authorities have been notified… We’re hoping that the exploiters will do the right thing here and that no aggressive action is required.”
