Validator FireStake acknowledges its members' involvement in the Osmosis exchange bug that resulted in a $5M exploit.
Osmosis is a decentralized exchange (DEX) built on the Cosmos network. It was halted just before 3:00 a.m. EST on Wednesday morning after attackers exploited a liquidity provider (LP) bug for approximately $5 million.
The bug was first reported by Straight-Hat3855 in a Reddit post on the official Cosmos network subreddit, which flagged a “serious issue” in Osmosis. The bug allowed users to arbitrarily increase their LP position by as much as 50% simply by adding and then removing liquidity. Although the Reddit post was removed quickly, malicious actors exploited the bug to drain approximately $5 million from Osmosis’ liquidity pools.
Once the exploit and the LP bug were identified, the Osmosis chain was halted at a fixed block height, according to Mintscan, the Osmosis block explorer.
RoboMcGobo explained the bug in a series of posts in the Osmosis Discord. He said that the flaw allowed attackers to add liquidity to any Osmosis LP and then withdraw it immediately for a 150% return.
RoboMcGobo stated that the bug was exploited intentionally by a handful of users and, seemingly unintentionally, by a few others. Two of the attackers have voluntarily offered to return the stolen funds.
FireStake, a Cosmos ecosystem validator, published a Twitter thread announcing that two of its members had exploited the bug for approximately $2 million. The thread went up about an hour after Osmosis tweeted about the attack.
FireStake told its 1,700 Twitter followers that the two had been thinking about the future of their family when they exploited the bug. After admitting that they had been “stressing throughout the night” over the event, FireStake decided to return the funds and “set the record straight.”
According to Osmosis co-founder Sunny Aggarwal, the two other attackers involved in the theft sent funds to centralized exchanges, which he believes will make them easier to track down.
RoboMcGobo echoed Aggarwal’s comments in the project’s Discord: “Funds have also been linked to CEX accounts. We have notified law enforcement… we are hopeful that the exploiters will do right here so that aggressive actions will not be required.”