Osmosis DEX exploited for $5m due to a critical bug

The bug allowed users to receive back 50% more tokens than initially deposited when they instantly withdrew liquidity after adding it to the pool.

The bug was discovered after a post on the subreddits /r/CosmosNetwork and /r/OsmosisLab by the community member dubbed “Straight-Hat3855.” Initially, other Redditors doubted the claim but quickly found out that the exploit was real after depositing and withdrawing funds.

Just twelve minutes after the post by Straight-Hat3855, Osmosis blockchain validators coordinated an emergency halt to prevent the exchange's entire liquidity from being drained. However, some users managed to take unfair advantage of the bug, draining about $5 million of the exchange's $212.77 million in total value locked. One address repeatedly executed the exploit for more than 30 minutes, withdrawing 75k ATOM tokens from Osmosis.

In an update posted to Twitter, the official Osmosis account wrote that liquidity pools were not “completely drained.” At the same time, it assured that “devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery.”

“The bug has been identified and a patch written,” Osmosis added later, explaining that more testing is underway before the blockchain is restarted. It also mentioned that a full bug report and action plan would be coming soon.

Osmosis is a decentralized peer-to-peer PoS blockchain hosting its own like-named decentralized exchange. Osmosis is a part of the Cosmos (ATOM) ecosystem, being its second-largest blockchain in terms of TVL. Following the news on the exploit, the OSMO token has lost 15%, dropping from $1.24 to $1.06 at the time of writing.