Introduction
On June 8th, a critical bug was found on Osmosis that led to the theft of several million dollars from liquidity pools. Following the exploit, the Osmosis developers halted the network to prevent further damage. The Osmosis development team tweeted after discovering the security vulnerability:
Methodology
The upgrade that contained the exploited bug occurred at block height 4707300, and the chain was halted at block 4713064. Of those who took advantage of the exploit, 4 entities are responsible for over 95% of the realized exploit amount.
In this dashboard, we examine the behavior of these 4 exploiters.
But what bug did exploiters use?
If a user provided liquidity to Osmosis pools, that user could withdraw their deposit with a 50% interest rate without going through any bonding period.
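The analysis described above can be sketched as follows. This is an added example, not code from the dashboard or from Osmosis: it sums pool joins and exits per address between the two block heights given in the Methodology and flags addresses whose exits exceed their joins by roughly the 50% the bug allowed. The event tuples, the addresses, the single OSMO-denominated amount per event and the 1.4 threshold are all assumptions made for illustration.

```python
from collections import defaultdict

UPGRADE_HEIGHT = 4707300  # from the page: block of the upgrade containing the bug
HALT_HEIGHT = 4713064     # from the page: block at which the chain was halted
EXCESS_RATIO = 1.4        # assumed threshold, just under the 50% excess described

# Constructed sample events, not chain data: (block, address, action, OSMO value)
EVENTS = [
    (4706900, "osmo1old", "join", 1000.0),   # deposited before the upgrade
    (4707400, "osmo1old", "exit", 1010.0),   # ordinary exit of that older deposit
    (4707500, "osmo1aaa", "join", 100.0),
    (4707510, "osmo1aaa", "exit", 150.0),
    (4707520, "osmo1aaa", "join", 150.0),    # re-deposits the proceeds
    (4707530, "osmo1aaa", "exit", 225.0),
    (4708000, "osmo1bbb", "join", 40.0),
    (4708010, "osmo1bbb", "exit", 60.0),
    (4709000, "osmo1lp", "join", 500.0),
    (4709500, "osmo1lp", "exit", 501.0),     # normal LP: exit roughly equals join
    (4713100, "osmo1late", "exit", 999.0),   # after the halt height, ignored
]

def window_flows(events):
    """Sum joined and exited value per address between upgrade and halt."""
    flows = defaultdict(lambda: {"join": 0.0, "exit": 0.0})
    for block, addr, action, amount in events:
        if UPGRADE_HEIGHT <= block <= HALT_HEIGHT:
            flows[addr][action] += amount
    return dict(flows)

def classify(flows):
    """Split addresses into suspected exploiters and exits needing manual review."""
    suspects, review = {}, []
    for addr, f in flows.items():
        if f["join"] == 0:
            # Liquidity joined before the window: no in-window baseline to compare
            if f["exit"] > 0:
                review.append(addr)
        elif f["exit"] / f["join"] >= EXCESS_RATIO:
            suspects[addr] = f["exit"] - f["join"]  # net value drained
    return suspects, sorted(review)

def top_share(drained, n):
    """Fraction of the total drained amount attributable to the top n addresses."""
    total = sum(drained.values())
    return sum(sorted(drained.values(), reverse=True)[:n]) / total if total else 0.0

if __name__ == "__main__":
    print(classify(window_flows(EVENTS)))
```

Addresses that only exit inside the window are routed to review rather than flagged, because their deposit predates the upgrade and an exit-to-join ratio cannot be computed for them.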
In an effort to help provide the Osmosis team with important data, we’ve curated these flash bounties to surface metrics that the team has requested.
The chart below shows the amount of OSMO drained by exploiters.
In the following, the actions of each of these exploiters will be examined.
- Exploiter #1 pulled the most OSMO out of the pools.
- This address drained a total of 1.345M OSMO from the pools.
- The maximum amount of OSMO taken out of the pools by this address was 198.477k OSMO, on Jun 8, 2022 at 02:29:27.
- For the first time in this period, on June 8, 2022, at 01:09:10, 514 OSMO were drained from the pools.
Exploiter No. 2 gradually added OSMO to the pool several times and then withdrew the deposit with the added interest, repeating this process until it had drained more than 600k OSMO from the pool.
Similarly, the behavior of exploiter number 2 was repeated by exploiters number 3 and 4. Currently, the dollar price of the OSMO taken out of the pools by these addresses is equal to:
Examining the wallets of these addresses, we see that the value of the assets is insignificant in other wallets, except for exploiter number 1.