Assets Removed From Osmosis
Osmosis, a popular cross-chain DEX in the Cosmos ecosystem, recently released a new upgrade: the Nitrogen Upgrade. Unfortunately, a critical bug was overlooked and pushed to mainnet. It allowed liquidity providers to easily steal liquidity from the pool. The exploit had the potential to drain all liquidity pools, but luckily the chain was halted before major damage was done. In this dashboard we take a closer look at what happened and at a few numbers regarding the exploit.
Cosmos Ecosystem
Cosmos is an ever-expanding ecosystem of interoperable and sovereign blockchain apps and services, built for a decentralized future. Chains built with the Cosmos SDK have access to IBC: "Inter-Blockchain Communication" which enables chains and apps to easily interact with each other.
Osmosis
On the first of June a governance proposal was made to apply a software upgrade to the network, the Nitrogen upgrade.
It was accepted and the upgrade was scheduled for block 4707300. Amongst all sorts of improvements and protocol upgrades, this update made changes to the GAMM API. GAMM tokens are the way Osmosis represents liquidity pool shares. When depositing liquidity into an LP (liquidity pool) you receive GAMM tokens in return. At a later point you can redeem those GAMM tokens to get back the pool share you put in.
The Exploit
A simple programming error was overlooked, with the result that you would gain 50% too many GAMM tokens (LP shares) when depositing funds into an LP. So if one should have received 10 LP shares, 15 would be handed out. Handing those GAMM tokens in for assets, you would also gain 50% more than you put in. This was exploited intentionally by a small number of individuals and seemingly unintentionally by a few others.
Emergency Chain Halt
Shortly after the exploit was publicly shared, the Osmosis validators halted their nodes to prevent further damage. The chain halt happened at block 4713064.
In the following we will look at how big an impact the exploit really had.
Methods
- DIM_LABELS for IBC <-> Symbol Mapping
- DIM_PRICES for Symbol <-> Price Mapping
  - For all USD values below, the average price between blocks 4707300 and 4713064 is used
- FACT_LIQUIDITY_PROVIDER_ACTIONS for IBC, amounts, pools and addresses
  - 50% of deposits are considered stolen due to the nature of the exploit
  - No matter if it was withdrawn during the exploit or after the chain restart, the same amount of "profit" has been made and will not be undone
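The methodology above, worked through on constructed data, as an added example that is not the dashboard's own query. In-memory lists stand in for the three tables; their column layout and the sample denoms, addresses, prices and amounts are assumptions.

```python
from collections import defaultdict

START_BLOCK, HALT_BLOCK = 4707300, 4713064  # upgrade and halt heights from the page

# Constructed sample rows standing in for the three tables; layout is assumed.
LABELS = {"uosmo": "OSMO", "ibc/SAMPLE-ATOM": "ATOM"}  # denom -> symbol
PRICES = [  # (block, symbol, usd)
    (4700000, "OSMO", 9.0),  # before the upgrade, ignored
    (4708000, "OSMO", 1.0),
    (4712000, "OSMO", 2.0),
    (4709000, "ATOM", 10.0),
]
ACTIONS = [  # (block, address, action, denom, amount in whole tokens)
    (4707500, "addr_a", "deposit", "uosmo", 1000.0),
    (4707600, "addr_a", "withdraw", "uosmo", 1500.0),
    (4707700, "addr_a", "deposit", "uosmo", 1500.0),
    (4708000, "addr_b", "deposit", "ibc/SAMPLE-ATOM", 20.0),
    (4709000, "addr_c", "deposit", "uosmo", 100.0),
    (4700100, "addr_c", "deposit", "uosmo", 999.0),  # before the upgrade, ignored
]

def avg_prices(prices, start, end):
    """Average USD price per symbol over the block window."""
    seen = defaultdict(list)
    for block, symbol, usd in prices:
        if start <= block <= end:
            seen[symbol].append(usd)
    return {symbol: sum(v) / len(v) for symbol, v in seen.items()}

def stolen_usd_by_address(actions, labels, prices, start=START_BLOCK, end=HALT_BLOCK):
    """Value 50% of every in-window deposit at the window's average price."""
    price = avg_prices(prices, start, end)
    stolen = defaultdict(float)
    for block, address, action, denom, amount in actions:
        if action != "deposit" or not (start <= block <= end):
            continue
        symbol = labels.get(denom)
        if symbol not in price:
            continue  # unlabelled or unpriced asset cannot be valued
        stolen[address] += 0.5 * amount * price[symbol]
    return dict(stolen)

def top_n_share(stolen, n):
    """Fraction of the total attributed to the n largest addresses."""
    total = sum(stolen.values())
    return sum(sorted(stolen.values(), reverse=True)[:n]) / total if total else 0.0

if __name__ == "__main__":
    result = stolen_usd_by_address(ACTIONS, LABELS, PRICES)
    print(result, round(top_n_share(result, 2), 3))
```

Withdrawals are deliberately not counted: under the stated method the gain is fixed at deposit time, whether or not the shares were redeemed before the halt.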
Let's start with an overview: how much, in terms of USD, has been moved and stolen?
We can confirm the ~$5M that has been estimated to be the stolen amount.
Let's put those values into context. Has there been an unusually high volume of liquidity movement while the exploit was usable?
We are only looking at OSMO volume here for simplicity. It is by far the most used asset, as all liquidity pools in Osmosis usually use OSMO for one side.
Findings
- There is a clear spike in liquidity volume while the LPs were exploitable
- A lot higher than the baseline but comparable to other spikes in May 2022
- The deposit volume is a new per-day high; the withdrawal volume ranks second
Breakdown Of Assets Remaining vs Taken Out
How much of the profit that exploiters made by depositing funds into liquidity pools has already been withdrawn? How much is left?
This shows only the raw amount of each asset, so it is of little use. As expected, BTC is very low and USDC very high.
Let's add the price to the picture:
Findings
- 90% of assets were stolen by just 2 addresses!
- 95% of assets were stolen by just 4 addresses!
Fun Fact
The address with the second most stolen funds (osmo1hq8tlgq0kqz9e56532zghdhz7g8gtjymdltqer) actually belongs to FireStake, an Osmosis validator. They did admit their actions and will return the funds, though.
- As you might expect the same addresses that make up most of the stolen volume also make up a large portion of the number of deposits.
- It is clear that many other liquidity providers are using the chain and intentionally or unintentionally profited from this exploit
Findings
- Most of the stolen funds have already left the liquidity pools (96.4%)
- To repeat the exploit you have to remove the funds, so this makes sense
Breakdown Per Asset
OSMO has the largest volume as it is used in all pools. All values except OSMO are directly comparable, as each represents one pool only. Therefore OSMO will not be mentioned in the following sections.