Osmosis blockchain, which hosts a decentralized cryptocurrency exchange (DEX) in Cosmos cross-chain ecosystem, was halted as community activists unveiled a critical vulnerability.
Osmosis DEX bug alllowed to withdraw deposits with 3x premium
Today, June 8, 2022, crypto enthusiasts from the official Reddit community of an Osmosis blockchain identified a critical vulnerability. Some of them managed to deposit $5 and withdraw $15 immediately.
A critical bug has been found on $OSMO / @OsmosisZone which could have potentially drained all liquidity pools.— Junønaut (@TheJunonaut) June 8, 2022
It has been discovered after a post on the subreddits /r/CosmosNetwork and /r/OsmosisLab.
The chain was halted under immediate emergency to avoid further damage.
At around 3:00 p.m. UTC, users started to explore this bug en masse. Namely, the USDC-OSMO pool was affected. An initial estimation suggests that losses exceed $2.5 million before the network's team decided to halt the blockchain.
All operations were stopped at block #4713064 "for emergency maintenance." Most likely, the vulnerability occured in the v9 Nitrogen upgrade of Osmosis DEX codebase.
At 7:00 a.m. UTC, the team of the network confirmed that the attack occurred and unveiled that the protocol has been drained for almost $5 million. The attackers thus failed to siphon all liquidity from Osmosis DEX pools.
Patch released, new system testing underway
Just an hour ago, the protocol's team announced that the bug is fully identified and an emergency patch has been written. However, the exact timeline of network recovery is yet to be unveiled.
By press time, the team started closed testing of the blockchain; validators should be ready for the announcement of a restart coordination plan.
As estimated by the team, this may take a couple of days.
Decentralized cryptocurrency exchange Osmosis (OSMO) is one of the first mainstream projects of the Cosmos Hub. It was launched in mainnet in mid-February 2021; its team also pioneered "superliquid staking" concept.