Jun 09, 2022 Frank Stewskid

Osmosis Chain to remain halted, four of the exploiters have been identified

Hours after the Osmosis Chain was halted to prevent further loss of funds from the newly discovered liquidity pools exploit, the bug was identified and a patch for it was released. Although no detailed technical information about the vulnerability has been shared yet, the Osmosis team urged validators to wait before coordinating a restart of the network until testing of the upgrade is finished.

Hours later, the Osmosis team released an update on Twitter, announcing that four individuals, accounting for 95% of the realized exploit amount, have been identified. Two of them apparently had transactions to or from centralized exchanges, which have already been contacted with the goal of identifying the exploiters and recovering the stolen funds. The remaining two were said to have “proactively expressed intent to return the exploited amount in full”.

Around the time of the announcement, FireStake, a professional staking service for delegators in the Cosmos ecosystem that currently validates ten Cosmos chains, admitted that two members of its team went on to test whether the bug existed, which “grew into a temporary lapse of good judgment” and resulted in $226 being converted into around $2 million.

According to FireStake, the exploiters “stressed throughout the night”, which led them to start working closely with the Osmosis team on returning the stolen funds as soon as possible. While admitting to the malicious act was seen as honourable by the Osmosis and FireStake communities, many expressed concerns over the trustworthiness of FireStake as a validator service. Some went on to suggest that the exploiters only admitted their acts because they had been caught by the Osmosis team; however, that was debunked by Sunny Aggarwal, co-founder of Osmosis, who said in answer to a community member’s question that the FireStake team “stepped forward themselves”.

Osmosis’ latest Twitter thread regarding the incident states that it was caused by an incorrect calculation of LP shares when adding and removing liquidity from pools. The vulnerability was introduced in the newest Osmosis v9.0 update, released the previous day. While Osmosis developers take full responsibility for the exploit, the team stated that they will be implementing multiple changes to their security protocols in the future.
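The thread gives no technical detail beyond "incorrect calculation of LP shares", so the following is an added illustration, not Osmosis code and not the actual bug: a hypothetical toy pool with proportional join and exit, plus the round-trip invariant (join, then immediately exit, must never pay out more than was deposited) that a share-accounting error of this kind would violate and that a pool's test suite should check.

```go
package main

import "math/big"

// Pool is a toy two-asset pool (hypothetical, not the Osmosis gamm module).
type Pool struct {
	Balances    []*big.Int
	TotalShares *big.Int
}

// JoinPool credits a deposit with totalShares*deposit_i/balance_i per asset, rounded
// down, and mints the minimum so the joiner never gets more than a pro-rata claim.
func (p *Pool) JoinPool(deposit []*big.Int) *big.Int {
	var minted *big.Int
	for i, d := range deposit {
		s := new(big.Int).Mul(p.TotalShares, d)
		s.Quo(s, p.Balances[i]) // floor: rounding favours the pool, not the joiner
		if minted == nil || s.Cmp(minted) < 0 {
			minted = s
		}
	}
	for i, d := range deposit {
		p.Balances[i].Add(p.Balances[i], d)
	}
	p.TotalShares.Add(p.TotalShares, minted)
	return minted
}

// ExitPool burns shares and pays out balance_i*shares/totalShares, rounded down.
func (p *Pool) ExitPool(shares []*big.Int) []*big.Int { return nil }

// RoundTripSafe joins with deposit, exits with the minted shares and reports whether
// every asset came back at or below the deposit: the invariant a share bug breaks.
func RoundTripSafe(p *Pool, deposit []*big.Int) bool {
	for i, a := range p.Exit(p.JoinPool(deposit)) {
		if a.Cmp(deposit[i]) > 0 {
			return false
		}
	}
	return true
}

// Exit is the real exit path used above: burn shares, pay out pro rata, rounded down.
func (p *Pool) Exit(shares *big.Int) []*big.Int {
	out := make([]*big.Int, len(p.Balances))
	for i, b := range p.Balances {
		out[i] = new(big.Int).Mul(b, shares)
		out[i].Quo(out[i], p.TotalShares)
		b.Sub(b, out[i])
	}
	p.TotalShares.Sub(p.TotalShares, shares)
	return out
}
```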

The Osmosis team once again confirmed that they will be reimbursing the $5 million lost in the exploit, and stated their confidence in a high recovery rate from the already identified wallets responsible for the malicious act. The remaining funds are to be drawn from the developer treasury, with a more detailed recovery plan to be announced in the near future.

Until version 10.0 of the Osmosis codebase is released, which is to happen following rigorous internal testing, the Osmosis chain will remain halted. The estimated time until the update rolls out is two days; however, the team stated that this timeframe is subject to change.


Last updated: Jun 25, 2022
