Full Report
Osmosis Zone is a decentralized exchange built in the Cosmos ecosystem. A Reddit user commented that a bug in the liquidity pool logic allowed a gain of 50% simply by adding and then removing liquidity from a pool. Naturally, people did not take the person seriously... until they tried it. The bug was then exploited to steal money instantly, and eventually the chain was halted so a fix could be deployed before it was too late. How easy was this exploit? Put money in, take it out... do it again. Before the halt, the various attackers had taken roughly $5M from the DEX. Looking at the transactions, it is clear that money was simply being duplicated. Overall, a really simple vulnerability, and it is hard to believe it wasn't found during testing. To me, taking out what you put in seems like a pretty sane thing to test.
Analysis Summary
# Incident Report: Osmosis DEX Liquidity Pool Join/Exit Logic Flaw
## Executive Summary
A critical logic vulnerability in the Osmosis decentralized exchange allowed users to artificially inflate their holdings by 50% simply by adding and removing liquidity from pools. The exploit was publicly disclosed on Reddit, leading to widespread opportunistic exploitation that resulted in approximately $5M USD in losses. The incident necessitated a complete emergency halt of the Osmosis blockchain to prevent total liquidity drainage.
## Incident Details
- **Discovery Date:** June 8, 2022
- **Incident Date:** June 8, 2022
- **Affected Organization:** Osmosis Zone
- **Sector:** Decentralized Finance (DeFi) / Web3
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** June 8, 2022
- **Vector:** Publicly disclosed logic flaw in the chain's on-chain AMM pool (join/exit) code. Osmosis pools are implemented as a native Cosmos SDK module, not as user-deployed smart contracts, so the flaw was in the chain binary itself.
- **Details:** A Reddit user posted on r/CosmosNetwork and r/OsmosisLab describing a bug where withdrawing liquidity from a pool returned 50% more than what was deposited. Anyone with funds on the chain could reproduce it with a normal join followed by a normal exit.
### Lateral Movement
- **N/A:** As an on-chain logic exploit, the attack did not involve traditional network lateral movement. Instead, multiple independent actors "chained" the exploit by repeatedly depositing and withdrawing funds, compounding a roughly 1.5x gain on each cycle.
### Data Exfiltration/Impact
- **Details:** Approximately $5M in crypto assets were drained from liquidity pools by various users/hackers prior to the network shutdown.
### Detection & Response
- **Detection:** Community monitoring of social media (Reddit) and on-chain transaction observation showing "money duplication."
- **Response Actions:** Osmosis developers and validators coordinated an emergency halt of the Osmosis chain (a Cosmos SDK-based blockchain) to freeze transactions and prevent further drainage. Only Osmosis was halted, not other chains in the Cosmos ecosystem.
## Attack Methodology
- **Initial Access:** Exploitation of a logic error in the pool join/exit (liquidity provider) code of the chain's AMM module.
- **Persistence:** Not applicable; transaction-based.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable; transactions were public on the ledger.
- **Credential Access:** Not applicable.
- **Discovery:** None required by the attackers; the flaw was described publicly on Reddit and could be confirmed by anyone with a single join/exit round trip. It is the kind of defect that should have been caught by unit testing of the deposit/withdrawal functions.
- **Lateral Movement:** Not applicable.
- **Collection:** Automated or manual repetition of the Deposit -> Withdraw cycle.
- **Exfiltration:** Transferring duplicated tokens out of the Osmosis ecosystem (where possible) or swapping for other assets.
- **Impact:** Financial loss and total operational shutdown of the DEX.
## Impact Assessment
- **Financial:** Estimated $5M USD loss from liquidity pools.
- **Data Breach:** No private data breached; all transactions are public.
- **Operational:** Total stoppage of the Osmosis blockchain for several days to implement a fix.
- **Reputational:** High; public perception was damaged due to the "simplicity" of the vulnerability.
## Indicators of Compromise
- **Behavioral indicators:** Large-scale "AddLiquidity" followed immediately by "RemoveLiquidity" transactions resulting in a 1.5x balance increase in a single block or short time frame.
- **Network indicators:** N/A (Blockchain-native).
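The behavioral indicator above can be turned into a detector. The following Go program is an added example written for this report, not Osmosis's own tooling; the event shape, field names, sender labels, block window and ratio threshold are all assumptions, and the events are constructed. It pairs each exit with the sender's most recent join in the same pool, flags exits that pay out far more than was deposited within a short block window, and shows how a per-pool alert count could drive the pool-level circuit breaker recommended later in this report.

```go
package main

import (
	"fmt"
	"sort"
)

// PoolEvent is a simplified join/exit record as a monitor might reconstruct it
// from block events. Field names are constructed for this example and do not
// match Osmosis's real event attribute names.
type PoolEvent struct {
	Height int64
	Sender string // placeholder label, not a real bech32 address
	PoolID int
	Kind   string // "join" or "exit"
	Amount int64  // value moved, in a single reference unit
}

// Alert records one suspicious join/exit pair.
type Alert struct {
	Sender     string
	PoolID     int
	JoinHeight int64
	ExitHeight int64
	Ratio      float64 // exit amount / join amount
}

// DetectRoundTripGains pairs each exit with the sender's most recent join in the
// same pool and flags it when the exit happened within maxBlocks of the join and
// paid out at least minRatio times the deposit. The block window matters: an
// honest LP who held a position for a long time legitimately withdraws more than
// they deposited because of accrued swap fees, so those are not flagged.
func DetectRoundTripGains(events []PoolEvent, maxBlocks int64, minRatio float64) []Alert {
	sorted := append([]PoolEvent(nil), events...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Height < sorted[j].Height })

	type key struct {
		sender string
		pool   int
	}
	lastJoin := map[key]PoolEvent{}
	var alerts []Alert
	for _, ev := range sorted {
		k := key{ev.Sender, ev.PoolID}
		switch ev.Kind {
		case "join":
			lastJoin[k] = ev
		case "exit":
			j, ok := lastJoin[k]
			if !ok || j.Amount <= 0 || ev.Height-j.Height > maxBlocks {
				continue
			}
			if ratio := float64(ev.Amount) / float64(j.Amount); ratio >= minRatio {
				alerts = append(alerts, Alert{ev.Sender, ev.PoolID, j.Height, ev.Height, ratio})
			}
			delete(lastJoin, k) // each join is consumed by at most one exit
		}
	}
	return alerts
}

// ShouldPausePool is a simple circuit-breaker rule: pause a pool once it has
// accumulated at least threshold alerts.
func ShouldPausePool(alerts []Alert, poolID, threshold int) bool {
	n := 0
	for _, a := range alerts {
		if a.PoolID == poolID {
			n++
		}
	}
	return n >= threshold
}

// sampleEvents is constructed data: one long-term LP, one attacker cycling the
// pool every other block, and one trader with a normal lossy round trip.
func sampleEvents() []PoolEvent {
	return []PoolEvent{
		{Height: 100, Sender: "lp-1", PoolID: 1, Kind: "join", Amount: 10_000},
		{Height: 101, Sender: "attacker", PoolID: 1, Kind: "join", Amount: 1_000},
		{Height: 102, Sender: "attacker", PoolID: 1, Kind: "exit", Amount: 1_500},
		{Height: 103, Sender: "attacker", PoolID: 1, Kind: "join", Amount: 1_500},
		{Height: 104, Sender: "attacker", PoolID: 1, Kind: "exit", Amount: 2_250},
		{Height: 200, Sender: "trader", PoolID: 2, Kind: "join", Amount: 500},
		{Height: 201, Sender: "trader", PoolID: 2, Kind: "exit", Amount: 499},
		{Height: 5_100, Sender: "lp-1", PoolID: 1, Kind: "exit", Amount: 10_050}, // fee income over a long hold
	}
}

func main() {
	alerts := DetectRoundTripGains(sampleEvents(), 20, 1.2)
	for _, a := range alerts {
		fmt.Printf("%s pool %d: joined @%d, exited @%d, ratio %.2f\n", a.Sender, a.PoolID, a.JoinHeight, a.ExitHeight, a.Ratio)
	}
	fmt.Println("pause pool 1:", ShouldPausePool(alerts, 1, 2))
}
```

On the sample data only the attacker's two cycles are flagged; the long-term LP's fee-driven gain falls outside the block window and the trader's round trip loses value. In a real deployment the amounts would have to be normalised to one unit of value across both pool assets, and the threshold tuned against the pool's fee rate so that ordinary LP activity never trips the breaker.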
## Response Actions
- **Containment:** Validators were instructed to stop their nodes, effectively halting the blockchain.
- **Eradication:** Developers identified the faulty logic in the code responsible for calculating LP share values.
- **Recovery:** Implementation of a software upgrade (patch) followed by a coordinated restart of the validator set.
## Lessons Learned
- **Testing Gaps:** The flaw involved a fundamental "round-trip" (putting money in and taking it out), indicating a failure in basic integration and unit testing.
- **Social Media Risk:** Publicly disclosing a live vulnerability on Reddit (vulnerability "full disclosure") before a patch is ready accelerates exploitation.
- **Emergency Protocols:** The ability to halt the chain prevented a total loss of the $200M+ TVL (Total Value Locked) at the time.
## Recommendations
- **Rigorous Unit Testing:** Ensure that all mathematical functions related to share calculations are tested for "equal-in-equal-out" parity.
- **Bug Bounty Program:** Incentivize researchers to report flaws privately via platforms like Immunefi rather than posting on Reddit.
- **Circuit Breakers:** Implement automated smart contract "circuit breakers" that can pause specific pools if anomalous withdrawal volumes are detected.
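What the "equal-in-equal-out" test in the first recommendation looks like in practice, as an added example written for this report (this is a toy pool, not Osmosis's GAMM module, and the `overMintPct` knob is a constructed stand-in for over-minting that does not model the real Osmosis defect): a minimal two-asset pool that mints LP shares on join and burns them on exit, plus a property check that a join immediately followed by an exit of every minted share can never return more than was deposited. Rounding is always in the pool's favour (shares floored, amounts taken ceiled), which is what makes the invariant hold exactly rather than approximately.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Pool is a minimal two-asset pool that tracks LP shares. It is an added
// illustration for this report, not Osmosis's own pool code.
type Pool struct {
	BalanceA, BalanceB int64
	TotalShares        int64
	// overMintPct is a constructed knob used only to show the round-trip check
	// catching over-minted shares. 0 is correct behaviour; it does not model
	// the actual Osmosis defect.
	overMintPct int64
}

// mulDiv returns floor(a*b/c) without intermediate overflow.
func mulDiv(a, b, c int64) int64 {
	r := new(big.Int).Mul(big.NewInt(a), big.NewInt(b))
	return r.Div(r, big.NewInt(c)).Int64()
}

// mulDivCeil returns ceil(a*b/c) without intermediate overflow.
func mulDivCeil(a, b, c int64) int64 {
	r := new(big.Int).Mul(big.NewInt(a), big.NewInt(b))
	r.Add(r, big.NewInt(c-1))
	return r.Div(r, big.NewInt(c)).Int64()
}

// Join deposits up to (amtA, amtB), mints shares for the largest deposit that
// fits the pool's current ratio, and refunds the unused remainder. Shares are
// floored and the amounts actually taken are ceiled, so rounding favours the pool.
func (p *Pool) Join(amtA, amtB int64) (shares, refundA, refundB int64, err error) {
	if amtA <= 0 || amtB <= 0 {
		return 0, 0, 0, errors.New("deposit amounts must be positive")
	}
	shares = mulDiv(p.TotalShares, amtA, p.BalanceA)
	if sB := mulDiv(p.TotalShares, amtB, p.BalanceB); sB < shares {
		shares = sB
	}
	if shares == 0 {
		return 0, 0, 0, errors.New("deposit too small to mint a share")
	}
	usedA := mulDivCeil(shares, p.BalanceA, p.TotalShares)
	usedB := mulDivCeil(shares, p.BalanceB, p.TotalShares)
	p.BalanceA += usedA
	p.BalanceB += usedB
	minted := shares + shares*p.overMintPct/100 // constructed bug knob; 0 in the correct pool
	p.TotalShares += minted
	return minted, amtA - usedA, amtB - usedB, nil
}

// Exit burns shares and pays out the proportional slice of each balance (floored).
func (p *Pool) Exit(shares int64) (outA, outB int64, err error) {
	if shares <= 0 || shares > p.TotalShares {
		return 0, 0, errors.New("invalid share amount")
	}
	outA = mulDiv(p.BalanceA, shares, p.TotalShares)
	outB = mulDiv(p.BalanceB, shares, p.TotalShares)
	p.BalanceA -= outA
	p.BalanceB -= outB
	p.TotalShares -= shares
	return outA, outB, nil
}

// RoundTrip joins with (amtA, amtB) and immediately exits with every share
// minted, returning what the user ends up holding of each asset (payout + refund).
func RoundTrip(p *Pool, amtA, amtB int64) (int64, int64, error) {
	shares, refA, refB, err := p.Join(amtA, amtB)
	if err != nil {
		return 0, 0, err
	}
	outA, outB, err := p.Exit(shares)
	if err != nil {
		return 0, 0, err
	}
	return outA + refA, outB + refB, nil
}

// CheckRoundTrip is the equal-in-equal-out property: for every deposit in the
// table (in-ratio, off-ratio, and tiny), a user must never get back more than
// they put in. A non-nil error means the pool mints value out of thin air.
func CheckRoundTrip(p *Pool) error {
	deposits := [][2]int64{{100_000, 200_000}, {7, 13}, {100_000, 100_000}, {1, 999_999}}
	for _, d := range deposits {
		backA, backB, err := RoundTrip(p, d[0], d[1])
		if err != nil {
			continue // deposits too small to mint a share are rejected, which is fine
		}
		if backA > d[0] || backB > d[1] {
			return fmt.Errorf("round trip of (%d,%d) returned (%d,%d): pool mints value", d[0], d[1], backA, backB)
		}
	}
	return nil
}

func main() {
	good := &Pool{BalanceA: 1_000_000, BalanceB: 2_000_000, TotalShares: 1_000_000}
	bad := &Pool{BalanceA: 1_000_000, BalanceB: 2_000_000, TotalShares: 1_000_000, overMintPct: 50}
	fmt.Println("correct pool:", CheckRoundTrip(good))
	fmt.Println("over-minting pool:", CheckRoundTrip(bad))
}
```

With the knob at zero every deposit in the table comes back exactly, and the pool's balances and share supply return to their starting values after each cycle; with 50% over-minting the very first round trip pays out about 1.43x of each asset (the extra shares also dilute the supply, so the gain is slightly under 1.5x), and the check fails. A table-driven check like this, or the same invariant as a fuzz target over random deposits, is the cheap test this incident report argues was missing.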