Osmosis, a decentralized exchange built using CosmosSDK, has been exploited, draining its liquidity pools for approximately $5 million.
Developers have halted the Osmosis blockchain to prevent further damage.
The decentralized exchange was stopped at roughly 10:49 pm EST today at a block height of 4,713,064, according to an announcement from Mintscan, an Osmosis block explorer.
The exploit happened just two blocks before the halt.
“Liquidity pools were NOT completely drained,” tweeted the team after discovering the exploit. “Devs are fixing the bug, scoping the size of losses (likely in the range of ~$5M), and working on recovery.”
A user on Reddit warned the Osmosis developers about the critical bug in their decentralized exchange. The Reddit thread was later removed by the Osmosis moderator.
According to the user, anyone who provided liquidity to a pool could then withdraw 50% more than they had deposited, with no bonding period (the period during which deposited funds are locked).
On-chain transactions show how one user repeatedly exploited this precise bug.
They began the exploit with just 26 OSMO tokens and made 13 more OSMO tokens in their first transaction.
One instance shows how they were able to provide liquidity of 101,230 OSMO (the native token of Osmosis) in a transaction made six hours ago.
Figure: Transaction showing the user adding liquidity. Source: Mintscan.
Then, just 30 seconds later, the exploiter exited their position with 151,084 OSMO tokens, pocketing 50% profit.
Figure: Transaction showing the user removing liquidity. Source: Mintscan.
They then repeated this process at least 30 times, increasing their holdings by 50% each time.
The wallet raked in roughly 70,000 of Cosmos' native ATOM tokens from the process (by swapping OSMO to ATOM), which are valued at approximately $600,000. They also transferred some of their OSMO profits to another address to repeat the same process.
The user repeated the process with numerous accounts. All told, the attacker made roughly $5 million from this bug.
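The join/exit cycle described above, written up as an added defender-side monitoring example that is not part of the article or of the Osmosis code base: it replays a constructed sequence of pool join and exit events (addresses, block heights, timestamps and amounts are all placeholders), flags any exit that pays out materially more than the matching deposit within seconds of it, and shows the compounding arithmetic of repeating such a cycle. It assumes a simplified event shape (`PoolEvent`) rather than the real Osmosis message types.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class PoolEvent:
    """Simplified liquidity-pool event (assumed shape, not an Osmosis type)."""
    height: int   # block height
    ts: int       # block timestamp, unix seconds (constructed)
    sender: str   # address (constructed placeholder)
    kind: str     # "join" or "exit"
    osmo: float   # OSMO moved into (join) or out of (exit) the pool


# Constructed sample: one long-term LP and one address cycling join/exit.
EVENTS = [
    PoolEvent(100, 1_000_000, "osmo1honest-placeholder", "join", 500.0),
    PoolEvent(101, 1_000_030, "osmo1cycler-placeholder", "join", 26.0),
    PoolEvent(102, 1_000_060, "osmo1cycler-placeholder", "exit", 39.0),
    PoolEvent(103, 1_000_090, "osmo1cycler-placeholder", "join", 39.0),
    PoolEvent(104, 1_000_120, "osmo1cycler-placeholder", "exit", 58.5),
    # Long-term LP exits weeks later with a small amount of fee income.
    PoolEvent(900, 1_050_000, "osmo1honest-placeholder", "exit", 502.0),
]


def find_overpaying_exits(events, max_gap_s=120, max_gain=0.05):
    """Pair each exit with the sender's most recent open join and flag it
    when the exit pays out more than (1 + max_gain) times the deposit within
    max_gap_s seconds. Legitimate LP fee income accrues slowly, so a large
    gain realised in seconds indicates the pool's exit accounting is paying
    out more than the position is worth. Thresholds are assumptions."""
    open_join = {}
    flagged = []
    for ev in sorted(events, key=lambda e: e.height):
        if ev.kind == "join":
            open_join[ev.sender] = ev
        elif ev.kind == "exit" and ev.sender in open_join:
            j = open_join.pop(ev.sender)
            gain = ev.osmo / j.osmo - 1.0
            if ev.ts - j.ts <= max_gap_s and gain > max_gain:
                flagged.append((j, ev, gain))
    return flagged


def net_extraction(events):
    """OSMO each address took out of the pool minus what it put in."""
    net = defaultdict(float)
    for ev in events:
        net[ev.sender] += ev.osmo if ev.kind == "exit" else -ev.osmo
    return dict(net)


def project_rounds(start, gain, rounds):
    """Balance after compounding a fixed per-cycle gain over several
    join/exit cycles (e.g. 26 OSMO at 50% for one cycle gives 39 OSMO)."""
    balance = start
    for _ in range(rounds):
        balance *= 1.0 + gain
    return balance


if __name__ == "__main__":
    for j, e, g in find_overpaying_exits(EVENTS):
        print(f"{e.sender}: joined {j.osmo} at h={j.height}, "
              f"exited {e.osmo} at h={e.height} ({g:+.0%} in {e.ts - j.ts}s)")
    print("net extraction:", net_extraction(EVENTS))
    print("26 OSMO after 30 cycles at +50%:", round(project_rounds(26, 0.5, 30)))
```

In practice a check like this runs over indexed join/exit messages per pool, with the payout compared against the share of reserves the position actually represents; the point of the time window is that fee income cannot explain a double-digit percentage gain between two blocks, so such a pair is worth halting on before it compounds.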