Exploit confirmed for Osmosis.
A short time ago, the Osmosis chain was halted through coordination of the validator set. It seems that the team and validators became aware of an exploit underway that was draining liquidity from the protocol. What is known so far is that some funds have been taken from the liquidity pools. At this stage it seems to be only a portion of the funds, although the size is not yet clear.
The most recent announcement in the Osmosis Discord server clarifies what is going on, after rumor and speculation have been swirling around:
There is a lot of misinformation swirling around right now on Twitter and other platforms, so I wanted to set the record straight on a few things.
Yes, there was an exploit of a bug that resulted in a loss of funds in some of the Osmosis liquidity pools. At this time, we don't know the exact scale of the funds that were removed from the protocol, but all of the protocol's liquidity has NOT been drained as some are claiming. After we discovered the issue, the validators were able to respond and coordinate an emergency halt within 12 minutes.
The focus now is to squash the bug, test a new patch extensively, and coordinate a restart of the chain. I know this is stressful for a lot of you, but please bear with us while we fix this issue and get more information on the extent of this event.
I cannot speculate on the cause of the bug, an ETA on the chain restart, or the pools that were impacted because we simply don't know yet. When I get more information I will be sure to update you. Thank you again for your patience on this.
Quote from "RoboMcGobo" in the announcement channel of the Osmosis Discord.
So what happened?
It seems that someone discovered an error that allowed them to remove funds from the pool over time. They apparently found that if they added liquidity and then removed it again almost immediately, they received back more than they started with. Repeat this process over and over, and the profit becomes significant.
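The round trip described above points to an invariant a pool's test suite can enforce: joining and then immediately exiting must never return more than was deposited. The following Python is an added example, not Osmosis code; the single-asset `Pool` model, the function names and the 10% over-minting fault are constructed assumptions, and that fault is not the cause of the Osmosis bug, which was unknown at the time of writing.

```python
from dataclasses import dataclass
from typing import Callable, List

# (deposit, reserve, total_shares) -> LP shares to mint for the depositor
MintFn = Callable[[int, int, int], int]

def mint_pro_rata(deposit: int, reserve: int, total_shares: int) -> int:
    """Correct rule: new shares are proportional to the deposit, rounded down."""
    return deposit * total_shares // reserve

def mint_inflated(deposit: int, reserve: int, total_shares: int) -> int:
    """Constructed fault (hypothetical): mints 10% more shares than pro rata."""
    return mint_pro_rata(deposit, reserve, total_shares) * 11 // 10

@dataclass
class Pool:
    reserve: int        # tokens held by the pool (simplified to one asset)
    total_shares: int   # LP shares outstanding
    mint: MintFn        # share-minting rule under test

    def join(self, deposit: int) -> int:
        shares = self.mint(deposit, self.reserve, self.total_shares)
        self.reserve += deposit
        self.total_shares += shares
        return shares

    def exit(self, shares: int) -> int:
        # Redeem shares for their pro-rata slice of the reserve, rounded down.
        out = shares * self.reserve // self.total_shares
        self.reserve -= out
        self.total_shares -= shares
        return out

def round_trip_gain(pool: Pool, deposit: int) -> int:
    """Tokens returned by join-then-exit minus tokens deposited."""
    return pool.exit(pool.join(deposit)) - deposit

def check_no_free_tokens(mint: MintFn, deposits=(999, 10_000, 250_000)) -> List[int]:
    """Return every deposit size whose round trip pays out more than went in."""
    violations = []
    for d in deposits:
        pool = Pool(reserve=1_000_000, total_shares=1_000_000_000, mint=mint)
        if round_trip_gain(pool, d) > 0:
            violations.append(d)
    return violations

if __name__ == "__main__":
    print("pro rata :", check_no_free_tokens(mint_pro_rata))
    print("inflated :", check_no_free_tokens(mint_inflated))
```

Run as a pre-release test over a range of deposit sizes, a check of this shape fails as soon as any join path hands out more shares than the deposit is worth.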
From my understanding, a user discovered that this was going on, and first posted it on Reddit in this post. Initially, the comment was met with disbelief, until other users attempted to do the same and found it worked. The thread and the comments in it about the process were deleted, to prevent further loss of funds.
It seems that once the team and validators became aware of the issue, the chain was halted within a matter of 12 minutes. The fast response likely saved significant funds.
While it is too early to speculate how much has been lost, it appears to be in the millions. With a TVL around $200 million, it is likely to hurt, but not be a fatal blow. What impact it will have on confidence in an already wounded AMM thanks to the impacts of the LUNA collapse
This Twitter thread by Junonaut gives probably the clearest summary of the situation I have seen so far.
What have you heard? Do you have any more info?
I'll update the post once more details are available.
For now, we know the chain is halted, some funds are lost, and the devs are working on it.
Stay safe everyone.
JK.