Osmosis Exploit | Bug Exploiters
On June 8th, a critical bug was found on Osmosis that led to the theft of several million dollars from liquidity pools. In an effort to help provide the Osmosis team with important data, we’ve curated these flash bounties to surface metrics that the team has requested. The upgrade that contained the exploited bug occurred at block height 4707300, and the chain was halted at block 4713064. Of those who took advantage of the exploit, 4 entities are responsible for over 95% of the realized exploit amount. What is the list of addresses that were explicitly exploiting the bug by doing multiple join/exits, i.e. who were the attackers? What was the total dollar amount that was taken by the attackers? What amount of stolen assets in the attackers’ wallets remain on Osmosis? Hints: Make sure to account for both LP shares and assets in balance.
Introduction
Osmosis is a fast-moving chain in terms of development. With fast development and deployment you usually get cool things faster, but what you also get is bugs, and bugs that can be exploited! In this case the chain was halted to stop the exploit from continuing, but significant damage had already been done. In this investigation we'll look at what exactly happened, how much of what the attackers took, focus specifically on the sophisticated attackers that knew exactly what they were doing, see whether any of the funds are still on the chain or have already been moved off it, and speculate on whether or not they've been realized into profits.
As we can see, this filter captures about ~94.2% of the $ exploited (more specifically ~94.214%), which is not bad, and it filters out normal users so that the graphs are easily decipherable and do not take too long to load...
Total amount taken by denominated token
Let's now look at the total value exploited per denominated token, under the assumption that the successful exploiters are those with -3 < diff(entries-exits) < 3.
Exploiters vs Normal people
What we expect to see is people going in the same number of times they go out, though it could be that some of these wallets came out and back in while having been in the pool originally. Here we see the difference in actions per wallet. Negative values indicate that the wallet exited pools more times than it joined, whereas positive values indicate that the wallet joined pools more times than it exited. What we expect to see here is that the neutral values, between -3 <= diff(entries-exits) <= 3 (assumption), are the successful bug exploiters that understood the bug well and exploited it successfully.
What we can see is that the majority of wallets have more LP entries than exits, which is normal user behaviour, with a few wallets having a lot more entries than exits. On the other side we have the users that have more exits than entries, with only 1-2 that have a lot more exits than entries.
For this investigation what I will be focusing on, and what I find interesting, is the users that have between -3 < diff(entries-exits) < 3, which, at least to me, would indicate that they knew how to exploit the bug expertly.
Let's look at these wallets...
It seems that the majority of coins, at least in their denominated value, were taken by the top 2 wallets that exploited the bug, namely osmo18qx59wy8s3ytax3e0akna934e86mw776vlzjtq and osmo1hq8tlgq0kqz9e56532zghdhz7g8gtjymdltqer. Also, it seems that the majority of tokens that got exploited were OSMO, axlUSDC and ATOM. OSMO, ATOM and axlUSDC denominated pairs probably have the highest liquidity, so it makes sense that these users chose to go for these three tokens and their paired counterparts.
What we can see is that the majority of the exploited value came from exiting the LP pairs with OSMO, ATOM, axlUSDC and axlWETH. As expected, at least the OSMO, ATOM and axlUSDC pairs would have the highest liquidity. But instead of just speculating on this, let's look at which pools were exploited specifically.
That's significant when you take into account the network revenue in total (at least from when the chain was backfilled), which is very low in comparison (see below).
NOTE: The approximate total value lost is the whole value, not only the value attributable to wallets with -3 <= diff(entries-exits) <= 3.
In fact, it would take them ~53.4x the amount of revenue accrued so far just to make the pools whole again. Given that Osmosis is still a (relatively) new project (Osmosis launched in late 2021) and, as described earlier, has a very fast pace of development, it is expected that more users will onboard onto the network once proper measures for testing are more strictly implemented. More users, both whales and regular retail users, should help with net revenue and should (over time) help cover this exploit. I am sure that the team is currently in talks about how to make the pools whole again, reaching out to VCs and big whales. I just hope that they do not allocate/mint the equivalent amount of OSMO to receive the equivalent amount in USD to make this work, as this would decrease retail user confidence in the project and create massive sell pressure.
NOTE: The approximate average price for each OSMO was calculated using data from CoinGecko.
What we can see here is that ATOM/OSMO, axlUSDC/OSMO, axlWBTC/OSMO and axlWETH/OSMO were the pools most exploited. There are also some interesting pools such as LUNC/OSMO and axlUSDC/XPRT, for which I had to dig into individual transactions to find the second token in the pair and label it correctly. What's interesting about them is that I was not able to find them listed in either Osmosis Zone or Frontier Osmosis Zone.
It seems that the majority of assets have left the system. We can also see that all but 2 of the 10 wallets exploited a lot more than one token pair.
Next steps?
It seems that the team has already put out a statement.
From what it seems they were, relatively speaking, pretty quick to come up with a patch, and they are letting the "code is law" mentality continue by not reversing the transactions to before the hack, which would break ownership immutability. There is also a community pool whose funds the team will use to recover the liquidity in some or all of these pairs.
Now even though that is good news, they still need to address the elephant in the room: the only reason they were able to reach such a quick consensus on halting the chain is that the chain itself is still very much centralized, which to some, like me, seems a bit concerning.