Bug Exploiters

    On June 8th, a critical bug was found on Osmosis that led to the theft of several million dollars from liquidity pools. The upgrade that contained the exploited bug occurred at block height 4707300, and the chain was halted at block 4713064.In this presentation I analyze What is the list of addresses that were explicitly exploiting the bug by doing multiple join/exits, i.e. who were the attackers? What was the total dollar amount that was taken by the attackers? What amount of stolen assets in the attackers’ wallets remain on Osmosis?

    Loading...
    Loading...

    Methodology

    • Join Addresses -> LIQUIDITY_PROVIDER_ADDRESS Table -> where action = 'pool_joined' & tx_status = 'SUCCEEDED' & BLOCK_ID BETWEEN 4707300 and 4713064

    • Exits Addresses -> LIQUIDITY_PROVIDER_ADDRESS Table -> where action = 'Pool_exited' & tx_status = 'SUCCEEDED' & BLOCK_ID BETWEEN 4707300 and 4713064

    • Then joined to osmosis.core.dim_labels to find Tokens.

    • I find from LIQUIDITY_PROVIDER_ADDRESS , table the dollar amount and assets left at the addresses

    Analysis results

    • I will get the number of join/exits of each Address on June 7th and 8th.

    • Identify attackers.

    • The amount of assets taken by the attackers.

    Loading...
    Loading...

    Identify attackers

    The chart and query above show the list of addresses that have multiple join / exits June 7 and 8, 2022. According to the observations:

    • The address with the highest number of join / exits is isosmo18qx59wy8s3ytax3e0akna934e86mw776vlzjtq with 147 joined and 146 exited
    • There are about 5 addresses that have the same number of join / exits

    Total dollar amount that was taken by the attackers is 14,452,678.72 USD.

    The chart above shows total dollar assets that was taken by the attackers.Most activities occurred from 00:00 until 02:00 AM. Nearly 16M dollars added at 1:00 AM on 8 June.

    The chart above shows Total amount of stolen assets in the attackers’ wallets remain on Osmosis.As you can see from a wallet remained, about 2.7M Osmosis, 9 BTC, 416K Cosmos(In the previous table, we have seen that about 316K transferred, So the current Cosmos balance is about 99K), and 192 Wrapped Ether. Also, the other wallet still has 172K Osmosis in its Osmo Wallet.

    Conclusion

    • The attackers address wallets : isosmo18qx59wy8s3ytax3e0akna934e86mw776vlzjtq
    • There are about 5 addresses that have the same number of join / exits
    • Total dollar amount that was taken by the attackers is 14,452,678.72 USD.
    • Total amount of stolen assets in the attackers’ wallets remain on Osmosis is 172K Osmosis
    Loading...