
    Introduction

    On June 8th 2022, Osmosis confirmed that some of its liquidity pools had been attacked, with losses of about $5M.

    The update reads as follows:

    > > * 4 individuals have been identified that account for 95%+ of realized exploit amount.

    > > * 2 out of the 4 individuals have proactively expressed intent to return the exploited amount in full.

    This dashboard reports a data-driven investigation of this incident.

    Investigation

    First step: Identifying attackers

    First we look at wallet activity in blocks with block_id between 4707300 and 4713064.

    The graph below shows the top 25 wallets by number of actions, counting 'join' and 'exit'.

    The graph below breaks the data down by action category. We can see that the top actors made both deposits and withdrawals.

    In the earlier LP hack on Tinyman, we saw that attackers exploited LPs through withdrawals, so they first had to deposit liquidity and then withdraw it.
    We see the same pattern here.

    In the list below we can see that among the top 10 wallets, at least six executed almost the same number of withdrawals as deposits, which is not normal.

    These wallets are the suspected wallets.

    We should validate this speculation. The hypothesis is that an attacker is most likely to become active only at the time of the attack, not before.

    Therefore we look at the activity of the top 10 wallets over a broader time period.

    The graph below shows that some wallets, such as osmo19l9wsymdh3mp7munzrlk8rs03ttnu2uaujyktu, had already executed some actions before the attack. Interestingly, these wallets do not have a balanced join-exit count.

    Filtering out wallets that were active over a period longer than the attack window and those whose deposits and withdrawals are not balanced, we arrive at 6 wallets.

    We can see 5 of them were active between 1:00 and 2:00 on June 8th CET.
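
The filtering steps above can be expressed as a small triage function. This is an added example, not the query behind the dashboard: the event tuples, wallet names and the `top_n` and `tolerance` parameters are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Block window examined on this page.
ATTACK_START, ATTACK_END = 4707300, 4713064

# Constructed sample LP events: (wallet, block_id, action). Wallet names are placeholders.
EVENTS = (
    [("wallet_a", 4707400 + i, "join") for i in range(3)]
    + [("wallet_a", 4707500 + i, "exit") for i in range(3)]    # balanced, window only
    + [("wallet_b", 4600000, "join")]                          # active before the window
    + [("wallet_b", 4708000 + i, "join") for i in range(2)]
    + [("wallet_b", 4708100 + i, "exit") for i in range(2)]
    + [("wallet_c", 4709000 + i, "join") for i in range(4)]    # unbalanced: 4 joins, 1 exit
    + [("wallet_c", 4709100, "exit")]
    + [("wallet_d", 4713063, "join"), ("wallet_d", 4713064, "exit")]  # on the window edge
    + [("wallet_e", 4500000, "join"), ("wallet_e", 4500100, "exit")]  # never in the window
)


def suspect_wallets(events, start=ATTACK_START, end=ATTACK_END, top_n=10, tolerance=0):
    """Return wallets matching the page's pattern, most active first.

    1. Rank wallets by join+exit count inside the block window and keep the top_n.
    2. Drop wallets with any join/exit outside the window (long-lived LPs).
    3. Keep wallets whose join and exit counts differ by at most `tolerance`.
    """
    stats = defaultdict(lambda: {"join": 0, "exit": 0, "outside": 0})
    for wallet, block_id, action in events:
        if action not in ("join", "exit"):
            continue  # swaps, transfers etc. are not part of this check
        if start <= block_id <= end:
            stats[wallet][action] += 1
        else:
            stats[wallet]["outside"] += 1

    def in_window(wallet):
        return stats[wallet]["join"] + stats[wallet]["exit"]

    ranked = sorted((w for w in stats if in_window(w) > 0),
                    key=lambda w: (-in_window(w), w))[:top_n]
    return [w for w in ranked
            if stats[w]["outside"] == 0
            and stats[w]["join"] > 0
            and abs(stats[w]["join"] - stats[w]["exit"]) <= tolerance]


if __name__ == "__main__":
    print(suspect_wallets(EVENTS))
```

A match is only a lead for manual review: a new liquidity provider who joins and exits once inside the window matches the same pattern.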

    Finding what has been stolen

    The next step is to look into the volume of the exploits. The graph below shows which assets were exploited by each wallet.

    In terms of dollar value, OSMO has the highest volume, followed by ATOM.

    The graph below shows the distribution of exploits among wallets.

    Finally, we can see which assets have been transferred from the suspected attackers' wallets. Only two wallets transferred assets out of Osmosis.

    Conclusion

    Our investigation reveals that at least 6 wallets have been involved in the attack.

    They exploited the bug in withdrawal. Therefore, to carry out the exploit they first had to deposit into pools. All attackers have an equal number of deposits and withdrawals.

    Most of them could not transfer the assets out of Osmosis. However, some of them made swaps that should be investigated.