Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
Developers and network participants took a blockchain offline on Tuesday night, making the “decentralized” cryptocurrency exchange running on top of it inoperable, after a bug let a hacker steal around $5 million.
A few hours earlier, a Reddit user called Straight-Hat3855 warned of the existence of the flaw on the Osmosis blockchain in a post on the subreddit of Cosmos Network, the ecosystem that hosts the vulnerable blockchain. The primary function of the Osmosis chain is to run its decentralized crypto exchange, which is an exchange that uses smart contracts and algorithms to enable token swaps and set prices.
“There is a serious problem with osmosis. If you add liquidity to a pool and then remove it, it grows by 50%! How can we fix this!?!?” Straight-Hat3855 wrote in a now-deleted post.
“The Osmosis chain has been halted for emergency maintenance,” a Discord moderator for the project announced at 10:57 p.m. EST. “This will take some time to resolve, and we don’t expect the chain to be live again for a few hours at least. During this time, you will not be able to interact with the DEX or with your Osmosis wallet.” According to a later post by the moderator, blockchain validators—users who have “staked” tokens to become miners—coordinated the “emergency halt” in 12 minutes after discovering the issue.
On Twitter, the Osmosis Twitter account announced “devs are fixing the bug.” Roughly six hours later, Osmosis publicly announced on its official Twitter account that the bug was identified and patched. The project estimated that the losses were around $5 million, but that it was “working on recovery.”
“More testing is underway before validators are recommended to coordinate a restart,” the project wrote.
Do you have information about other crypto hacks? Do you research vulnerabilities on cryptocurrencies and their networks? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email [email protected]
Osmosis did not respond to a request for comment sent via Twitter DM.
The hack comes just days after hackers stole around $113 million from another decentralized exchange (DEX) called Maiar. In that case, the developers also took the exchange offline to deal with the hack, and later claimed that they were able to patch the bug and recover the stolen funds.
While $5 million is not a high amount given the severity of other crypto hacks, it shows once again that a lot of crypto projects run on highly vulnerable code that hackers are quick to exploit, causing serious damage. In the first three months of this year, hackers and scammers have stolen around $1.6 billion in crypto, according to blockchain cybersecurity company CertiK.