Osmosis June 8th Exploit Analysis

On June 7, someone posted a Reddit thread that was later deleted by the forum’s moderator. The thread contained a serious claim — the Osmosis network had a bug that allowed liquidity providers to earn an extra 50% when adding and withdrawing liquidity.

Before all the pools were drained, the Osmosis team identified the bug and halted the chain. In this analysis, let’s see who exploited this bug and how much they got away with. But before that let’s chat about the methodology I used to identify these exploiters.

# Methodology

1. All the data was obtained after the block 4707300 where the Osmosis upgrade occurred which introduced this bug.
2. I looked at pool join transactions immediately followed by a pool exit transaction.
3. Additionally, both the pool join and exit transactions needed to have the same amount of GAMM/LP tokens for the same pool.

# Observations

## Timeline

- For these first set of charts, I grouped the data into ten-minute intervals so that we could easily see how fast things were moving.
- The times in the charts below are based on UTC time.
- Note: The timeline doesn’t show empty intervals where no transactions happened. Therefore you’ll see timeline entries jump around by few hours sometimes.

• We can see that from start to finish the bug exploitation happened for around 8 hours starting at 16:40 on June 7th and ending around 02:40 on June 8th.
• In the first instance of the exploitation (at 6/7/22 16:40), attacker osmo1z98eg2ztdp2glyla62629nrlvczg8s7f8sgpm5 entered the pools with $11 and exited with $17 netting a ~$6 profit. This was done using the BOOT/OSMO pool.
• From there, for the next 3 hours there were no exploit transactions.
• At 6/7/22 19:30, we see another instance of exploit with similar amount ($10 entry and $15 exit). This time a second attacker osmo1d8etkcl43lp9nhdsflmm9y3krl7dutwj2493rh uses the JUNO/OSMO pool.
• At 6/7/22 19:40, a third attacker osmo10t26acjmemggsahq6uvyucm4tj3z0mhz23ljh2 joins the gang and goes for the holy grail of the pools! The WBTC / OSMO pool. The attacker enters with ~$1610 and exits with ~$2413 netting a profit of $804!
• osmo10t26acjmemggsahq6uvyucm4tj3z0mhz23ljh2 loves the OSMO / axlWBTC pools and continues to exploit them multiple times.
• From here on, things are quiet down for about 4 hours until 6/8/22 1:00. That’s when all hell breaks loose and the amounts increase exponentially.
• For the next two hours, we see multiple transactions happening per pool and the amount entering and leaving pools reaching as high as $3M!

• Looking on a timeline, we see the BTC pool was exploited first and towards the end of the exploit, the ATOM and USDC pools start getting exploited in many more transactions.

• The number of exploiters for the USDC pool were the largest compared to ATOM and BTC.

• Surprisingly, even through the BTC pool had a lot of exploit transactions, the ATOM and USDC pools had much larger $USD amount withdrawn.

You can see all the transactions I identified as part of this exploit in this table.

## Attacker details

• The top 2 exploiters made a profit of more than $1M each.
• The top exploiter made a profit of about $3M.
• Some of the smaller amount wallets identified might have accidentally exited the pool while the bug was active and are likely not exploiters.

• We can see that almost all of the exploiters were pretty quick to exit the pools.
• Out of the 18 identified wallets, 17 exited pools in less than 4 minutes.
• 9 wallets with more than 5 exit transactions exited the pools in around 1 minute (60–70s).

## Top 3 LP Exploiters

Using these next charts, we can see the top 3 LP exploiters and how their token amounts grew over time.

• Our top exploiter here starting with exploiting the WBTC pool and then moved on to the ETH pool.
• Once they were done with those pools, they ended with the ATOM pool.
• Notice that the amount of tokens don’t show a linear increase which is because this exploiter was selling some of the tokens along the way and entering the pool with the remaining tokens.
• This exploiter started with 0.02 BTC and 12 ETH and grew them to 2.49 BTC and 65.48 ETH along the way!
• This exploiter was active for about 90 minutes.

• Our #2 ranked exploiter focused only on the USDC pool and didn’t swap any tokens along the way.
• This exploiter grew ~45 USDC to 705K USDC!

• Our #3 ranked exploiter focused on the WBTC pool and grew 0.04 BTC to 2.25!
• This was one of the early exploiters transacting for about 22 minutes on June 7th between 19:47 and 20:09.

## Token & Pool Analysis

Looking at the token amounts withdrawn:

• OSMO is the leading token with about $2.3M withdrawn.
• ATOM is the #2 token with about $1.2M withdrawn.
• Next we have USDC, WBTC and WETH also showing significant amounts that were withdrawn.

• Looking at the per pool amounts we see the ATOM / OSMO pool generated the most profit followed by the USDC / OSMO pools.

• Overall, the BTC pool was exploited most number of times following by ATOM and USDC pools.
• Even though BTC pool had most exit transactions, the overall profit for this pool only ranks it at #3 in the above chart.

• A madlad osmo1jfxcl8ja3nnfjduqemptknz2j6nk6502zp3rte even exploited the LUNC (LUNA1) pool 15 times netting $600 profit! 😅

# Conclusion

Normally, hacks have require sophisticated techniques and a deeper understanding of the system. This one was different and could have been exploited by anybody with the simple tools available to any liquidity provider. From the on-chain data, it’s fascinating to see how quickly ~45 USDC could turn into 705K USDC (in about 20 minutes!), so its no surprise that the chain needed to be halted to prevent further damage!

# Appendix

All data was queried through Flipside Crypto