After yesterday’s drain attack, the Osmosis team published an update thread on Twitter stating that all the losses will be compensated. The team took full responsibility for the attack and said that the new update would take at least two days to release due to detailed testing.
On June 8, four attackers took advantage of a bug in the recent Osmosis update and drained about $5 million from the liquidity pools. The Osmosis team identified the individuals a few hours after the attack.
Latest situation update
While the team was working on restarting the system, it released an update thread on Twitter. As of the time of writing, this is the most recent update from the team.
The team mentioned the recovery of the stolen funds, the reason behind the bug in the system, and the timeline for the next update.
Stolen funds will be returned
While withholding the details on how, the team said the project would cover the losses.
All losses will be covered.
This is happening through a combination of efforts to maximize recovery of exploited funds and a commitment to backstop any unrecovered funds from the developer treasury.
More information on specific recovery plan will be available in the future.
— Osmosis (@osmosiszone) June 8, 2022
A few hours before the latest update thread, the team said two of the four exploiters came forward and agreed to return the stolen funds. However, in the last update thread, the team was less reassuring about the attackers’ intentions.
Instead of referring to the two attackers who claimed they would return the stolen funds, the team just said:
“A small number of wallets were responsible for the majority of exploited funds, and we are confident that we will have a high recovery rate from these wallets.”
The team takes full responsibility
The Osmosis team released an update to the network, Osmosis v9.0, on June 8, 2022. It took only a few hours for the attackers to recognize a bug in the new update and exploit it.
According to its tweets, the Osmosis team took full responsibility for the attack because the exploited bug resulted from an obvious mistake.
The team admitted that the bug was simple and should have been noticed and fixed during testing, noting:
“It was painfully overlooked in internal testing that was focused on more advanced functionality related to the upgrade.”
The future update
Osmosis learned from its mistakes and said it’ll be taking its time with the next update to ensure such an attack never happens again.
The team said they identified the reason behind the bug and are working on it. However, they also said they’d focus on the security protocols overall rather than just fixing the bug for the next update.
“Before pushing any future update, we will be implementing multiple changes and upgrades to our security protocols to ensure the quality and safety of Osmosis. A comprehensive retrospective on secure development processes will be done by several core development entities.”
As the update’s scope is relatively large, the Osmosis team estimates that the next upgrade will take at least two days to release.