Hello Osmonauts,
What a week! Let’s dive right in…
TL;DR
The Osmosis network upgrade introduced an exploitable bug, and once discovered the team halted the chain for emergency maintenance.
About $5 million was taken out of the platform, half of which has been returned; the other half will be covered by Osmosis to make users whole.
The chain is expected to restart this weekend (June 10-12), and airdrops will be distributed to affected wallets.
The situation showcases the strength of the Osmosis community, validators and dev and support teams. They were able to limit the damage, rectify the situation, and punish bad actors.
Highlights from Osmocon include a focus on security, NFTs, cross-chain composability, merchandise, and more. Video of the event will be posted soon.
There are several major ongoing and upcoming crypto conferences, the most relevant being the Cosmoverse, which will take place in Colombia this year.
I take a look at Stargaze NFTs, Osmosis merchandise, and share my experience with the new OnJuno crypto “paycheck” debit card and fiat on/off ramp.
Osmosis Exploit and Network Outage Summary
As I wrote about last week, the Osmosis network upgraded to V9, aka the “Nitrogen” update, on Tuesday June 7th. The update will be remembered for a long time to come, for the following reason:
The completed update introduced a bug affecting liquidity pools that allowed users to exploit the network and effectively steal funds from those pools. Affected pools*:
Pool #1 - ATOM/OSMO
Pool #678 - USDC/OSMO
Pool #722 - EVMOS/OSMO
*May not be a complete list
When the dev team discovered the bug themselves (a validator noticed blocks were missing), the chain was halted for emergency maintenance in ~12 minutes (this requires 2/3 of validators to agree, pretty impressive).
Malicious users were able to drain an estimated ~$5 million USD from these pools between the time the upgrade completed (11:30 a.m. PT / 16:30 UTC) and the time the chain was halted several hours later.
This was performed through repeated pool joins and exits.
The bug allowed users to withdraw 50% more funds each time they exited.
One Byzantine actor turned $226 into ~$2 million.
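The join/exit pattern described above can be traced from pool events. The sketch below is an added example, not code from Osmosis or from the analysis mentioned later in this post. It assumes each exit redeems everything the same address deposited since its last exit, that values are already converted to USD, and that events arrive in block order. The addresses and amounts are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real chain data). value_usd is the USD value
# deposited on a join or received on an exit.
SAMPLE_EVENTS = [
    {"addr": "osmo1aaa", "pool": 1,   "type": "join", "value_usd": 100.0},
    {"addr": "osmo1aaa", "pool": 1,   "type": "exit", "value_usd": 150.0},
    {"addr": "osmo1aaa", "pool": 1,   "type": "join", "value_usd": 150.0},
    {"addr": "osmo1aaa", "pool": 1,   "type": "exit", "value_usd": 225.0},
    {"addr": "osmo1bbb", "pool": 678, "type": "join", "value_usd": 500.0},
    {"addr": "osmo1bbb", "pool": 678, "type": "exit", "value_usd": 499.0},
    {"addr": "osmo1ccc", "pool": 722, "type": "join", "value_usd": 40.0},
]


def trace_over_withdrawals(events, tolerance=0.02):
    """Pair each exit with the same address's open join in that pool and
    report addresses whose exits returned more than they deposited."""
    pending = {}  # (addr, pool) -> value deposited since the last exit
    stats = defaultdict(lambda: {"cycles": 0, "deposited": 0.0, "withdrawn": 0.0})
    for ev in events:  # assumed to be in block order
        key = (ev["addr"], ev["pool"])
        if ev["type"] == "join":
            pending[key] = pending.get(key, 0.0) + ev["value_usd"]
        elif ev["type"] == "exit" and key in pending:
            deposited = pending.pop(key)
            # A healthy pool returns roughly what went in; flag anything above.
            if ev["value_usd"] > deposited * (1 + tolerance):
                s = stats[ev["addr"]]
                s["cycles"] += 1
                s["deposited"] += deposited
                s["withdrawn"] += ev["value_usd"]
    return {
        addr: {**s, "excess": s["withdrawn"] - s["deposited"],
               "ratio": round(s["withdrawn"] / s["deposited"], 3)}
        for addr, s in stats.items()
    }


if __name__ == "__main__":
    for addr, report in trace_over_withdrawals(SAMPLE_EVENTS).items():
        print(addr, report)
```

The `tolerance` parameter absorbs small price movement between a join and its exit; an address that repeatedly gets back about 1.5 times its deposit stands out regardless.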
Approximately half of the funds have already been recovered. The other half, if not recovered, will be covered by Osmosis’ Strategic Reserve fund, making investors who may have lost money whole. Perpetrators may face criminal charges.
For wallets that have yet to return funds, the CEXs where they sent the stolen funds were notified immediately by the Osmosis team, and law enforcement was notified immediately as well; see the message from Sunny:
The chain is still halted at the time of this writing. Out of an abundance of caution, the team is performing extensive testing to ensure security going forward. Users that visit the platform will see the following:
Osmosis is expected to restart this weekend, and airdrops of lost funds will be distributed to anyone that was affected negatively by the exploit.
Takeaways
This wasn’t a “hack” but rather a bug in the code that allowed users to engage in malicious behavior by repeatedly taking advantage of the bug.
Once the bug was discovered, rapid communication, coordination, and execution allowed the network validators to halt the chain within 12 minutes and prevent any further funds from being lost. It is very impressive that the validators were able to come together and perform an emergency shutdown this rapidly. I wish something similar would have been possible for the Terra collapse.
It is concerning that the bug made it through to production, which may signify a deficiency in the Osmosis team’s upgrade testing. I suspect this could have been exacerbated by the extremely last-minute push to make Osmocon happen on June 9th. I hope they learn from this, but am happy that things appear to have ended well, and Osmocon was a huge success.
The community was in a kerfuffle over the whole situation and I was impressed with the way that the Osmosis team handled it. They communicated a great deal of information in a timely manner, gave us the facts when they had them, and acknowledged when they didn’t (while they were investigating).
Our perception of the Osmosis core team was strong prior to this, and remains so after. Our perception of the validator set is greatly increased.
Kudos to EmperorOsmo (of Hathor Node) for providing an amazing analysis and for their transparent work, which was posted to GitHub with the code required to trace malicious activity.
One of the exploiters was in fact a validator. The validator admitted wrongdoing and, in the wake of backlash and community feedback, will be resigning as a validator from the network. Great to see justice served and (virtually) instant karma.
The Osmosis validator set is indeed a fantastic, talented, and inspiring group of people and will remain so for the foreseeable future. I could see this group growing strongly in the future.
All in all, our overall perception of the strength of Osmosis is increased, and we haven’t even covered Osmocon 2022 yet.
First Annual Osmocon(ference) - June 9th, 2022
The first ever Osmocon took place yesterday, June 9th, in Austin, TX (preceding the much larger Consensus conference this weekend there as well). Here are some highlights:
Security was a big focus. Enhanced security will be coming to Osmosis soon:
Planning to overhaul development and security pipelines
Code review process will be improved and include more parties (where do we sign up??)
WosmNFT’s were featured and discussed, and it looks like there may be some type of gamification element that will be introduced based on the screenshot and comments from Dogemos: (“use Osmosis, unlock badges and [NFT] items”)
Cross-chain Composability following inter-blockchain communication (IBC).
Composability is a system design concept that sounds like Legos: there are standard blocks or components that can stand alone or be built together into something greater than the sum of their parts.
Andromeda is bringing no-code options to create composable apps. Very cool indeed!
Bridges. Cosmos is great because the whole idea is to have many chains that can communicate with each other (via IBC). Bridges will connect the already-interconnected Cosmos to non-Tendermint based chains. Axelar is already doing this with Ethereum and Bitcoin.
Sounds and looks like fun; I hope to be there next year as I’m sure it will be even bigger and planned with more lead time. Video of the event will be shared on the Osmosis Discord in the near future.
Upcoming Cryptocurrency and Web3 Events
With Osmocon just completed, we head into one of the biggest DeFi conferences in the world this weekend, Consensus 2022! We’ll be covering some highlights on this next week.
The European Blockchain Convention takes place June 26-28, 2022 in Barcelona, Spain. I love Barcelona, and would consider attending just to get a chance to go back. The focus will be obviously on crypto and defi, but also blockchain for the entertainment and healthcare industries, as well as Web3 and Sustainability (environment, social causes, etc.)
Defcon 6, err… I mean DevCon VI, will take place in Bogota, Colombia likely in September or October (dates haven’t been set, only “later this year”). This is an Ethereum-based event focusing on decentralization and all things Ethereum.
Cosmoverse!!! The legendary Cosmoverse Conference will take place this year in Medellin, Colombia from September 27-28, 2022. Last year’s was in Lisbon, Portugal and was a huge success. Crypto in Latin America seems to be getting spicy!
What I’m Looking At
Stargaze NFT Marketplace
I’ve been seeing a lot of really interesting and cool looking Stargaze NFT’s. Most of them have a space or futuristic theme, which is right up our alley. Stargaze has also introduced an NFT by collection page where you get to track the floor price (minimum entry amount) for each collection. The Women from Cosmos pfp’s are starting at ~$1,000 - $2,800 each. Just head over to Stargaze’s Twitter profile, scroll, and feast your eyes on some on display.
Central Bank Digital Currency Assessment
The Federal Reserve recently released a report on Central Bank Digital Currencies (CBDC’s). It’s an interesting discussion in competition and digital payments. The full paper can be read here.
OnJuno Metal “Paycheck” Card*
Ledger recently partnered up with OnJuno to enable customers to receive their paycheck in crypto. I signed up for an OnJuno account and made my first direct deposit, earning $100 in the process as a sign-up bonus. OnJuno offers metal debit cards where you can choose to get paid in USDC, and earn 10% back on up to 10 brands you choose (you can change them too). Here are the brands that I chose to get 10% back at:
*OnJuno has no relation to the JUNO crypto/token.
You can also choose to get paid a certain % of your paycheck in Bitcoin or Ethereum (and a few others), which is a great way to DCA into these two. The companies also say you can easily transfer the crypto holdings to your Ledger after you connect the wallet address (Disclaimer: I haven’t tried this yet).
The metal cards start shipping on June 15th, and are only available in the US.
They will also pay you 6% in annual interest on your USDC holdings, and 3% annually on Bitcoin and Ethereum, not bad!
You can also link a bank account and cash out your crypto instantly if you like.
Anyone reading this can also take advantage of the $100 bonus offer as long as you set up a direct deposit of more than $250 from your paycheck and follow my referral link (for which I’d receive another bonus as well). You can then sign up your friends and family and earn more bonuses 🤑
Osmosis Merchandise
I’ve seen the items on display from OsmoCon already, so no getting them out of my head now. I’d love an Osmosis tee, and am looking forward to getting my own. The Marketing branch of Osmosis (aka “Ministry of Marketing”) said that the merch store is coming soon, so it will definitely be on our radar.
Outro
Well, this has been quite a week. Exponentially more so, I’m sure, for those closely involved in the Osmosis chain’s development, validators, the core team, and anyone who attended Osmocon. Heck, they’re probably still at it!
There are some crazy conspiracy theories swirling out there that the network halt was all part of some divine plan to bring the focus to the conference. While the theory is comical, I highly doubt it, although coincidences have a funny way of turning out to be serendipitous in the end.
Cheers,
Mike Broudy, ACS and StakeSchool.com founder