Kevin @Berrey | Sunny @sunnya97
WorkerBee @WorkerBee_3 - Support Lab
tl;dr
—post-exploit: team is instituting much more thorough pre-upgrade testing/QA procedures
-all funds are being restored (in exact tokens) to those affected: roughly $3.5m returned by exploiters, $2m from Osmosis Foundation
—Osmosis Support is live, 24/7 support!!
—OSMOCON: went very well, lots of buzz around the Osmosis ecosystem
-videos coming soon
What was the bug?
-every time you added liquidity to a pool, it gave you 50% more LP shares than you were supposed to get
-this was due to how we were calculating how many shares to give to people
-when providing 2 assets, they will not necessarily be at exactly the pool ratio, so there were some necessary recalculations to bring it in line; this recalc was off
-there were lots of people who accidentally got a bit too much
-some exploiters noticed and cycled the process: join, get too much, leave, join again, etc.
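The kind of check that catches this class of bug, as an added example (not Osmosis code and not the actual v9 logic): a join-then-exit round trip must never return more than was deposited. The toy pool, the share functions and all numbers are constructed for illustration; overMintingShares reproduces only the symptom described above.

```go
package main

import "fmt"

// Pool is a toy two-asset pool (constructed for illustration, not Osmosis code).
type Pool struct{ A, B, Shares int64 }

// ShareFn decides how many LP shares a deposit of (a, b) mints.
type ShareFn func(p Pool, a, b int64) int64

// proportionalShares mints pro rata to the smaller deposit ratio; in this toy
// model any excess over the pool ratio simply stays in the pool.
func proportionalShares(p Pool, a, b int64) int64 {
	sa, sb := a*p.Shares/p.A, b*p.Shares/p.B
	if sa < sb {
		return sa
	}
	return sb
}

// overMintingShares mimics only the reported symptom: 50% too many shares.
func overMintingShares(p Pool, a, b int64) int64 {
	return proportionalShares(p, a, b) * 3 / 2
}

// RoundTrip joins with (a, b), then exits all minted shares at once.
func RoundTrip(p Pool, a, b int64, mint ShareFn) (outA, outB int64) {
	s := mint(p, a, b)
	p.A, p.B, p.Shares = p.A+a, p.B+b, p.Shares+s
	return s * p.A / p.Shares, s * p.B / p.Shares
}

// CheckNoFreeValue asserts that join-then-exit never returns more than was deposited.
func CheckNoFreeValue(p Pool, mint ShareFn) error {
	for _, d := range [][2]int64{{10, 20}, {10, 25}, {500, 1000}, {7, 3}} {
		if outA, outB := RoundTrip(p, d[0], d[1], mint); outA > d[0] || outB > d[1] {
			return fmt.Errorf("deposit %v returned (%d, %d)", d, outA, outB)
		}
	}
	return nil
}

func main() {
	pool := Pool{A: 1000, B: 2000, Shares: 1000000} // constructed starting state
	fmt.Println("proportional:", CheckNoFreeValue(pool, proportionalShares))
	fmt.Println("over-minting:", CheckNoFreeValue(pool, overMintingShares))
}
```

The invariant is independent of how shares are computed, so it keeps holding as a regression test when the join logic is refactored.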
K: What was happening while Osmosis was down?
-the bug was pretty simple: it should have been caught during testing
-so we are revamping our testing/QA processes
-during the v9 upgrade, we changed the AMM module heavily
-so we wrote lots of tests for the aspects that were being upgraded
-but not for simpler things
-in the rush to get things out pre-Osmocon, we skipped connecting the front-end to the testnet, and therefore didn’t do proper end-to-end testing
—found and patched bug quickly
-lots of time spent on looking for other bugs
-writing more and more tests
-also, this was the first time we emergency stopped (vs. an upgrade proposal or a halt height): had to make sure that the validators were able to restart properly
-chain was down Tuesday night to Sunday morning
-also during that time was Osmocon, which took some time
K: will we be able to see the Osmocon presentations?
K: enjoyed the reference to Devcon 2
S: yeah, those were the famous Shanghai attacks (based on opcodes that were cheaper than they should have been, allowing some DDoS attacks)
K: so we’re going to have new protocols for future upgrades?
S: yeah, v9 was too rushed — the AMM refactor wasn’t even the main event of the upgrade (TokenFactory and Interchain Accounts)
-so we need to upgrade our processes
-we’ll have a better playbook: longer testnet time, enable front-end for community; we did a post-bug code walkthrough, so next time we’ll do that ahead of time with the validators (or anyone who wants to participate)
$5.5m stolen from LPs – about 5 actors knowingly/repeatedly abusing the bug – consecutive join, exit, join, exit
Largest: 3.5m, 1.5m, then lower from there
–every exploiter but one has contacted to return or returned (15k)
–largest exploiter, some returned, 300k ATOMs sold through Sifchain and had like two-thirds slippage – turned 3m into 1m, so that money is gone
–that shortfall will be covered by the foundation, 2.5m
WorkerBee: Osmosis Support is live!
-just click the widget for support (no scammers—unlike social media)
-there are Support Videos, as well — from a CEX to Osmosis
-there are written articles/FAQs
-Support Lab info
—we’ve been getting 1-2 users/hr. so far with no big announcement of the launch (and into the teeth of this crypto winter)
Osmocon:
—not giving a big, all-inclusive update
—wait for the videos! soon — will be on the Osmosis YouTube
K: favorite presentation?
S: hmm…John Patten’s WosmoNFTs (@osmosisnfts) presentation was cool — why it’s important, tying them into identity systems
-Mars Protocol demos were cool
-Dora cross-chain Explorer presentation was cool
-lots of others!