DeFi protocol Conic Finance revealed that it had suffered an exploit, with the attacker draining over 1700 ETH worth $3.6 million from one of its Omnipools.
Conic Finance is a liquidity pool balancing platform for the decentralized finance protocol Curve.
Details Of The Hack
According to security firm BlockSec, the attack’s root cause was price manipulation caused by “read-only reentrancy.” Reentrancy is a common class of smart-contract bug in which an attacker’s contract calls back into the targeted protocol before an earlier call has finished, letting the attacker repeat operations and steal its assets; in the read-only variant, the attacker does not write to the protocol’s state but has a view function, such as a price lookup, read while the pool’s state is only partly updated. A call is a request by one smart contract to interact with another contract or a user’s wallet address. Web3 risk-alert source Beosin stated that a single transaction sent nearly the entire stolen amount to a new Ethereum address. Conic Finance reached out to users, tweeting that they were investigating the exploit and would share updates soon.
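The mechanism described above, as an added illustration that is not code from Conic Finance, Curve, or any of the firms quoted: a toy two-asset pool whose `remove_liquidity` hands control to the recipient on the ETH leg before the LP tokens are burned, a view-style `get_virtual_price()` that is readable during that window, and two oracles. The naive oracle trusts the view as-is; the hardened one first invokes a function guarded by the pool’s reentrancy lock (here a no-op `withdraw_admin_fees()`) so that a mid-operation read reverts instead of returning a skewed number. The ordering inside `remove_liquidity` is a simplification chosen for the demo, and all names and numbers are constructed.

```python
"""Toy model of read-only reentrancy against a Curve-style LP-token oracle.

Constructed example (not Conic's or Curve's code): the point is that a price
view can be consulted while the pool is mid-operation, and that probing the
pool's reentrancy lock before trusting the view detects that window.
"""


class PoolLocked(Exception):
    """Raised when a lock-guarded function is entered while the lock is held."""


class ToyCurvePool:
    """Two-asset pool (ETH + one token); virtual price = pool value / LP supply.

    The ETH leg of remove_liquidity calls out to the recipient before the
    second balance and the LP supply are updated, which is the reentrant
    window.  The ordering is simplified for illustration.
    """

    def __init__(self, eth: float, token: float, lp_supply: float):
        self.balances = [eth, token]
        self.lp_supply = lp_supply
        self.locked = False

    def get_virtual_price(self) -> float:
        # View function: not guarded by the lock, so it is readable mid-operation.
        return sum(self.balances) / self.lp_supply

    def withdraw_admin_fees(self) -> None:
        # Lock-guarded no-op: fails if the pool is in the middle of an operation.
        if self.locked:
            raise PoolLocked("pool is mid-operation")

    def remove_liquidity(self, lp_amount: float, recipient) -> list:
        if self.locked:
            raise PoolLocked("reentrant call")
        self.locked = True
        try:
            share = lp_amount / self.lp_supply
            amounts = [b * share for b in self.balances]
            self.balances[0] -= amounts[0]
            # External call: the recipient's code runs here, while state is partial.
            recipient.receive_eth(amounts[0], self)
            self.balances[1] -= amounts[1]
            self.lp_supply -= lp_amount
        finally:
            self.locked = False
        return amounts


def naive_lp_price(pool: ToyCurvePool) -> float:
    """Oracle that trusts the view function unconditionally."""
    return pool.get_virtual_price()


def hardened_lp_price(pool: ToyCurvePool) -> float:
    """Oracle that first touches a lock-guarded function; a mid-operation read
    raises PoolLocked instead of returning a number."""
    pool.withdraw_admin_fees()
    return pool.get_virtual_price()


class ReadingProbe:
    """Recipient whose ETH callback records what each oracle reports mid-operation
    (a monitoring harness for the demo; it changes no pool state)."""

    def __init__(self):
        self.naive_reading = None
        self.hardened_reverted = False

    def receive_eth(self, amount: float, pool: ToyCurvePool) -> None:
        self.naive_reading = naive_lp_price(pool)
        try:
            hardened_lp_price(pool)
        except PoolLocked:
            self.hardened_reverted = True


def run_demo() -> dict:
    """Withdraw half the LP supply and compare oracle readings before, during
    and after the operation.  Constructed numbers: 100 ETH, 100 token, 200 LP."""
    pool = ToyCurvePool(eth=100.0, token=100.0, lp_supply=200.0)
    before = naive_lp_price(pool)
    probe = ReadingProbe()
    pool.remove_liquidity(100.0, probe)
    after = naive_lp_price(pool)
    return {
        "before": before,                      # 1.0
        "during_naive": probe.naive_reading,   # 0.75: ETH debited, LP not yet burned
        "during_hardened_reverted": probe.hardened_reverted,  # True
        "after": after,                        # 1.0 once the operation completes
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The consistent value is 1.0 both before and after the withdrawal; only the read taken inside the callback is skewed, and only the naive oracle returns it. A protocol pricing LP tokens should therefore either avoid reading pool views from code paths reachable during a callback, or make the read fail closed as the hardened oracle does.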
“We are currently investigating an exploit involving the ETH Omnipool and will share updates as soon as they are available.”
Security firm PeckShield also analyzed the attack, tracing the root cause to the protocol’s new CurveLPOracleV2 contract. The firm tweeted,
“Hi, @ConicFinance. Based on the initial analysis from the malicious tx, our initial analysis shows the root cause comes from the new CurveLPOracleV2 contract. FWIW, our audit identifies a similar read-only reentrancy issue. However, the same issue is introduced in the newly introduced CurveLPOracleV2 contract, which was not part of the audit scope.”
Curve has also been following up with Conic Finance, stating that the primary issue had been identified and only the ETH Omnipool was impacted.
“If you have funds on @ConicFinance please remove! There seems to be an attack, which though doesn't drain all in one go”
Conic later tweeted a detailed version of events, stating that they had been alerted to an exploit impacting the $crvUSD Omnipool and adding that they had taken all possible safety measures to limit the attack.
“Roughly four hours ago, we were alerted of an exploit affecting the $crvUSD Omnipool. In response to this and given today’s ETH exploit, we immediately enforced maximum safety measures and temporarily shut down all Omnipools.”
DeFi Hacks A Major Problem
The decentralized finance ecosystem has been plagued by a series of high-profile hacks impacting several major projects. A report by Web3 portfolio application De.Fi highlighted the scale of the problem. The report stated that DeFi hacks and scams resulted in attackers stealing over $200 million in the second quarter of 2023 alone. However, losses to DeFi hacks were smaller in Q2 than in Q1 of 2023, with CertiK reporting that protocols lost over $320 million between January and March.
Conic Finance had only recently gone live, allowing users to deposit tokens into its Omnipools. Omnipools let users diversify their exposure across the Curve ecosystem while also increasing rewards. After going live, Conic Finance attracted millions of dollars in capital, highlighting the huge demand for such a product. Conic’s Omnipools work by allocating the liquidity of a single asset across multiple Curve pools. The resulting Curve liquidity provider (LP) tokens are staked on Convex, boosting CRV rewards.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.