December 5, 2023

DeFi protocol Conic Finance revealed that it was attacked, with attackers stealing more than 1,700 ETH worth $3.6 million from one of its Omnipools.

Conic Finance is a liquidity pool balancing platform for the decentralized finance protocol Curve.

Details of the hack

According to security firm BlockSec, the root cause of the attack was price manipulation due to “read-only reentrancy.” Reentrancy is a common bug that allows an attacker to exploit a smart contract by tricking it into repeatedly calling the target protocol and stealing its assets. A call is an authorization for a smart contract to interact with a user’s wallet address. Web3 Risk Alert source Beosin said a single transaction sent the nearly stolen amount to a new ethereum address. Conic Finance contacted the user, tweeting that they are investigating the bug and will share an update soon.

“We are currently investigating a vulnerability involving ETH Omnipool and will share an update as soon as it becomes available.”

Security firm PeckShield also analyzed the attack, revealing that the root cause stems from the protocol’s new CurveLPOracleV2 contract. The company tweeted,

“Hi @ConicFinance. Based on our initial analysis of the malicious transaction, our initial analysis showed that the root cause came from the new CurveLPOracleV2 contract. FWIW, our audit found a similar read-only reentrancy issue. However, the same issue occurred in the newly launched CurveLPOracleV2 contract, which was not part of the scope of the audit.”

curve Conic Finance has also been following up, saying that the main problem has been identified and only ETH Omnipool is affected.

“If you have funds on @ConicFinance please delete! Seems like there was an attack but it wasn’t drained all at once”

cone A detailed version of the incident was later tweeted, stating that they were alerted of a breach affecting the $crvUSD Omnipool, adding that they had taken all possible security measures to limit the attack.

“About four hours ago we were alerted to an exploit affecting the $crvUSD Omnipool. In response to this, and in light of today’s ETH vulnerability, we immediately implemented maximum security measures and temporarily shut down all Omnipools.”

DeFi cracks a major problem

The decentralized finance ecosystem has been plagued by a series of problems high profile hacking Affects multiple major projects. A report by Web3 portfolio app De.Fi underscores the magnitude of the problem. In the second quarter of 2023 alone, DeFi hacks and scams resulted in attackers stealing more than $200 million, the report said. However, compared to the first quarter of 2023, the losses caused by DeFi hacks in the second quarter were smaller, with CertiK reporting more than $320 million in protocol losses between January and March.

Conic Finance just recently went live, allowing users to deposit tokens into their Omnipools. Omnipools allow users to diversify their investments in various fields curve Ecosystem and increase rewards. Once launched, Conic Finance was able to attract millions of dollars in funding, underscoring the huge demand for such products. Conic’s Omnipools work by distributing a single asset’s liquidity across multiple Curve pools. Curve Liquidity Provider (LP) tokens are staked on Convex, boosting CRV rewards.

Disclaimer: This article is for informational purposes only. It does not provide or be intended to be used as legal, tax, investment, financial or other advice.