DeFi protocol Conic Finance reported a loss of 1,700 ETH, worth over $3.2 million. Blockchain security firm BlockSec has traced the incident to an unidentified hacker who exploited a reentrancy vulnerability early this morning.
Conic immediately notified its users via Twitter, confirming the exploit involving its ETH Omnipool, which launched on July 10. Only ETH pools were affected.
We are currently investigating an exploit involving ETH Omnipool and will share updates as they become available.
— Conic Finance (@ConicFinance) July 21, 2023
Conic Finance, known for distributing funds across liquidity pools on Curve’s decentralized exchange, was hit by a two-pronged attack that combined the reentrancy vulnerability with manipulation of a price oracle.
In this case, the attacker took out a flash loan of 20,000 ETH and directed it at Conic’s price oracle, which facilitated the exploit. The vulnerability was used in conjunction with manipulation of Conic’s price oracle, which derives its data from a read-only third-party smart contract.
Greetings @ConicFinance Based on initial analysis from malicious tx, our initial analysis indicates that the root cause comes from the new CurveLPOracleV2 contract. https://t.co/JmunQImiE5
FWIW, our audit identifies a similar read-only reentry issue. However, the same issue is… https://t.co/lTgYq4Xp49 pic.twitter.com/bXXC7y1OCL
— PeckShield Inc. (@peckshield) July 21, 2023
In a tweet, Conic updated its community: “Update: – We are continuing to investigate the root cause of the exploit and are consulting with the relevant parties. – We have disabled ETH Omnipool deposits on the Conic front end.”