DeFi protocol Conic Finance reported a loss of 1,700 ETH, valued at over $3.2 million. Blockchain security firm BlockSec traced this incident to an unidentified hacker exploiting a reentrancy vulnerability early this morning.
Conic quickly alerted its userbase via Twitter, confirming that the exploit involved the ETH Omnipool, launched on July 10, and affected only ETH pools.
We are currently investigating an exploit involving ETH Omnipool and will share updates as they become available.
— Conic Finance (@ConicFinance) July 21, 2023
Conic Finance, known for allocating funds through the decentralized exchange Curve using liquidity pools, fell victim to a two-pronged attack that combined a vulnerability with manipulation of a price oracle.
In this case, the attacker took out a flash loan of 20,000 staked ETH and directed it at Conic’s price oracle to facilitate the attack. The vulnerability was used in conjunction with a manipulation of Conic’s price oracle, which obtains its data from a read-only third-party smart contract.
Hi @ConicFinance Based on the initial analysis of the malicious tx, our initial analysis shows that the root cause is from the new CurveLPOracleV2 contract.
FWIW, our audit identifies a similar read-only reentrancy issue. However, the same problem is… pic.twitter.com/bXXC7y1OCL
— PeckShield Inc. (@peckshield) July 21, 2023
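A toy model of the bug class named in the PeckShield tweet, read-only reentrancy, as an added example that is not from the article, Conic, or Curve: the `Pool` class, both oracle functions and all numbers are constructed assumptions. It shows a view-function price read in the middle of a withdrawal, next to an oracle that refuses to price while the pool is mid-call.

```python
# Toy model (constructed): read-only reentrancy against a price oracle.
# Not Conic's or Curve's code; every name and number here is hypothetical.

class Pool:
    """Third-party pool whose price getter is a read-only (view) function."""
    def __init__(self, eth, lp_supply):
        self.eth, self.lp_supply, self.locked = eth, lp_supply, False

    def virtual_price(self):
        # View function: takes no lock, so it can be read mid-withdrawal.
        return self.eth / self.lp_supply

    def remove_liquidity(self, lp_amount, on_receive):
        assert not self.locked, "reentrant call"   # guards writes only
        self.locked = True
        payout = lp_amount * self.eth / self.lp_supply
        self.lp_supply -= lp_amount   # LP tokens burned first
        on_receive()                  # ETH transfer runs the receiver's code
        self.eth -= payout            # balance is updated only afterwards
        self.locked = False
        return payout

def naive_oracle(pool):
    # Trusts the view function unconditionally.
    return pool.virtual_price()

def guarded_oracle(pool):
    # Mitigation: refuse to price while the pool is mid-operation.
    # (On-chain the lock is usually not readable; a common approach is to
    # call a lock-protected pool function so the read reverts mid-call.)
    if pool.locked:
        raise RuntimeError("pool is mid-call; price is not trustworthy")
    return pool.virtual_price()

def price_seen_during_withdrawal(oracle):
    """Withdraw half the pool and record what the oracle reports."""
    pool = Pool(eth=1000.0, lp_supply=1000.0)
    seen = {}
    def receiver():                   # code that runs inside the ETH transfer
        try:
            seen["price"] = oracle(pool)
        except RuntimeError as exc:
            seen["error"] = str(exc)
    pool.remove_liquidity(500.0, receiver)
    seen["after"] = oracle(pool)
    return seen

if __name__ == "__main__":
    print("naive  :", price_seen_during_withdrawal(naive_oracle))
    print("guarded:", price_seen_during_withdrawal(guarded_oracle))
```

In this model the naive oracle reports double the true price inside the callback, because supply has been reduced but the balance has not; the guarded oracle rejects that read and returns the correct price once the withdrawal completes.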
In a tweet, Conic updated its community: “Update: – We are continuing to investigate the root cause of the exploit and are consulting with affected parties. – We have disabled ETH Omnipool repositories on the Conic front-end.