Conic Finance DeFi Protocol Hacked, Losing 1,700 ETH


Conic Finance, a liquidity pool platform for the Curve protocol, was attacked on July 21, resulting in the loss of 1,700 ETH.
Conic Finance Omnipool Platform Hacked
According to security experts at BlockSec, the DeFi protocol Conic Finance was attacked by an unidentified hacker on the evening of July 21, 2023, resulting in the loss of approximately 1,700 ETH (over $3.2 million).
The root cause is the price manipulation caused by the read-only reentrancy. @ConicFinance https://t.co/xoLgtpvJYP pic.twitter.com/AbmpckTOIz
— BlockSec (@BlockSecTeam) July 21, 2023
The hacker exploited a reentrancy vulnerability, repeatedly issuing withdrawal commands before the oracle could correctly update balances. This allowed the hacker to manipulate the platform’s pricing system (oracle) and successfully withdraw 1,700 ETH, equivalent to over $3.2 million.
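The read-only reentrancy pattern named above, as an added example that is not from the original article, BlockSec, PeckShield or Conic: a simplified Python model in which a pool's view function is read during the external call inside a withdrawal, with an unguarded and a guarded oracle side by side. `ToyPool`, `NaiveOracle`, `GuardedOracle` and all numbers are hypothetical, and the model does not reproduce the CurveLPOracleV2 contract or the actual transaction.

```python
# Simplified model of read-only reentrancy (constructed; not Curve's or Conic's code).
class ToyPool:
    """Hypothetical ETH pool whose withdraw() makes an external call mid-update."""
    def __init__(self, eth_balance, lp_supply):
        self.eth_balance = eth_balance
        self.lp_supply = lp_supply
        self.locked = False  # reentrancy lock, held while state is changing

    def price_per_share(self):
        # View function: takes no lock, so it is readable while state is inconsistent.
        return self.eth_balance / self.lp_supply

    def withdraw(self, shares, on_receive):
        if self.locked:
            raise RuntimeError("reentrant call")
        self.locked = True
        amount = self.eth_balance * shares / self.lp_supply
        self.lp_supply -= shares      # shares burned first
        on_receive(amount)            # external call hands control to the recipient
        self.eth_balance -= amount    # balance updated only afterwards
        self.locked = False

class NaiveOracle:
    def __init__(self, pool):
        self.pool = pool
    def price(self):
        return self.pool.price_per_share()

class GuardedOracle(NaiveOracle):
    def price(self):
        # Assumption: the lock state is observable. Refuse to quote mid-update.
        if self.pool.locked:
            raise RuntimeError("pool is mid-update; price not trustworthy")
        return self.pool.price_per_share()

def observe_during_withdraw(oracle_cls):
    """Return (price before, price read inside the callback, price after)."""
    pool = ToyPool(eth_balance=1000.0, lp_supply=1000.0)  # constructed values
    oracle = oracle_cls(pool)
    seen = {}
    def on_receive(_amount):
        try:
            seen["mid"] = oracle.price()
        except RuntimeError as exc:
            seen["mid"] = str(exc)
    before = oracle.price()
    pool.withdraw(500.0, on_receive)
    return before, seen["mid"], oracle.price()
```

The write path is protected by the lock, yet the unguarded oracle still reads a doubled price inside the callback because the view function never consults that lock; the guarded oracle rejects the read instead.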
Nearly all the stolen cryptocurrency was transferred to a new Ethereum address in a single transaction, according to data provided by BlockSec.

Transaction details of the hacker's wallet in the Conic Finance hack.
Source: Etherscan
Blockchain security firm PeckShield traced the root cause of the exploit to the new CurveLPOracleV2 contract.
Hi @ConicFinance Based on the initial analysis from the malicious tx, our initial analysis shows the root cause comes from the new CurveLPOracleV2 contract. https://t.co/JmunQImiE5
FWIW, our audit identifies a similar read-only reentrancy issue. However, the same issue is… https://t.co/lTgYq4Xp49 pic.twitter.com/bXXC7y1OCL
— PeckShield Inc. (@peckshield) July 21, 2023
Conic Finance quickly confirmed the news on Twitter, stating that the platform is continuing to investigate the incident and has disabled deposits into the ETH Omnipool on Conic’s user interface.
Update:
- We are continuing to investigate the root cause of the exploit and are consulting with relevant parties.
- We have disabled ETH Omnipool deposits on the Conic front end. https://t.co/Oln0zh2nCs
— Conic Finance (@ConicFinance) July 21, 2023
Conic Finance is a DeFi protocol designed to allocate funds into the decentralized exchange Curve using the liquidity pools it operates.
Sturdy Finance Also Attacked via Oracle Exploit a Month Earlier
In the DeFi sector, oracles play a crucial role as they provide real-time price data. However, oracles are also a potential target for hackers to exploit vulnerabilities.
On June 12, 2023, the lending platform Sturdy Finance was compromised by hackers who took control of its oracle system, manipulated the prices, and successfully siphoned off $800,000. The hacker managed to deceive the oracle into displaying incorrect asset prices, in this case for stETH in the B-stETH-STABLE pool, and ultimately withdrew the funds from the platform.
Following the hack, Sturdy Finance announced a $100,000 bounty for the hacker if they returned the stolen ETH.
Frequent DeFi protocol hacks are nothing new in the crypto market. Despite reports suggesting a decline in such incidents compared to previous years, the community continues to witness several exploits.
Most recently, in early July 2023, the Multichain bridge was suspected of being hacked when security firm PeckShield discovered $130 million in cryptocurrency being moved off the platform.