According to an analysis of the attack by security firm BlockSec, the cause was "read-only reentrancy," which led to price manipulation.
Conic Finance, a decentralized finance (DeFi) protocol that commenced its operations on March 1, is known for its innovative product, Omnipools, which allows users to deposit tokens and diversify their exposure across the Curve ecosystem while increasing rewards.
Conic Finance's innovative approach involved allocating the liquidity of a single asset into various Curve pools within its Omnipools. To further incentivize participation, all Curve liquidity provider (LP) tokens were staked on Convex, enhancing the earnings in Curve (CRV) rewards. The Convex (CNX) token, an integral part of the Curve ecosystem, also received rewards, alongside Conic Finance's native token, Conic (CNC).
The feature attracted substantial attention from users, leading to a surge of investment with millions of dollars pouring into the platform, signaling a substantial demand for this type of product within the DeFi space.
However, on Friday, Conic Finance disclosed announced on Twitter that the platform had been exploited and that their team was currently investigating.
The DeFi Protocol took further measures after the initial report, stating that the platform made the decision to disable ETH Omnipool deposits on its front end.
The Exploit
The hack dealt a severe blow to Conic Finance, resulting in an attacker making off with over 1,700 ether (ETH), equivalent to more than $3.6 million based on current market values. The attack specifically targeted one of its Omnipools, where the attacker managed to exploit a vulnerability related to price manipulation, as identified by the security firm BlockSec.
This vulnerability, known as "read-only reentrancy," allowed the attacker to deceive the smart contract by repeatedly calling the protocol, ultimately enabling them to siphon off the assets.
Reentrancy is a common bug used by attackers to trick smart contracts into performing unintended actions, effectively granting unauthorized access to users' wallet addresses.
According to another initial analysis conducted by blockchain security firm Peckshield, the issue stemmed from the new CurveLPOracleV2 contract, which was not initially part of the audit scope.
In the exploit, the attacker employed a flash loan of 20,000 staked ETH as part of their strategy. This flash loan was utilized to manipulate Conic's price oracle, which draws its data from an external third-party read-only smart contract. By redirecting the flash loan towards the price oracle, the attacker was able to manipulate the oracle's data, creating an opportunity to execute the exploit.
Exploits are not new to DeFi, with the the decentralized space continually grappling with a persistent issue of hacks and scams. In July alone, there were 2 other noteworthy exploits with Multichain’s $130M exploit and Poly Network’s PolyBridge exploit happening just a few days apart.
Recent data from Web3 portfolio app De.Fi reveals that during the second quarter of 2023, DeFi hacks and scams resulted in the theft of more than $204 million. This alarming figure highlights the ongoing vulnerabilities and security challenges faced by the DeFi industry. Interestingly, while the losses from DeFi hacks and scams in Q2 were substantial, they were relatively smaller compared to the preceding quarter. According to a report by CertiK, the first quarter of 2023 saw a staggering $320 million lost to DeFi hacks and scams.