DeFi platform Conic Finance’s Omnipool contract exploited for $3.2M in ETH

Conic Finance, a prominent decentralized finance (DeFi) protocol known for its liquidity pool balancing service on the Ethereum network, fell victim to a sophisticated exploit that resulted in the loss of approximately $3.2 million worth of ETH. The incident was brought to light by Beosin Alert, a Web3 risk-alert source, on July 21. Nearly the entire stolen sum was rapidly transferred in a single transaction to a previously unknown Ethereum address, and the incident raised concerns about the security of the platform.

Conic Finance promptly confirmed the hack on its official Twitter account and assured its community that a thorough investigation was underway. The platform pledged to keep users informed of any developments as soon as they became available.

According to the initial analysis conducted by PeckShield, a reputable blockchain security firm, the root cause of the breach was traced back to the newly implemented CurveLPOracleV2 contract. This contract was found to contain a read-only reentrancy vulnerability, a class of bug in which a view function is read while the contract it reports on is in the middle of a call and its state is temporarily inconsistent. The contract had not been included in the scope of the prior security audit.

Shortly after news of the exploit surfaced, Conic Finance disabled ETH Omnipool deposits on its frontend, preventing further deposits and potential damage. Curve Finance, the DeFi protocol linked to Conic Finance, collaborated with the affected platform to address the issue and confirmed that the exploit specifically impacted the ETH Omnipool.

The incident has once again shed light on the persistent vulnerability of DeFi platforms to hacking attempts. A recent report by De.Fi, a Web3 portfolio app, found that DeFi-related hacks and scams amounted to over $204 million in losses during the second quarter of 2023 alone. The losses in Q2 were nevertheless lower than those of the previous quarter: CertiK, a blockchain security firm, reported that the first quarter of 2023 saw losses surpassing $320 million.

The Conic Finance hack highlights the critical importance of rigorous security audits and continuous vigilance within the DeFi ecosystem. As the industry continues to evolve and attract more users and assets, robust security measures and best practices are imperative to safeguarding user funds and preserving trust in the rapidly expanding DeFi landscape.