On Friday, Conic Finance, a decentralized finance (DeFi) protocol, announced that it had fallen victim to an exploit, enabling an attacker to seize more than 1,700 ether (ETH). At current market prices, the stolen amount is valued at over $3.6 million. The attack specifically targeted one of its Omnipools.
According to security firm BlockSec, the root cause of the attack was price manipulation through 'read-only reentrancy.' Reentrancy is a prevalent vulnerability that enables attackers to deceive smart contracts by making repeated calls to a protocol, ultimately resulting in asset theft. Each call acts as authorization for the smart contract address to interact with a user's wallet address.
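A toy Python model of the read-only reentrancy pattern named above, added here as an illustration: it is not Conic's or Curve's code, and the `Pool` class, its update ordering and all numbers are constructed assumptions. It shows a lock-free view function reporting a distorted price while a withdrawal is half-finished, next to a guarded view that refuses to answer until the state is consistent again.

```python
class ReentrantRead(Exception):
    """Raised when a price is requested while pool state is mid-update."""


class Pool:
    # Constructed model of a liquidity pool; not any real protocol's contract.
    def __init__(self, eth, lp_supply):
        self.eth = eth              # ETH held by the pool
        self.lp_supply = lp_supply  # LP tokens outstanding
        self.locked = False         # lock taken by state-changing calls

    def lp_price(self):
        """View function: ETH backing per LP token. Checks no lock."""
        return self.eth / self.lp_supply

    def lp_price_guarded(self):
        """Same view, but rejects reads while a withdrawal is in flight."""
        if self.locked:
            raise ReentrantRead("pool state is mid-update")
        return self.lp_price()

    def remove_liquidity(self, lp_amount, on_receive):
        if self.locked:
            raise ReentrantRead("state-changing call re-entered")
        self.locked = True
        payout = lp_amount * self.eth / self.lp_supply
        self.lp_supply -= lp_amount  # supply is updated first...
        on_receive(payout)           # ...control passes to the recipient...
        self.eth -= payout           # ...and the balance only afterwards
        self.locked = False
        return payout


def observe(read):
    """Record the price a consumer sees before, during and after a withdrawal."""
    pool = Pool(eth=100.0, lp_supply=100.0)  # constructed sample state
    seen = {"before": read(pool)}

    def callback(_payout):
        # A dependent protocol asking for the price at this moment
        # sees supply already reduced but the balance not yet reduced.
        try:
            seen["during"] = read(pool)
        except ReentrantRead:
            seen["during"] = "rejected"

    pool.remove_liquidity(50.0, callback)
    seen["after"] = read(pool)
    return seen
```

The lock already stops a second `remove_liquidity` call; the gap is that the plain view never consults it, which is why consumers of such a price need the guarded read or an equivalent check.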
Conic Finance, launched on March 1st, introduces an innovative feature called Omnipools, empowering users to deposit tokens and gain diversified exposure within the Curve ecosystem. This groundbreaking product not only enhances rewards but also proved incredibly popular, drawing in millions of dollars in capital shortly after its launch. The overwhelming response underscores the massive demand for this type of financial solution.
Each Omnipool distributes the liquidity of a single asset across various Curve pools. All Curve liquidity provider (LP) tokens are then staked on Convex to enhance the earnings from Curve (CRV) rewards. Additionally, Convex (CVX), another token within the Curve ecosystem, receives rewards, along with Conic (CNC), the native token of Conic.
In the meantime, developers at Conic Finance have taken to Twitter to inform the community that they are actively investigating the core reason behind the exploit and engaging in consultations with relevant stakeholders.
The developers stated that they successfully shut down the problematic pool, which seemingly facilitated the hack. "We have disabled ETH Omnipool deposits on the Conic front end," they announced.