DeFi Protocol Conic Finance Hacked, Loses $3.2 Million Worth of ETH
Conic Finance, a protocol offering diversified exposure to liquidity pools on Curve, has been hit hard by two recent exploits, resulting in a significant loss of deposits.
Conic Finance, a DeFi protocol, has experienced a severe blow as it suffered two separate exploits last week, leading to the loss of two-thirds of its deposits.
The incidents, which occurred on July 21, came to light in a post-mortem report on July 23, revealing a total loss of $4.1 million.
"We feel devastated by this situation and will do everything in our power to recover the stolen funds," the team said.
This series of events has severely shaken investor confidence in the platform, causing the total value locked in Conic to plummet by 72%, going from $157 million to $43 million in a short span.
The native token of the platform, CNC, has also faced a steep decline of 57% over the same period.
In response to the security breaches, Conic Finance has temporarily disabled new deposits.
The team is working to address all security concerns before allowing capital inflows.
Meanwhile, users can still make withdrawals, and existing liquidity providers continue to receive their usual yield.
The incident serves as a stark reminder of the risks involved in DeFi farming, particularly for those seeking higher yields.
While protocols like Conic may offer boosted rewards compared to established ones like Curve Finance, the added yield comes with greater smart contract complexity, exposing them to potential attack vectors that hackers can exploit.
Conic's unique Omnipools spread users' deposits across multiple Curve pools and stake the corresponding LP tokens on Convex Finance, yielding additional rewards.
This setup allows users to earn rewards in the form of Curve's CRV, Convex's CVX, and Conic's CNC tokens, along with trading fees on Curve.
The platform, which launched in March, attracted significant attention due to its innovative approach.
The first attack on Conic targeted its ETH Omnipool using a reentrancy attack.
In a reentrancy attack, the attacker repeatedly calls back into a function of the smart contract before an earlier call has finished, exploiting its logic to drain funds and manipulate data.
By manipulating the price of the rETH Curve LP token, the attacker managed to mint more cncETH LP tokens than their rETH collateral should have allowed.
This attack led to a substantial loss of $3.2 million for Conic.
Despite having safeguards in place to protect against reentrancy attacks, the exploit managed to take advantage of a false technical assumption regarding Curve v2 pools in the platform's code.
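The following is an added illustration, not code from Conic, Curve, or the post-mortem: a simplified Python model of the class of issue described above, in which an LP token price read while a pool withdrawal is half-finished is inflated, so a vault mints more shares than the collateral supports. All class names, the `locked` flag, and the numbers are constructed assumptions; the second run shows a vault that refuses to price against a pool that is mid-call.

```python
# Simplified, constructed model. Not Curve's or Conic's code; all names are hypothetical.
class ToyPool:
    """Two-asset pool that pays out the first asset via a callback mid-withdrawal."""
    def __init__(self, eth, token, lp_supply):
        self.eth, self.token, self.lp_supply = eth, token, lp_supply
        self.locked = False  # reentrancy lock: True while state is inconsistent

    def lp_price(self):
        # Value of one LP token; both assets are priced at 1 unit for simplicity.
        return (self.eth + self.token) / self.lp_supply

    def remove_liquidity(self, lp_amount, on_receive):
        share = lp_amount / self.lp_supply
        eth_out, token_out = self.eth * share, self.token * share
        self.locked = True
        self.lp_supply -= lp_amount   # LP tokens are burned first
        self.eth -= eth_out
        on_receive(eth_out)           # external call: token balance not yet reduced
        self.token -= token_out       # state is consistent again only from here
        self.locked = False


class Vault:
    """Mints shares against LP tokens, valued with the pool's own price."""
    def __init__(self, pool, check_lock):
        self.pool, self.check_lock = pool, check_lock

    def shares_for(self, lp_amount):
        if self.check_lock and self.pool.locked:
            raise RuntimeError("pool is mid-call; price is not trustworthy")
        return lp_amount * self.pool.lp_price()


def price_seen_during_callback(check_lock):
    """Value 100 LP tokens during a withdrawal callback and again afterwards."""
    pool = ToyPool(eth=1000.0, token=1000.0, lp_supply=2000.0)
    vault = Vault(pool, check_lock)
    seen = {}

    def on_receive(_eth):
        try:
            seen["shares"] = vault.shares_for(100.0)
        except RuntimeError as exc:
            seen["error"] = str(exc)

    pool.remove_liquidity(1000.0, on_receive)
    seen["after"] = vault.shares_for(100.0)
    return seen
```

With `check_lock=False` the vault values the same 100 LP tokens 50% higher during the callback than after the withdrawal completes; with `check_lock=True` the mid-call read is rejected.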
Shortly after the first attack, Conic was alerted to suspicious transactions affecting its crvUSD Omnipool.
In response, the team took swift action, shutting down all of its Omnipools.
This second exploit involved a complex sandwich attack, resulting in a total loss of approximately $934,000, with the attacker making around $300,000 in profits.