Explained: The Conic Finance Hack (July 2023)


Rob Behnke

July 25th, 2023

Conic Finance is a liquidity pool balancing platform for Curve Finance. In July 2023, the protocol experienced an attack in which the exploiter stole an estimated $3.26 million.

Inside the Attack

The attack against Conic Finance exploited a read-only reentrancy vulnerability. The vulnerability existed in the CurveLPOracleV2 contract, which had been recently deployed.

By exploiting the vulnerability, the attacker was able to manipulate the perceived price of assets in the project’s Ether pool. This allowed the attacker to drain approximately $3.26 million from the ETH Omnipool.
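To make the bug class concrete, the following added example (a constructed Python model, not Conic's or Curve's code) shows why a price read through a view function can be wrong while a withdrawal is in progress, and how an oracle that refuses to answer while the pool's reentrancy lock is held avoids it. The names ToyPool, naive_oracle and guarded_oracle, the order of the state updates, and the readable `locked` flag are assumptions of the model.

```python
class ToyPool:
    """Constructed model of a liquidity pool with a reentrancy lock."""

    def __init__(self, balance, supply):
        self.balance = balance   # underlying assets held by the pool
        self.supply = supply     # LP tokens outstanding
        self.locked = False      # lock taken by state-changing calls only

    def virtual_price(self):
        # View function: it takes no lock, so it can run mid-withdrawal.
        return self.balance / self.supply

    def remove_liquidity(self, lp_amount, on_receive):
        if self.locked:
            raise RuntimeError("reentrant call")
        self.locked = True
        try:
            payout = self.balance * lp_amount / self.supply
            self.supply -= lp_amount   # step 1: LP tokens are burned
            on_receive(payout)         # external call: recipient code runs here
            self.balance -= payout     # step 2: balance is updated afterwards
        finally:
            self.locked = False
        return payout


def naive_oracle(pool):
    # Trusts the view function unconditionally.
    return pool.virtual_price()


def guarded_oracle(pool):
    # Rejects reads while the pool is between step 1 and step 2.
    if pool.locked:
        raise RuntimeError("pool is mid-operation; price rejected")
    return pool.virtual_price()


def observe_during_withdrawal(pool, oracle, lp_amount):
    """Return what `oracle` reports from inside the payout callback."""
    seen = {}

    def callback(_payout):
        try:
            seen["price"] = oracle(pool)
        except RuntimeError as exc:
            seen["error"] = str(exc)

    pool.remove_liquidity(lp_amount, callback)
    return seen
```

The lock stops a second state-changing call but not the read, which is why the defence belongs in the oracle that consumes the price.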

Lessons Learned from the Attack

Read-only reentrancy vulnerabilities have become common in recent months. This attack was especially painful because an identical vulnerability was discovered in a different smart contract during a previous audit of Conic Finance’s contracts. However, the exploited contract was outside the scope of that audit, and the project team did not apply the lessons learned in the audit to other contracts before launch.

Major DeFi hacks are a regular occurrence, and many can be prevented by a comprehensive audit of all smart contracts before launch. To learn more about securing your smart contracts, contact us.