Conic Finance, a liquidity pool balancing platform for the decentralized finance (DeFi) protocol Curve, has suffered an exploit on the Ethereum omnipool.
Conic Finance has been exploited for $3.26 million in Ether (ETH), the Web3 risk-alert source Beosin Alert reported on July 21. Nearly the entire amount of stolen cryptocurrency was sent to a new Ethereum address in just one transaction, according to data provided by Beosin.
Transactions on the address involving a flashloan exploit on Coin ETH Pool. Source: Etherscan
Conic Finance was quick to confirm the news on Twitter, stating that the platform is currently investigating the exploit and will share updates as soon as they are available.
According to the initial analysis provided by the blockchain security firm Peckshield, the root cause came from the new CurveLPOracleV2 contract.
“Our audit identifies a similar read-only reentrancy issue. However, the same issue is introduced in the newly introduced CurveLPOracleV2 contract, which was not part of the audit scope,” Peckshield wrote.
In about an hour after the initial report on the attack, Conic Finance also reported that the platform disabled ETH Omnipool deposits on the Conic front end.
Related: DeFi protocol Arcadia Finance hacked on Ethereum and Optimism for $455K
“Followed with Conic on this one. Issue was identified, only ETH omnipool is affected there,” Curve Finance subsequently wrote.
DeFi hacks are not something new to the industry. According to a report by Web3 portfolio app De.Fi, DeFi hacks and scams allowed hackers to steal more than $204 million in the second quarter of 2023 alone. The losses from DeFi hacks and scams were actually smaller in Q2 than in Q1 though, with CertiK reporting that over $320 million was lost from January to March.
Magazine: Hall of Flame: Wolf Of All Streets worries about a world where Bitcoin hits