Conic Finance, a platform for balancing liquidity pools for the Curve decentralized finance protocol, has been the victim of an Ethereum omnipool exploit.
According to the Web3 risk-alert site Beosin Alert, Conic Finance was taken advantage of for $3.26 million in Ether (ETH $1,889) on July 21. Beosin’s research shows that almost all of the stolen Bitcoin was transferred to a fresh Ethereum address in a single transaction.
Conic Finance quickly responded to the story on Twitter by confirming it and noting that the platform is looking into the issue and would post updates as soon as they become available.
Initial research conducted by blockchain security company Peckshield indicates that the new CurveLPOracleV2 contract was the primary culprit. Peckshield wrote:
“Our audit identifies a similar read-only reentrancy issue. However, the same issue is introduced in the newly introduced CurveLPOracleV2 contract, which was not part of the audit scope,”
Conic Finance also claimed it had stopped ETH Omnipool deposits on the Conic front end one hour after the initial notification of the hack.“Followed with Conic on this one. Issue was identified, only ETH omnipool is affected there,” Curve Finance subsequently wrote.
DeFi hacks and frauds allowed thieves to steal more than $204 million in the second quarter of 2023 alone, according to research from Web3 portfolio app De.Fi.
Despite this, DeFi breaches and scams caused losses in Q2 that were lower than those in Q1—CertiK reported that over $320 million was lost between January and March.
