This article is more than nine months old

Conic on its $4m loss in hacks: We ‘don’t blame the auditors’

Conic on its $4m loss in hacks: We ‘don’t blame the auditors’
In a pair of exploits Friday, hackers exploits Conic's ether and crvUSD "omnipools" for a combined $4 million.
  • Conic Finance has suffered two hacks where cybercriminals stole $4 million, causing its total value locked to plunge by $100 million.
  • While auditor PeckShield said one of the exploits wasn’t part of its audit, Conic disputed that statement in a post-mortem of the hacks.

Crypto deposited in Conic Finance has fallen by over $100 million after the DeFi protocol lost $4 million in two hacks on Friday.

On the eve of the heists, users had deposited over $150 million worth of crypto in the protocol. On Monday, the total value locked — the amount of investor deposits — in the protocol had fallen to less than $45 million.

Conic Finance total value locked

Conic’s auditor PeckShield quickly attributed the initial $3 million exploit to a vulnerability in a recently released smart contract that, it said, was outside the scope of the audit it published in February.

But Conic disputed that analysis in a post-mortem published over the weekend.

The smart contract PeckShield had flagged was not the source of the exploit, according to Conic.

Instead, the protocol’s built-in protection against the exploit had failed to kick in because its developers had made a “wrong assumption” when integrating it with the Curve stablecoin exchange, Conic’s pseudonymous core contributor bb8 told DL News.

That vulnerability was within the scope of PeckShield’s audit, bb8 said. Nevertheless, “we don’t blame the auditors for the issues that allowed these exploits to happen,” they said.

Conic is a liquidity pool-balancing platform for DeFi protocol Curve.

Join the community to get our latest stories and updates

NOW READ: Conic Finance suffers $3m exploit in twist to ‘typical re-entrancy attack’

It allows users who provide liquidity in Curve to diversify their exposure to the exchange’s token pools via so-called omnipools.

Users deposit tokens to omnipools, which then programmatically allocate those tokens across different Curve pools.

Due to an integration issue with the Ether omnipool, in the first exploit, the hacker was able to manipulate the price of a token and trick the omnipool into minting more tokens than it should for their deposits.

“They were able to run this attack in a loop, depositing and withdrawing at a positive exchange rate to drain funds from the omnipool,” Conic said in its post-mortem.

Sandwich attack

Several hours later, another attacker executed a series of so-called sandwich attacks on the crvUSD omnipool. crvUSD is Curve’s new stablecoin, launched in May.

During a sandwich attack, a so-called MEV bot will front-run another person’s pending transaction in the same block, by getting the block validator to order their transactions such that the bot buys an asset lower before the pending transactions and then — after the pending transaction is completed and the asset in question appreciates — sells it higher for a profit, all in the same block.

By manipulating the exchange rate on Curve of two dollar-pegged stablecoins, crvUSD and USDC, the attacker was able to withdraw more crvUSD from Conic than they had deposited, according to bb8.

The attacker deposited about $600,000 in crvUSD and withdrew about $900,000, netting a $300,000 profit.

NOW READ: Wintermute hacker turns $160m heist into top liquidity position on Curve Finance

According to the post-mortem, a mechanism meant to prevent any interaction with imbalanced Curve pools was not “tight enough.”

Nevertheless, it prevented the attacker from instantly draining the crvUSD pool, which allowed Conic to “drastically limit losses,” bb8 said.

Conic developers immediately paused deposits to all of the protocol’s omnipools — cutting off the digital larcenist’s ability to continue looping their exploit — but have kept withdrawals open.

Recovery roadmap

Conic said it will publish a recovery roadmap “in the coming days” but declined to share details with DL News.

In the meantime, the team, which consists of five core developers and several contributing “community developers,” is attempting to negotiate with the hackers.

NOW READ: How hackers turn stolen crypto into cash

MEV bots were able to arbitrage the imbalance caused by the second exploit, and unwittingly stole money from Conic, according to bb8.

One MEV bot owner returned 90% of the money taken — about $150,000 worth of Ether — and kept the remaining 10% as a whitehat bounty, according to a message Conic embedded in a transaction with another hacker.

bb8 said the support from Conic and Curve users in the wake of the hacks was “hard to fathom.”

“I’ve always held an optimistic view on DeFi and I’d be lying if I said what happened didn’t test that,” they said. “However, experiencing the communities’ response has, if anything, reminded me that we can beat the cancer of DeFi exploits if we all continue to work together.”

Correction: This article has been corrected to say that an MEV bot owner kept 10% of ether taken from Conic Finance.

If you have a tip about the Conic hack or another story, please email me at