This article is more than one year old

Conic Finance suffers $3m exploit in twist to ‘typical re-entrancy attack’

Conic Finance suffers $3m exploit in twist to ‘typical re-entrancy attack’
DeFi
Conic Finance released a new smart contract that contained a vulnerability someone exploited for more than $3 million Friday.
  • Conic Finance has been the victim of a $3 million hack.
  • The re-entrancy attack is similar to the $60 million exploit that fell The DAO in 2016.

A hacker stole more than $3 million from DeFi protocol Conic Finance on Friday, with a new twist on a common smart-contract vulnerability.

Several hours later, it suffered a second, $300,000 exploit unrelated to the first.

The vulnerability exploited in the first hack was introduced in one of Conic’s newest smart contracts, according to Conic auditor PeckShield.

PeckShield said the smart contract was outside the scope of its audit.

“This is a typical re-entrancy attack,” Matthew Jiang, director of security services at Blocksec, told DL News.

Re-entrancy attacks have been behind some of the largest hacks in DeFi history, including the $60 million exploit that felled The DAO in 2016.

NOW READ: A 20-year-old Argentinian behind the $200m Euler hack says he’s now in a Paris jail

But Friday’s hacker employed a relatively new twist on the old exploit, according to Nikita Kirilov, a researcher at blockchain security firm Pessimistic.

Join the community to get our latest stories and updates

“For the last couple of years, as a web3 community, we have become more mature regarding security, and simple re-entrancy mistakes rarely happen,” he told DL News.

“Read-only re-entrancy is a bit different. It usually appears in big protocols which involve a lot of contracts and a lot of states that are dependent on one another.”Finding those vulnerabilities “might be extremely difficult,” he added, “simply because there are many details to check manually.”

That has made re-entrancy attacks hard to stamp out, according to Jiang, due to the complex interactions between multiple contracts within DeFi protocols.

“Meanwhile, some DeFi protocols are developed and launched relatively quickly, due to rapidly changing markets, which means that some protocols may not undergo the same level of rigorous testing and auditing.”

NOW READ: DeFi whitehats spotted a bug that risked $5.2m. They were offered a $500 bounty

Conic allows users who provide liquidity in Curve, a decentralised stablecoin exchange, to diversify their exposure to Curve’s token pools.

Total value locked on Conic Finance dropped from about $150 million to $110 million after an exploit Friday.

The first exploit only affected the protocol’s ether omnipool, according to the protocol, and an update patched the vulnerability several hours after the hack.

The ether omnipool was recently launched, according to Curve, and had only $3 million in liquidity early Friday.

Several hours after the first hack, however, Conic was forced to freeze deposits across all omnipools. Curve urged its followers on Twitter to withdraw assets deposited to Conic, writing, “there [seems] to be an attack.”

Users took heed. The total value of crypto deposited in Conic plunged Friday, from more than $150 million to about $75 million.

Egorov told DL News it was not immediately clear whether both exploits took advantage of the same vulnerability.

Cybercriminals have stolen over $527 million from different DeFi entities this year, according to DefiLlama.

Cybercriminals have stolen over $527 million from different DeFi entities this year, according to DefiLlama.

Ransomware gangs are on track to steal almost $900 million in crypto in 2023, making it the second worst year for ransomware crime ever, according to a recent Chainalysis report.

Update, July 21: The story has been updated to include information about a subsequent hack and drop in Conic TVL.

Aleks Gilbert covers decentralised finance for DL News. Have a tip on Ethereum security? Contact the author at aleks@dlnews.com.