The decentralized finance (DeFi) protocol Conic Finance has lost more than $3.2 million worth of Ether (ETH) in two separate hacking incidents in recent days.
The first attack, which happened on Friday last week, was described by the Conic Finance team as a “re-entrancy attack” that exploited a vulnerability in Curve V2 pools, earning the attacker 1,700 ETH tokens.
“A fix to the affected contract is being deployed,” the team wrote.
The team went on to assure the community that the exploit “cannot be done again” for the same Omnipool, and said that “no other Conic Omnipools are affected by this issue.”
2/ The exploit cannot be done again for the ETH Omnipool.
- Withdrawals are safe
- No other Conic Omnipools are affected by this issue
- A more detailed post mortem will be published soon
We will continue to share updates.
— Conic Finance (@ConicFinance) July 21, 2023
Second attack
A few hours later, however, the team again reported that they had suffered an exploit, this time draining approximately $300,000 worth of tokens from the crvUSD Omnipool.
“In response to this and given today’s ETH exploit, we immediately enforced maximum safety measures and temporarily shutdown all Omnipools,” a new tweet from Conic Finance said.
The team stressed that the second attack was “unrelated to the ETH Omnipool’s re-entrancy exploit.”
2/ This second attack was unrelated to the ETH Omnipool’s re-entrancy exploit.
The attacker was able to realize a profit of approximately $300k by exploiting the crvUSD Omnipool.
We will share more updates as we continue to investigate.
— Conic Finance (@ConicFinance) July 21, 2023
“Extremely difficult” two days
In a post-mortem update published after the two attacks, the Conic Finance team admitted that the past two days have been “extremely difficult.”
“We feel devastated by this situation and will do everything in our power to recover the stolen funds,” the team said.
The post-mortem update appeared to place part of the blame for both of the attacks on Curve, saying about the second incident that interaction with “imbalanced Curve pools” caused the vulnerability.
Curve is a decentralized exchange (DEX) for stablecoins that uses the automated market maker (AMM) model to manage liquidity.
“While we did have some mechanism in place to ensure we did not interact with imbalanced Curve pools, the bounds that we had set were not tight enough and allowed the attacker to slowly drain funds from the pool,” the team wrote.
Despite this, the update also said that Curve’s team members “deserve recognition for their massive help and support.”
Conic Finance is a relatively new DeFi project, and the protocol’s token, CNC, is for now only listed on MEXC and CoinEx in addition to a few decentralized exchanges.
As of press time on Monday, the CNC token was down by 45% over the past 7 days, data from CoinGecko showed.