Conic Finance, a promising Layer 1 blockchain known for its “Play to Own” principle, has been hit by two severe attacks that have shaken the decentralized finance (DeFi) community. The first exploit drained $3.3 million from the ETH pool, and the second attack forced the team to close down all the pools. As in the past, both attacks exploited the read-only reentrancy vulnerability plaguing the DeFi space.
The initial hack targeted the CurveLPOracleV2 contract, allowing the attacker to manipulate token prices and withdraw more funds than deposited. An audit had identified the vulnerability, but a new oracle contract reintroduced the bug. Though 90% of the profits from the second attack were returned the following day (81 ETH), over 1700 ETH remains at the frontrunner’s address.
In a postmortem, Conic’s developers clarified that the contract had reentrancy protection, but it did not automatically activate due to a mix-up between the addresses for ETH and WETH.
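A simplified Python model of the failure described above, added here as an illustration and not taken from Conic’s contracts or postmortem: the oracle’s reentrancy check runs only for pools it recognises as holding ETH, so a pool that lists WETH slips past it. The pool mechanics, the function names, the direction of the mix-up and the `0xTOKEN` placeholder are assumptions.

```python
# Simplified model, constructed for illustration; all names are assumptions.
ETH = "0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE"   # conventional native-ETH placeholder
WETH = "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2"  # mainnet WETH token
TOKEN = "0xTOKEN"                                    # constructed placeholder

class ReentrancyDetected(Exception):
    pass

class Pool:
    """Toy pool whose read-only price view is inconsistent mid-withdrawal."""
    def __init__(self, coins):
        self.coins, self.locked = coins, False
        self.balance, self.lp_supply = 1000.0, 1000.0

    def virtual_price(self):
        # Read-only view: it does not check the lock itself.
        return self.balance / self.lp_supply

    def remove_liquidity(self, lp_amount, on_receive):
        self.locked = True
        self.lp_supply -= lp_amount   # LP tokens burned first
        on_receive()                  # native ETH sent: control passes to the caller
        self.balance -= lp_amount     # balance caught up only afterwards
        self.locked = False

def oracle_price(pool, eth_like):
    """Refuse to price a locked pool, but only if the pool is seen as an ETH pool."""
    if pool.locked and any(c in eth_like for c in pool.coins):
        raise ReentrancyDetected("pool is mid-call; price is not trustworthy")
    return pool.virtual_price()

def price_during_withdrawal(eth_like):
    """Return (price read inside the callback, price after the call settles)."""
    pool = Pool([WETH, TOKEN])        # the pool reports WETH, not the placeholder
    seen = []
    def on_receive():
        try:
            seen.append(oracle_price(pool, eth_like))
        except ReentrancyDetected:
            seen.append(None)         # guard fired: no price is handed out
    pool.remove_liquidity(500.0, on_receive)
    return seen[0], pool.virtual_price()

if __name__ == "__main__":
    print("guard keyed on ETH only:", price_during_withdrawal({ETH}))
    print("guard covers ETH + WETH:", price_during_withdrawal({ETH, WETH}))
```

With the guard keyed on the ETH placeholder alone, the callback reads a price of 2.0 while the settled price is 1.0; once WETH is also covered, the guard fires and no mid-call price is returned.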
The second attack, a sandwich attack against imbalanced pools, tarnished Conic Finance’s reputation, albeit with less damage than the first. The attacker made a $50 profit from the exchange of crvUSD to USDC, which resulted in an approximately $934,000 loss and a $300,000 profit for Conic.
The impact of these attacks extended beyond Conic, as the wider DeFi ecosystem felt the repercussions. The team provided safe havens to farmers in addition to warning them of the dangers.
DeFi experts considered Conic Finance a strong contender for CVX/Yearn next cycle before the attacks. CNC’s price, however, plummeted from around $6 to only $1.72 after the second attack. While it has since recovered to around $2.75, it remains below half of its worth before the hack.
As Conic navigates the aftermath of these attacks, the DeFi community emphasizes the importance of bolstering security measures and conducting thorough audits to protect user funds and maintain trust in the ecosystem. The incidents are stark reminders that the DeFi space is not immune to risks and vulnerabilities, highlighting the need for continuous vigilance and collaborative efforts to ensure a safer and more sustainable environment for all participants.