- Conic Finance has been the victim of a $3 million hack.
- The re-entrancy attack is a twist on the $60 million exploit that felled The DAO in 2016.
A hacker stole more than $3 million from DeFi protocol Conic Finance on Friday, with a new twist on a common smart-contract vulnerability.
Several hours later, it suffered a second, $300,000 exploit unrelated to the first.
The vulnerability exploited in the first hack was introduced in one of Conic’s newest smart contracts, according to Conic auditor PeckShield.
PeckShield said the smart contract was outside the scope of its audit.
“This is a typical re-entrancy attack,” Matthew Jiang, director of security services at Blocksec, told DL News.
Re-entrancy attacks have been behind some of the largest hacks in DeFi history, including the $60 million exploit that felled The DAO in 2016.
But Friday’s hacker employed a relatively new twist on the old exploit, according to Nikita Kirilov, a researcher at blockchain security firm Pessimistic.
“For the last couple of years, as a web3 community, we have become more mature regarding security, and simple re-entrancy mistakes rarely happen,” he told DL News.
“Read-only re-entrancy is a bit different. It usually appears in big protocols which involve a lot of contracts and a lot of states that are dependent on one another.”
Finding those vulnerabilities “might be extremely difficult,” he added, “simply because there are many details to check manually.”
Re-entrancy attacks remain hard to stamp out, Jiang said, because of the complex interactions between the many contracts that make up a DeFi protocol.
“Meanwhile, some DeFi protocols are developed and launched relatively quickly, due to rapidly changing markets, which means that some protocols may not undergo the same level of rigorous testing and auditing.”
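The following is an added illustration of the bug class the researchers describe, written for this article; it is not Conic’s, Curve’s or any auditor’s code. It assumes a deliberately simplified ETH-plus-token pool (names, the 1:1 valuation of the two assets, and the bookkeeping-only token side are all assumptions made for the example). The pool’s own re-entrancy lock correctly blocks re-entry into its state-changing functions, which is why a “simple” re-entrancy is impossible here. The problem is in the read path: removeLiquidity reduces the ETH accounting, sends ETH (handing control to the caller), and only then reduces the token accounting and the LP supply, so the view getVirtualPrice returns a number computed from half-updated state during the callback. With the numbers in the comments (10 ETH and 10 tokens deposited for 20 LP, then 10 LP withdrawn), the view reports 0.75e18 instead of 1e18 in the callback, and any vault or lending market that prices LP tokens from it at that moment mis-values them by 25 percent. The hardened variant makes the view itself revert while the lock is held.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical pool for illustration only (not Curve's or Conic's code).
// Both assets are valued 1:1, so LP value = (ethBalance + tokenBalance) / totalSupply.
contract Pool {
    uint256 public totalSupply;            // LP tokens outstanding
    uint256 public ethBalance;             // pool-side accounting of ETH held
    uint256 public tokenBalance;           // pool-side accounting of the second asset (number only)
    mapping(address => uint256) public lpOf;
    bool internal locked;                  // re-entrancy lock for state-changing entry points
    bool public immutable viewChecksLock;  // true selects the hardened view

    constructor(bool hardened) { viewChecksLock = hardened; }

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Mints 1 LP per unit of value deposited (simplified on purpose).
    function addLiquidity(uint256 tokens) external payable nonReentrant {
        uint256 minted = msg.value + tokens;
        ethBalance += msg.value;
        tokenBalance += tokens;
        totalSupply += minted;
        lpOf[msg.sender] += minted;
    }

    // The view other protocols read to price LP tokens. The hardened variant refuses
    // to answer while a state-changing function is in progress.
    function getVirtualPrice() public view returns (uint256) {
        if (viewChecksLock) require(!locked, "reentrant view");
        if (totalSupply == 0) return 1e18;
        return ((ethBalance + tokenBalance) * 1e18) / totalSupply;
    }

    // Vulnerable ordering: ethBalance is reduced, ETH is sent (caller gets control),
    // and only afterwards are tokenBalance and totalSupply reduced. The lock stops
    // re-entry into addLiquidity/removeLiquidity but not into the view above.
    function removeLiquidity(uint256 lp) external nonReentrant {
        require(lpOf[msg.sender] >= lp, "insufficient lp");
        uint256 ethOut = (ethBalance * lp) / totalSupply;
        uint256 tokOut = (tokenBalance * lp) / totalSupply;
        ethBalance -= ethOut;
        (bool ok, ) = msg.sender.call{value: ethOut}(""); // re-entry point
        require(ok, "eth transfer failed");
        tokenBalance -= tokOut;
        totalSupply -= lp;
        lpOf[msg.sender] -= lp;
    }
}

// Contract that reads the price from inside the ETH callback. A real attacker would
// instead call a vault or lending market here so that it reads the wrong price.
contract Reader {
    Pool public pool;
    uint256 public priceDuringCallback; // 0.75e18 against the vulnerable pool
    bool public viewReverted;           // true against the hardened pool

    constructor(Pool p) { pool = p; }

    // Worked numbers: deposit{value: 10 ether}(10 ether) -> 20e18 LP, price 1e18.
    function deposit(uint256 tokens) external payable {
        pool.addLiquidity{value: msg.value}(tokens);
    }

    // withdraw(10 ether): ethBalance drops to 5 before the callback, while
    // tokenBalance (10) and totalSupply (20) are still the old values.
    function withdraw(uint256 lp) external {
        pool.removeLiquidity(lp);
    }

    receive() external payable {
        try pool.getVirtualPrice() returns (uint256 p) {
            priceDuringCallback = p; // (5 + 10) * 1e18 / 20 = 0.75e18, not 1e18
        } catch {
            viewReverted = true;     // hardened pool: read refused mid-transaction
        }
    }
}
```

Two mitigations follow from the code. The pool-side one is shown: the view checks the same lock the state-changing functions take, so a caller re-entering from the callback gets a revert instead of a stale number. The consumer-side one, for integrators who cannot change the pool, is to call a lock-protected, state-changing function on the pool (for instance a zero-amount withdrawal) immediately before reading the view; if the pool is mid-transaction that call reverts and the consumer never sees the inconsistent state. Note that the inconsistency here only exists between the first state write and the external call, which is why reviewers have to trace every view against the exact write ordering of every function that can hand control to a caller.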
Conic allows users who provide liquidity in Curve, a decentralised stablecoin exchange, to diversify their exposure to Curve’s token pools.
The first exploit only affected the protocol’s ether omnipool, according to the protocol, and an update patched the vulnerability several hours after the hack.
The ether omnipool was recently launched, according to Curve, and had only $3 million in liquidity early Friday.
Several hours after the first hack, however, Conic was forced to freeze deposits across all omnipools. Curve urged its followers on Twitter to withdraw assets deposited to Conic, writing, “there [seems] to be an attack.”
Users took heed. The total value of crypto deposited in Conic plunged Friday, from more than $150 million to about $75 million.
Curve founder Michael Egorov told DL News it was not immediately clear whether both exploits took advantage of the same vulnerability.
Cybercriminals have stolen over $527 million from DeFi protocols this year, according to DefiLlama.
Ransomware gangs are on track to steal almost $900 million in crypto in 2023, making it the second worst year for ransomware crime ever, according to a recent Chainalysis report.
Update, July 21: The story has been updated to include information about a subsequent hack and drop in Conic TVL.
Aleks Gilbert covers decentralised finance for DL News. Have a tip on Ethereum security? Contact the author at aleks@dlnews.com.