Conic Finance, a liquidity pool balancing platform for the decentralized finance (DeFi) protocol Curve, has suffered an exploit on the Ethereum omnipool.
Conic Finance was exploited for $3.26 million in Ether (ETH), the Web3 risk-alert source Beosin Alert reported on July 21. Nearly the entire amount of stolen cryptocurrency was sent to a new Ethereum address in just one transaction, according to data provided by Beosin.
Conic Finance was quick to confirm the news on Twitter, stating that the platform is currently investigating the exploit and will share updates as soon as they are available.
According to initial analysis provided by blockchain security firm Peckshield, the root cause came from the new CurveLPOracleV2 contract.
“Our audit identifies a similar read-only reentrancy issue. However, the same issue is introduced in the newly introduced CurveLPOracleV2 contract, which was not part of the audit scope,” Peckshield wrote.
About an hour after the initial report on the attack, Conic Finance also said it disabled ETH Omnipool deposits on the Conic front end.
“Followed with Conic on this one. Issue was identified, only ETH omnipool is affected there,” Curve Finance subsequently wrote.
DeFi hacks are not new to the industry. According to a report by Web3 portfolio app De.Fi, DeFi hacks and scams allowed hackers to steal more than $204 million in the second quarter of 2023 alone. The losses from DeFi hacks and scams were actually smaller in Q2 than in Q1, though, with CertiK reporting that over $320 million was lost from January to March.