

Conic Finance loses over $3 million in exploit



Conic Finance has acknowledged the security breach of its ETH Omnipool. In a recent Twitter update, the protocol informed users about the incident and assured that a thorough investigation is underway.

In the exploit, approximately 1700 ETH worth around $3.3 million was stolen. According to the protocol, the attack only affected the ETH Omnipools. Conic Finance responded swiftly by disabling ETH Omnipool deposits on its frontend.

Within hours of discovering the exploit, the protocol determined that the root cause was a re-entrancy attack resulting from an incorrect assumption about the address returned by the Curve Meta Registry for ETH in Curve V2 pools.

Specifically, Conic queried the Curve Meta Registry to check whether reentrancy protection was necessary. Because the registry returned the WETH address instead of ETH, this check inadvertently disabled ETH reentrancy protection.
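
The incorrect assumption described above, as a simplified Python model added here (not Conic's or Curve's contract code). The function names, the `pool_mid_callback` flag and the sample registry responses are constructed; the two constants are the placeholder address conventionally used for native ETH and the mainnet WETH address.

```python
# Simplified model of the guard decision; an assumption, not Conic's contract code.
ETH_SENTINEL = "0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE"  # placeholder for native ETH
WETH = "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2"          # mainnet WETH
OTHER_TOKEN = "0x" + "11" * 20                                # constructed address

# Constructed registry responses: the same kind of ETH pool, reported two ways.
COINS_AS_ETH = [ETH_SENTINEL, OTHER_TOKEN]
COINS_AS_WETH = [WETH, OTHER_TOKEN]
COINS_NO_ETH = [OTHER_TOKEN, "0x" + "22" * 20]


def needs_guard_naive(coins):
    """Incorrect assumption: ETH always appears as the sentinel address."""
    return any(c.lower() == ETH_SENTINEL.lower() for c in coins)


def needs_guard_hardened(coins):
    """Treat both representations of ETH as requiring the reentrancy check."""
    eth_like = {ETH_SENTINEL.lower(), WETH.lower()}
    return any(c.lower() in eth_like for c in coins)


def read_price(coins, pool_mid_callback, needs_guard):
    """Hypothetical oracle read: refuse while the pool is in the middle of a call."""
    if needs_guard(coins) and pool_mid_callback:
        raise RuntimeError("reentrant read rejected")
    return "price served"


def unguarded_pools(registry):
    """Audit helper: pools where the naive check skips a guard the hardened one applies."""
    return [name for name, coins in registry.items()
            if needs_guard_hardened(coins) and not needs_guard_naive(coins)]


if __name__ == "__main__":
    registry = {"pool-a": COINS_AS_ETH, "pool-b": COINS_AS_WETH, "pool-c": COINS_NO_ETH}
    print(unguarded_pools(registry))
    print(read_price(COINS_AS_WETH, True, needs_guard_naive))
    try:
        read_price(COINS_AS_WETH, True, needs_guard_hardened)
    except RuntimeError as exc:
        print(exc)
```

A stricter design applies the reentrancy check unconditionally instead of deriving it from registry output.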

Moreover, Peckshield, a blockchain security and analysis firm, stated that the root cause was in the new CurveLPOracleV2 contract. Referring to their audit, the firm added that it “shows a similar read-only reentrancy issue. However, the same issue is introduced in the newly introduced CurveLPOracleV2 contract, which was not part of the audit scope.”

Conic Finance assured users it has deployed a fix to the affected contract, adding that “the exploit cannot be done again for the ETH Omnipool.” Conic Finance also said that withdrawals are safe.

Furthermore, Conic reached out to the exploiter via a transaction sent from the official Conic Multisig address. The protocol warns that any other transactions claiming to recover funds on behalf of Conic are fraudulent.

Before the Conic Finance exploit, the protocol had a reason to celebrate: the ETH Omnipool surpassed $1 million in Total Value Locked (TVL).

According to an H1 2023 report by Peckshield, the total value of laundered stolen crypto funds amounted to $244.5 million. Notably, around 31,350 $ETH and 39,000 $BNB of the stolen funds were laundered using TornadoCash. However, compared to H1 2022, there was a significant decrease of 91% and 31.3% respectively.
