July 21, 2023: Conic Finance Hacked 🌌💥
1724 ETH drained in flashloan targeting reentrancy vulnerability
Sad news from our frens at Conic Finance. Their recently launched ETH omnipool got hacked, leading to $3MM worth of ETH getting drained in short order.
It started about four hours ago, when a flashloan exploit was detected.
The team jumped quickly to make announcements and investigate. As a precaution, they swiftly disabled deposits.
Fortunately the ETH omnipool was only recently launched and didn’t have much liquidity relative to Conic’s other omnipools. The $crvUSD omnipool, for instance, had accumulated $53MM in a few short weeks. The ETH omnipool looked promising, but it was only about $3MM in liquidity at the time.
Still, with everything so unclear, a lot of liquidity fled in the moment. Understandable, just in case anything else went wrong, but with gas-intensive contracts involved, pulling out is a costly step for LPs to take.
Traders pummeled the $CNC token accordingly.
Fortunately, it was confirmed that the issue was isolated to Conic’s ETH omnipool, limiting any possible contagion to the rest of the protocol.
The team worked quickly to communicate the issue and deploy a fix.
The root of the issue is that the Conic Finance contract queried the Curve meta-registry for the pool's coins to determine whether the pool held native ETH, which is what decides whether a Curve call needs reentrancy protection. For this pool, however, the meta-registry returned the WETH address where Conic expected Curve's placeholder "ETH" address, so the check concluded the pool did not hold ETH and the reentrancy protection was never triggered.
Hence, the reentrancy.
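To make the failure mode concrete, here is a small Python model of the check described above, written for this post rather than taken from Conic's or Curve's code. The ETH placeholder and WETH addresses are the real mainnet constants; the pool, the meta-registry entry, the skewed mid-call price, and the "hardened" variant are all constructed for illustration and are not Conic's actual fix. Calling a nonreentrant pool function such as `withdraw_admin_fees()` before reading `get_virtual_price()` is the usual way to make a Curve pool's own lock reject a reentrant read; the model assumes that pattern.

```python
"""Model of a Curve-handler "does this pool hold native ETH?" check.

Constructed example: the pool, registry and price values are toys, not live data.
"""

# Real, well-known mainnet constants: Curve's native-ETH placeholder and WETH.
ETH_PLACEHOLDER = "0xEeeeeEeeeEeEeeEeEeEeEEEeeeeEeeeeeeeEEeE"
WETH = "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2"
OTHER_TOKEN = "0xOTHER_TOKEN"          # hypothetical second coin, not a real address
LOCKED_ERROR = "pool is locked"        # stands in for a nonreentrant function's revert


class CurvePool:
    """Toy pool holding native ETH: remove_liquidity sends ETH to the caller (a
    callback here) while the pool's reentrancy lock is held."""

    def __init__(self, coins, virtual_price):
        self.coins = list(coins)       # what the pool itself reports via coins(i)
        self.virtual_price = virtual_price
        self._locked = False

    def get_virtual_price(self):
        # View function, not covered by the lock: mid-call it returns an
        # intermediate state, modelled here as a deliberately doubled value.
        return self.virtual_price * 2 if self._locked else self.virtual_price

    def withdraw_admin_fees(self):
        # Nonreentrant on real Curve pools: reverts while the lock is held.
        if self._locked:
            raise RuntimeError(LOCKED_ERROR)

    def remove_liquidity(self, on_eth_received):
        # The ETH transfer hands control to the caller before the call finishes.
        self._locked = True
        try:
            return on_eth_received()
        finally:
            self._locked = False


class MetaRegistry:
    """Toy meta-registry whose entry for the pool normalises native ETH to WETH."""

    def __init__(self, coins_by_pool):
        self._coins = coins_by_pool

    def get_coins(self, pool):
        return self._coins[pool]


def needs_guard_vulnerable(registry, pool):
    """The check as the post describes it: only the ETH placeholder counts."""
    return ETH_PLACEHOLDER in registry.get_coins(pool)


def needs_guard_hardened(registry, pool):
    """Assumed hardening (not Conic's fix): treat WETH as ETH exposure too, and
    cross-check the pool's own coins(i) instead of trusting the registry alone."""
    reported = set(registry.get_coins(pool)) | set(pool.coins)
    return ETH_PLACEHOLDER in reported or WETH in reported


def read_lp_price(registry, pool, needs_guard):
    """Read the LP price, triggering the pool's own lock first when guarded."""
    if needs_guard(registry, pool):
        pool.withdraw_admin_fees()     # reverts if we are inside a pool callback
    return pool.get_virtual_price()


def price_seen_during_reentry(registry, pool, needs_guard):
    """Re-enter from the ETH callback and read the price; return the value seen,
    or the revert message if the guard stopped the read."""
    try:
        return pool.remove_liquidity(lambda: read_lp_price(registry, pool, needs_guard))
    except RuntimeError as exc:
        return str(exc)


def build_scenario():
    """Pool that really holds ETH, registry entry that says WETH."""
    pool = CurvePool([ETH_PLACEHOLDER, OTHER_TOKEN], 1.0)
    registry = MetaRegistry({pool: [WETH, OTHER_TOKEN]})
    return registry, pool


if __name__ == "__main__":
    registry, pool = build_scenario()
    print("vulnerable guard engaged:", needs_guard_vulnerable(registry, pool))
    print("hardened guard engaged:  ", needs_guard_hardened(registry, pool))
    print("reentrant read, vulnerable:", price_seen_during_reentry(registry, pool, needs_guard_vulnerable))
    print("reentrant read, hardened:  ", price_seen_during_reentry(registry, pool, needs_guard_hardened))
```

The vulnerable predicate sees only WETH in the registry answer, decides no guard is needed, and the reentrant read returns the skewed mid-call price; the hardened predicate engages the pool's lock and the read reverts. The general lesson is that a normalised view from a registry is not a safe input to a security decision about the pool itself.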
PeckShield was quick to point out this was outside the scope of their audit.
Even if it had been in scope, it might have been tricky to catch: the check itself reads sensibly, and it only fails for a pool whose meta-registry entry reports WETH rather than the ETH placeholder.
This hack hit particularly close to home, as we had them on just last week for a written llama party, in which we discussed the new ETH omnipool.
They remain some of the best builders in the space, and we all wish them a speedy recovery!