Key takeaways:
- An Ethereum omnipool vulnerability has been discovered at Conic Finance.
- The attacker borrowed 20,000 staked ETH in a flash loan and sent it to Conic’s price oracle to enable the exploit.
An Ethereum omnipool vulnerability has been discovered at Conic Finance, a platform for balancing liquidity pools for the Curve decentralized finance (DeFi) protocol.
According to the Web3 risk-alert site Beosin Alert, Conic Finance was taken advantage of for $3.26 million in ether on July 21. Beosin’s research shows that almost all of the stolen crypto was transferred to a fresh Ethereum address in a single transaction.
Conic Finance, known for leveraging liquidity pools to distribute funds through the Curve decentralized exchange, was the victim of a two-pronged attack involving a price oracle’s vulnerability and manipulation.
In this particular case, the attacker borrowed 20,000 staked ETH in a flash loan and sent it to Conic’s price oracle to enable the exploit. The flaw was used in conjunction with a modification of Conic’s price oracle, which gets its information via a read-only smart contract owned by a different party.
According to the preliminary investigation offered by the blockchain security company Peckshield, the new CurveLPOracleV2 contract was the primary culprit. Peckshield stated:
“Our audit identifies a similar read-only reentrancy issue. However, the same issue is introduced in the newly introduced CurveLPOracleV2 contract, which was not part of the audit scope,”
Conic swiftly informed users through Twitter of the attack involving the ETH Omnipool, released on July 10, and solely affecting ETH pools. Additionally, the platform reportedly prevented ETH Omnipool deposits on the Conic front end, according to Conic Finance. Conic informed its community in a tweet:
“We are currently investigating an exploit involving the ETH Omnipool and will share updates as soon as they are available.”
On July 21, Binance CEO Changpeng Zhao “CZ” posted a warning against phishing and other social engineering frauds on Twitter. Additionally, he advised cryptocurrency exchange customers to use hardware devices rather than, for instance, cell carrier-based two-factor authentication (2FA).
In the industry, DeFi hacks are nothing new. After its primary marketplace was compromised, Ethscriptions experienced a severe setback. Ethscriptions’ developer, Tom Lehman, announced the hack a few days ago on Twitter, noting that 202 Ethscriptions had been taken as a result of the attack. Once the necessary protocol changes have been made, the company intends to restart the Ethscriptions marketplace.