The decentralized finance (DeFi) protocol Conic Finance has lost more than $3.2 million worth of Ether (ETH) in two separate hacking incidents in recent days.
The first attack, which happened on Friday last week, was described by the Conic Finance team as a “re-entrancy attack” that exploited a vulnerability in Curve V2 pools, earning the attacker 1,700 ETH tokens.
“A fix to the affected contract is being deployed,” the team wrote.
The team went on to assure the community that the exploit “cannot be done again” for the same Omnipool, and said that “no other Conic Omnipools are affected by this issue.”
Second attack
A few hours later, however, the team again reported that they had suffered an exploit, this time draining approximately $300,000 worth of tokens from the crvUSD Omnipool.
“In response to this and given today’s ETH exploit, we immediately enforced maximum safety measures and temporarily shutdown all Omnipools,” a new tweet from Conic Finance said.
The team stressed that the second attack was “unrelated to the ETH Omnipool’s re-entrancy exploit.”
‘Extremely difficult’ two days
In a post-mortem update published after the two attacks, the Conic Finance team admitted that the past two days have been “extremely difficult.”
“We feel devastated by this situation and will do everything in our power to recover the stolen funds,” the team said.
The post-mortem update appeared to place part of the blame for both of the attacks on Curve, saying about the second incident that interaction with “imbalanced Curve pools” caused the vulnerability.
Curve is a decentralized exchange (DEX) for stablecoins that uses the automated market maker (AMM) model to manage liquidity.
“While we did have some mechanism in place to ensure we did not interact with imbalanced Curve pools, the bounds that we had set were not tight enough and allowed the attacker to slowly drain funds from the pool,” the team wrote.
Despite this, the update also said that Curve’s team members “deserve recognition for their massive help and support.”
Conic Finance is a relatively new DeFi project, and the protocol’s token, CNC, is for now only listed on MEXC and CoinEx in addition to a few decentralized exchanges.
As of press time on Monday, the CNC token was down by 45% over the past 7 days, data from CoinGecko showed.
Read the full article here