Attacks in the world of DeFi continue unabated, with yet another one added to the list. Today, the DeFi protocol Conic Finance fell victim to a common attack. The hacker exploited a vulnerability in the protocol and took 1,700 ETH, equivalent to approximately $3.2 million. Security analysts at BlockSec have investigated the attack.
Conic is known as a DeFi protocol that allows users to distribute funds on the decentralized exchange Curve. Utilizing the liquidity pools offered by Curve, Conic has gained significant popularity recently. The unidentified attacker took advantage of a vulnerability called “reentrancy” to manipulate the price data provided by the oracle that Conic relies on. The resulting faulty prices allowed funds to be drained.
Matthew Jiang, a security expert at BlockSec, emphasized that this was done within a single transaction through the use of the “call” function in the smart contract. In a reentrancy attack, the second function is called before the first function has finished executing, deceiving the system. Through this mechanism, the attacker can receive significantly more funds than they should.
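A simplified Python model of the mechanism described above, added here as an illustration and not taken from Conic, Curve or BlockSec: a price read made while a withdrawal is half-finished sees inconsistent state, and a lock that the read path also honours rejects it. `ToyPool`, `share_price`, `withdraw`, `observe` and all numbers are constructed assumptions.

```python
class ReentrancyError(Exception):
    """Stands in for a transaction revert."""


class ToyPool:
    """Constructed model: an oracle derives a price from balance / shares."""

    def __init__(self, balance, shares, guard_reads):
        self.balance = balance          # assets held by the pool
        self.shares = shares            # outstanding pool shares
        self.guard_reads = guard_reads  # True = price reads honour the lock
        self._locked = False

    def share_price(self):
        # Hardened form: no price is reported while an update is in flight.
        if self.guard_reads and self._locked:
            raise ReentrancyError("price read during state change")
        return self.balance / self.shares

    def withdraw(self, shares, on_receive):
        if self._locked:
            raise ReentrancyError("nested state-changing call")
        self._locked = True
        try:
            payout = shares * self.balance // self.shares
            self.shares -= shares   # first half of the update
            on_receive(payout)      # external call: control leaves the pool
            self.balance -= payout  # second half, only after the callback
        finally:
            self._locked = False
        return payout


def observe(guard_reads):
    """Return the share price before, during and after one withdrawal."""
    pool = ToyPool(balance=1000, shares=1000, guard_reads=guard_reads)
    seen = {}

    def callback(_payout):
        # Models a consumer that reads the price inside the payee callback.
        try:
            seen["during"] = pool.share_price()
        except ReentrancyError:
            seen["during"] = None  # the guarded read reverted

    before = pool.share_price()
    pool.withdraw(500, callback)
    return before, seen["during"], pool.share_price()
```

With `guard_reads=False` the mid-call price is double the true value; with `guard_reads=True` the same read is refused. Completing both state updates before the external call removes the inconsistent window altogether.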
The Conic Finance team issued a warning regarding the incident. The statement highlighted the impact on the ETH Omnipool and emphasized that an update would be shared. The Conic Finance team also clarified that this issue is limited to the ETH pool only. Other assets based on the Ethereum network are not affected.
It is noted that the attacker used a flash loan, borrowing 20,000 ETH and emptying the pool after manipulating Conic's price data. Similar attacks have targeted many other DeFi protocols, and the fact that many protocols have still not closed this vulnerability is a cause for concern.
As a result of this news, Conic Finance’s native cryptocurrency experienced a 28% drop, falling to $4. The actions the Conic team will take in response to this attack will be revealed in the coming hours.