Conic Finance lost $3.2 million due to oracle manipulation


The attacker hacked the Conic Finance DeFi protocol, which is focused on the Curve platform. He withdrew about 1700 ETH (~$3.26 million).

[Screenshot. Data: Twitter.]

According to analysts at Beosin, the hacker exploited a reentrancy vulnerability, gaining access to the protocol’s price oracle to manipulate the prices of steCRV, cbETH/ETH-f, rETH-f and other tokens.

This allowed the attacker to withdraw more liquidity tokens than he deposited. The perpetrator also borrowed 20,000 stETH to increase his profit.

According to Conic, the exploit only affected the Omnipool pool on the Ethereum network. The protocol team is currently investigating the details of the incident.

According to PeckShield, CurveLPOracleV2 was the main contract attacked. Analysts emphasized that this component was not part of their audit.

Recall that in July, a hacker withdrew 810.1 ETH (~$1.5 million at the time of the attack) from the Rodeo Finance DeFi protocol on the Arbitrum network by manipulating the oracle.

In the same month, Arcadia Finance was hacked for $455,000. According to PeckShield, the code allegedly lacked a mechanism for cross-analysis of unconfirmed inputs.

Earlier, Beosin experts reported that in the first half of 2023, the digital asset sector lost about $655.6 million as a result of hacker attacks, fraud and rug pulls.
