DeFi protocol Conic Finance confirmed that it was exploited via a reentrancy attack earlier today for an undisclosed sum.
A reentrancy attack allows an attacker to drain funds from a vulnerable contract by calling back into its withdraw function repeatedly before the contract updates the caller's balance. This type of attack has been used to exploit several DeFi protocols.
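The ordering problem described above can be seen in a small in-memory model. This is an added example, not code from Conic Finance, Curve, or the original article; the `Vault` class, the depositor names, and the amounts are all constructed assumptions.

```python
# Added illustration: a toy in-memory model, not Conic Finance or Curve code.
# All names and amounts are constructed for the example.

class Vault:
    """Minimal ETH vault. `checks_effects_interactions` picks the withdraw ordering."""

    def __init__(self, checks_effects_interactions):
        self.cei = checks_effects_interactions
        self.balances = {}  # ledger: depositor -> amount owed
        self.eth = 0        # ETH the vault actually holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.eth:
            return  # nothing owed, or the vault cannot pay
        if self.cei:
            self.balances[who] = 0  # hardened: update the ledger before paying out
        self.eth -= amount
        on_receive(amount)          # external call: the recipient's code runs here
        if not self.cei:
            self.balances[who] = 0  # vulnerable: ledger updated only after the call


def simulate(checks_effects_interactions):
    """Return (ETH received by the re-entering depositor, ETH left in the vault)."""
    vault = Vault(checks_effects_interactions)
    vault.deposit("other_users", 90)  # constructed deposits
    vault.deposit("reentrant", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        # The recipient calls back into withdraw before the outer call returns.
        vault.withdraw("reentrant", on_receive)

    vault.withdraw("reentrant", on_receive)
    return sum(received), vault.eth


if __name__ == "__main__":
    print("pay-then-update:", simulate(False))  # ledger stale during the callback
    print("update-then-pay:", simulate(True))   # nested call sees a zero balance
```

With the ledger updated before the payout, the nested call finds a zero balance and returns without paying, so the depositor receives only what was deposited.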
Conic Finance stated that it initially disabled the front end of its Omnipool Ethereum deposits, adding that it has initiated a fix to the affected contract.
“The root cause was a re-entrancy attack that was able to be performed because of a wrong assumption as to what address is returned by the Curve Meta Registry for ETH in Curve V2 pools.”
Curve Finance also added that only the ETH Omnipool was affected.
According to its website, Conic Finance allows liquidity providers to diversify their exposure to multiple Curve pools easily. Any user can provide liquidity into a Conic Omnipool, which allocates funds across Curve in proportion to protocol-controlled pool weights.
Conic Finance did not respond to CryptoSlate’s request for additional commentary as of press time.
Decurity noted that the exploiter was active yesterday and performed a series of small hacks before attacking the CNCETH pool today. The exploiter also sent one unsuccessful transaction 10 minutes before successfully exploiting Conic Finance.
BlockSec corroborated the report, noting that the hacker was labeled as the Lady Pepe Exploiter by MetaDock.
This exploit continues a relatively busy month for hackers targeting crypto projects. Data from DeFiLlama shows that over $100 million in digital assets has been stolen from several protocols, including the cross-chain bridge Multichain (MULTI).
The post Conic Finance loses $3.2M to reentrancy attack on ETH Omnipool appeared first on CryptoSlate.