Conic Finance loses $3.2 million to oracle manipulation

An attacker hacked the DeFi protocol Conic Finance, oriented toward the Curve platform. They withdrew around 1,700 ETH (~$3.26 million).

According to Beosin analysts, the hacker exploited a re-entry vulnerability, gaining access to the protocol’s price oracle to manipulate the prices of steCRV, cbETH/ETH-f, rETH-f and others.

This allowed the attacker to withdraw more liquidity tokens than they deposited. The attacker also borrowed 20,000 stETH to increase profits.

According to Conic representatives, the exploit affected only the Omnipool on the Ethereum network. The protocol team is currently investigating the incident.

According to PeckShield, the main contract used in the attack was CurveLPOracleV2. Analysts noted that this component was not included in the audit they conducted.

Earlier in July, the hacker withdrew 810.1 ETH (~$1.5 million at the time of the attack) from the Rodeo Finance DeFi protocol on the Arbitrum network through oracle manipulation.

In the same month, Arcadia Finance was hacked for $455,000. According to PeckShield, the code reportedly lacked a mechanism for cross-checking unverified inputs.

Earlier Beosin analysts said that in the first half of 2023 the digital asset sector lost about $655.6 million due to hacks, fraud and rug pull.