Conic Finance Users Flee After Hackers Steal $4M

Conic Finance, a protocol offering diversified exposure to liquidity pools on Curve, a popular DEX, has lost two-thirds of its deposits since suffering two exploits late last week.

In a July 23 post-mortem, the team said it lost $4.1M in two separate attacks targeting its pools two days earlier. The incidents shook investor confidence in Conic, with its total value locked crashing 72% from $157M on July 21 to $43M. Its native token, CNC, is also down 57% over the same period.

Deposits on Conic remain disabled, with the team stating it wants to “address all security issues carefully” before allowing new capital inflows. Users can make withdrawals, and existing liquidity providers continue to earn yield as usual.

The incident serves as a reminder of the risk-to-reward trade-off for DeFi farmers chasing yields. While protocols like Conic may offer boosted rewards compared to simply depositing assets on battle-tested protocols like Curve Finance, the extra yield comes with increasing smart contract complexity and thus opportunities for hackers to identify and exploit attack vectors.

Novel Omnipools

Conic’s Omnipools spread users’ deposits across multiple Curve pools, and stake the corresponding LP tokens on Convex Finance to earn additional yield. Users receive rewards in the form of Curve’s CRV, Convex’s CVX, and Conic’s CNC tokens, in addition to trading fees on Curve. The protocol went live in March.

Conic said it was contacted by Hexagate, a web3 threat intelligence company, on July 21 after the firm identified early signs of a possible exploit targeting Conic’s ETH Omnipool using a reentrancy attack.

A reentrancy attack is a malicious maneuver in which an attacker repeatedly calls a function within a smart contract before its previous function call is completed, exploiting the contract's logic to drain funds or manipulate data.

The hacker was able to manipulate the price of the rETH Curve LP token on Conic, allowing them to mint more cncETH LP tokens than their rETH collateral should have allowed.

“They were able to run this attack in a loop, depositing and withdrawing at a positive exchange rate to drain funds from the Omnipool,” Conic said. The attack resulted in a $3.2M loss for the protocol.

Conic said although it has safeguards protecting against reentrancy attacks in place, the attack took advantage of a false technical assumption regarding Curve v2 pools in its code.

Conic was later alerted to suspicious transactions targeting its crvUSD Omnipool, prompting the team to shut down all of its Omnipools after identifying an 11 ETH loss to a complex sandwich attack. Roughly $934,000 was stolen from the crvUSD Omnipool in total, netting around $300,000 in profits for the attacker.