Decentralized finance (DeFi) protocol Conic Finance has lost over $3.2 million worth of ether (ETH) in two separate hacking incidents in recent days.
The first attack, which took place on Friday last week, was described by the Conic Finance team as a “re-entrancy attack” that exploited a vulnerability in the Curve V2 pool, giving the attacker 1,700 ETH tokens.
“The solution for the affected contract is being deployed,” the team wrote.
The team reassured the community that the exploit “cannot be replicated” for the same omnipool, and that “no other Conic omnipools are affected by this issue.”
However, a few hours later, the team reported again that they had encountered an exploit, this time with roughly $300,000 worth of crvUSD tokens wiped from the omnipool.
“In response to this and in light of today’s ETH exploit, we immediately implemented maximum security measures and temporarily closed all Omnipools,” said a new tweet from Conic Finance.
The team emphasized that the second attack was “unrelated to the ETH Omnipool re-entry exploit.”
‘extremely difficult’ two days
In a postmortem update published after the two attacks, the Conic Finance team acknowledged that the past two days have been “extremely difficult”.
“We are devastated by this situation and will do everything in our power to recover the stolen funds,” the team said.
A post-mortem update placed some of the blame for both attacks on Curve, with the second incident saying the vulnerability occurred due to interactions with an “imbalanced Curve pool”.
Curve is a decentralized exchange (DEX) for stablecoins that uses the Automated Market Maker (AMM) model to manage liquidity.
“While we had some mechanisms in place to ensure that we did not interact with unbalanced Curve pools, the limits we set were not strict enough and allowed the attacker to slowly drain funds from the pool,” the team wrote.
Despite this, the update also stated that Curve’s team members “deserve recognition for their enormous help and support.”
Conic Finance is a relatively new DeFi project, and the protocol’s token, CNC, is currently only listed on MEXC and CoinX, in addition to a few decentralized exchanges.
Data from CoinGecko shows that at press time on Monday, CNC Token is down 45% over the past 7 days.