Decentralized finance (DeFi) protocol Conic Finance has lost more than $3.2 million worth of Ether (ETH) in two separate hacking incidents over the past few days.
The first attack, which took place on Friday last week, was described by the Conic Finance team as a “re-entrancy attack” that exploited a vulnerability in the Curve V2 pools, earning the attacker 1,700 ETH tokens.
“A fix to the affected contract has been implemented,” the team wrote.
The team assured the community that the exploit “cannot be done again” for the same Omnipool, and said that “no other Conic Omnipools are affected by this issue.”
Second attack
A few hours later, however, the team reported a second exploit, which drained around $300,000 worth of tokens from the crvUSD Omnipool.
“In response to this and given today’s ETH exploit, we immediately enforced maximum security measures and temporarily closed all Omnipools,” said a new tweet from Conic Finance.
The team stressed that the second attack was “unrelated to the ETH Omnipool reentry exploit.”
“Extremely difficult” two days
In a post-mortem update published after the two attacks, the Conic Finance team admitted that the last two days had been “extremely difficult”.
“We feel devastated by this situation and will do everything in our power to recover the stolen funds,” the team said.
The post-mortem update appeared to place some of the blame for both attacks on Curve, saying of the second incident that interaction with “unbalanced Curve pools” caused the vulnerability.
Curve is a decentralized exchange (DEX) for stablecoins that uses the automated market maker (AMM) model to manage liquidity.
“While we had some mechanisms in place to make sure we didn’t interact with unbalanced Curve pools, the limits we set weren’t tight enough and would allow an attacker to slowly drain funds from the pool,” the team wrote.
Despite this, the update also said that the members of the Curve team “deserve recognition for their massive help and support”.
Conic Finance is a relatively new DeFi project, and the protocol token, CNC, is currently only listed on MEXC and CoinEx in addition to a few decentralized exchanges.
As of press time on Monday, the CNC token had declined by 45% over the last 7 days, CoinGecko data shows.