Governments are creating rules and establishing anti-crime task forces to tackle crypto-related scams and to protect investors and firms from ransomware crimes. Recently, Conic Finance, a DeFi protocol managed by the Curve decentralized exchange and used to allocate funds across liquidity pools, experienced a significant exploit on July 21, 2023.
The hacker stole 1700 Ethereum, worth around $3.2 million, according to security analysts at BlockSec. The attack was made possible through a reentrancy vulnerability in the system, allowing the hacker to manipulate a faulty price oracle used by Conic.
The attacker’s strategy involved repeatedly calling a function within a single transaction before the initial call could complete, enabling them to withdraw more funds than they were entitled to. To carry out the attack, the hacker executed a flash loan, borrowing 20,000 staked Ether, and then tampered with Conic’s price oracle sourced from a third-party “read-only” smart contract.
Using this flash-loaned staked Ether, the attacker amplified their profits through the reentrancy attack. Around 6:35 a.m. ET, the event was reported, and BlockSec’s Director of Security Services, Matthew Jiang, gave details on the attack in an interview.
Conic Finance kept its community informed by announcing the ongoing investigation into the exploit involving the ETH Omnipool through a Twitter post and promised to share further updates.
A similar incident occurred on June 12, 2023, when a lending protocol named Sturdy Finance lost 442.6 Ether, worth around $768,000, due to a reentrancy attack. The attacker manipulated prices and made illegal withdrawals of funds by exploiting a malfunctioning price oracle.
Price oracles are essential in DeFi, but hackers may try to compromise them. To prevent such attacks, awareness and security measures are crucial, and the government is also taking part in preventing such incidents.
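The "read-only" oracle problem described above can be seen in a small model. The following is an added example, not code from Conic, Curve or BlockSec: a toy Python pool (all names and numbers are constructed) whose price getter reports an inconsistent value while a withdrawal is still in progress, next to the hardened variant in which the getter checks the same lock as the state-changing function.

```python
# Added illustration: a toy Python model, not Conic's or Curve's contract code.
# All names and numbers are constructed.

class ReentrancyError(Exception):
    pass

class Pool:
    """Toy liquidity pool whose price() acts as a read-only oracle."""

    def __init__(self, reserves, lp_supply, guarded_view):
        self.reserves = reserves
        self.lp_supply = lp_supply
        self.guarded_view = guarded_view  # hardened variant checks the lock in price()
        self._locked = False

    def price(self):
        # Hardened: refuse to report a price while a state change is in flight.
        if self.guarded_view and self._locked:
            raise ReentrancyError("pool state is mid-update")
        return self.reserves / self.lp_supply

    def withdraw(self, lp_amount, on_receive):
        # The lock stops re-entry into withdraw() itself, but protects
        # price() only if price() also checks it.
        if self._locked:
            raise ReentrancyError("re-entered withdraw")
        self._locked = True
        try:
            payout = lp_amount * self.reserves / self.lp_supply
            self.lp_supply -= lp_amount  # LP tokens burned first
            on_receive(payout)           # external call: recipient code runs here
            self.reserves -= payout      # reserves updated only after the call
        finally:
            self._locked = False
        return payout

def observe(guarded_view):
    """Return (price seen inside the callback, price after the call)."""
    pool = Pool(1000.0, 1000.0, guarded_view)
    seen = []

    def callback(_payout):
        try:
            seen.append(pool.price())
        except ReentrancyError:
            seen.append(None)  # consumer learns the price is unsafe to use

    pool.withdraw(500.0, callback)
    return seen[0], pool.price()
```

With the unguarded getter, the price read inside the callback is double the true value even though the pool settles back to 1.0 afterwards; with the guarded getter, the mid-call read is rejected, so a protocol consuming the oracle cannot act on the transient value.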