How Conic Finance drew $26m in just three days after losing millions over the summer

Multi-million dollar hacks can be a death knell for DeFi projects.

Conic Finance, however, has bucked that trend.

In just three days, the liquidity protocol has already raked in a cool $26 million after falling to a $3.2 million exploit last summer.

It’s still much lower than its peak of $157 million just before last year’s hack, but proponents, including Curve founder Michael Egorov, say the protocol is moving in the right direction – including promising to pay back users affected by the hack.

New label, same brand

Launched on January 31, Conic v2 was built to be more secure than its predecessor, according to pseudonymous Conic Finance core contributor bb8.

“The Conic v2 implementation includes features such as flash loan restrictions and guardians which address the previously found vulnerabilities, while also adding additional layers of security,” bb8 told DL News.

The DeFi protocol allows liquidity providers on Curve Finance to earn yield from diverse liquidity pools on the stablecoin exchange.

A flash loan re-entrancy attack downed Conic’s first iteration. A flash loan does not require the debtor to put up collateral as long the loan position is repaid within the same blockchain transaction.

A flash loan isn’t inherently malicious. It can also be used to obtain trading capital to profit off temporary arbitrage opportunities — situations where the price of a crypto token differs in two marketplaces.

However, malicious actors, like the one who attacked Conic last summer, can use flash loans to fund their attacks in a protocol’s smart contract code to steal funds.

Last year’s attack

In Conic’s case, the exploiter used a flash loan to launch a re-entrancy attack.

This kind of attack tricks a DeFi protocol into accepting commands from an external contract with malicious codes and enables an attacker to steal funds.

While the attack cost the protocol $3.2 million in losses, the attacker only profited $300,000, per Conic’s post-mortem.

Several DeFi protocols lost $61 million when hackers used similar re-entrancy attacks to exploit bugs in the coding of several Curve pools. Curve Finance itself lost over $47 million to that incident.

Even the infamous DAO hack of 2016 that led to the loss of $60 million and a major schism in Ethereum’s early community was due to a re-entrancy vulnerability.

More auditing

For Conic, the vulnerability was present in a newly deployed Ether omnipool at the time. Blockchain security firm PeckShield, Conic’s previous auditor, said the smart contract for the pool was not part of its audit scope at the time.

Conic has new auditors this time around and claims its contracts are more secure than ever.

“Conic v2 underwent rigorous auditing from two of the most reputable auditing firms in the industry — ChainSecurity and MixBytes,” bb8 said.

Curve founder Michael Egorov also commented on the audits via X, formerly Twitter, saying the protocol’s code has been “deeply reworked for safety and received excellent audits.”

Egorov invested $1 million into the protocol after last summer’s hack.

MixBytes, one of the auditors, told DL News it carefully reviewed the patches made to Conic’s past vulnerabilities.

“Our audit team tested this attack vector for the Conic v2 and verified that the error was corrected,” a MixBytes representative said.

However, more audits do not always mean better security. Re-entrancy vulnerabilities can be difficult to spot, even in comprehensive code audits, especially for protocols with a large codebase.

The Conic attack was a read-only re-entrancy exploit, a new twist on the re-entrancy problem, which was even more difficult to detect, Nikita Kirilov, a researcher at blockchain security company Pessimistic, previously told DL News.

Unlike typical re-entrancy bugs, this kind does not change the smart contract’s target function. Instead, it tricks it into assuming an incorrect state for the hacker’s benefit, making it even more imperceptible to the protocol’s defences.

ChainSecurity, the other auditing firm used by Conic, also confirmed that this variety of re-entrancy is a novel twist on the old re-entrancy class of smart contract vulnerability.

Emilie Raffo, founding partner and head of sales at ChainSecurity told DL News that ChainSecurity was the first to discover this new form of the problem and said the company had “extensive working knowledge of it.”

“On the Conic audit specifically, it is important to note that security audits are time-boxed and cannot uncover all vulnerabilities,” Raffo told DL News. “This being said, we have determined that the Conic codebase we have reviewed provides a high level of security.”

Bigger and better

Apart from being more secure, the Conic team also says v2 improves the yield-earning potential for users.

Built on top of Curve, Conic’s previous version allowed liquidity providers on Curve to diversify their exposure to Curve’s many pools and earn rewards on Convex.

In v2, Conic has expanded this model with what it calls liquidity allocation modules, or LAMs. These LAMs allow users to allocate their liquidity to other protocols, upscaling their yield potential.

Disclaimer: The two co-founders of DL News were previously core contributors to the Curve protocol.

Osato Avan-Nomayo is our Nigeria-based DeFi correspondent. He covers DeFi and tech. To share tips or information about stories, please contact him at osato@dlnews.com.