Post Mortem — ETH and crvUSD Omnipool Exploits

Conic Finance
Jul 22, 2023


The past 48 hours have been extremely difficult for the Conic community and the core team. Nonetheless, it has been nothing but incredible to see the support that we have received during this time and how the Conic community has stood together.

As we have identified the root causes of the exploits, our focus is now on the attackers. Investigations into the attackers’ addresses have already begun. We will, through any means necessary, attempt to make contact and negotiate with them. We feel devastated by this situation and will do everything in our power to recover the stolen funds.

As an extreme safety measure, all deposits have been disabled for the existing Omnipools. Withdrawals are safe and existing LPs continue to earn yield normally. However, we want to address all security issues carefully before allowing new capital inflows. Funds currently held by Omnipools are not at risk from any of the aforementioned vulnerabilities and continue to generate yield normally.

We provide a detailed description of both exploits below.

ETH Omnipool exploit

Yesterday at 10:51am UTC, the Conic core team was contacted by Hexagate, a web3 threat intelligence company, informing team members of early detection alerts for an exploit of the ETH Omnipool.

The exploit transaction, which stole $3.2m worth of WETH from the Conic ETH Omnipool, can be found here: https://etherscan.io/tx/0x8b74995d1d61d3d7547575649136b8765acb22882960f0636941c44ec7bbe146

The malicious contract used for the exploit: 0x743599BA5CfA3cE8c59691aF5ef279AaaFA2E4EB

The address of the account executing the exploit: 0x8D67db0b205E32A5Dd96145F022Fa18Aae7DC8Aa

The core team immediately started to investigate and learned that the exploit relied on a read-only reentrancy vulnerability. However, it initially remained unclear how a reentrant call could be made via the Conic ETH pool, since reentrancy guards are in place.

What followed was a careful review, together with the Curve team, of the most critical Conic functions called by the transaction. Ultimately, the root cause of the exploit was found to be an incorrect assumption about which address the Curve Meta Registry returns for ETH as the underlying coin of a Curve v2 pool.

Specifically, the Conic ETH Omnipool uses the `CurveHandlerV3` to check whether we are currently in a reentrant call. This check was only executed if the pool being interacted with contains ETH, which was checked by calling the `_isETH` method. Our assumption was that Curve v2 pools using ETH have the ETH address (0xeee…eee) as one of their coins. However, they instead have the WETH address. This led to `_isETH` returning false, and in turn, to the reentrancy guard of the rETH pool being bypassed.

Bypassing this reentrancy check allowed the attacker to manipulate the price of the rETH Curve LP token, which they then used to trick the ETH Omnipool into minting more cncETH LP tokens for their deposits than it should have. They ran this attack in a loop, depositing and withdrawing at a favorable exchange rate to drain funds from the Omnipool.
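The check described above, modelled as an added example (this is not Conic's `CurveHandlerV3` code, and the pool, lock flag and rETH address are constructed for illustration). It shows why an `_isETH`-style test that looks only for the 0xEee…eee placeholder skips the read-only-reentrancy guard for a Curve v2 pool whose coin list contains WETH, and how treating WETH as ETH closes that gap:

```python
# Added example: model of a registry-driven "is this an ETH pool?" check that gates
# a read-only-reentrancy guard. Not Conic's code; the hardened check is an assumption.

# The ETH placeholder used by Curve v1 pools, and the real mainnet WETH address.
ETH_PLACEHOLDER = "0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE".lower()
WETH = "0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2".lower()
RETH = "rETH (placeholder label, not a real address)"


class ReentrancyError(RuntimeError):
    """Raised when a price is read while the pool is mid way through a state-changing call."""


class CurvePool:
    def __init__(self, name, coins, lp_price=1.0, locked=False):
        self.name = name
        self.coins = coins        # coin addresses as the Meta Registry would report them (modelled)
        self.lp_price = lp_price  # LP token price the pool currently reports
        self.locked = locked      # True while the pool's own nonReentrant lock is held


def is_eth_original(pool):
    # The assumption described in the post-mortem: ETH pools list the 0xEee...eee placeholder.
    return ETH_PLACEHOLDER in pool.coins


def is_eth_hardened(pool):
    # Curve v2 pools list WETH instead, so either address means "this pool holds ETH".
    return ETH_PLACEHOLDER in pool.coins or WETH in pool.coins


def ensure_not_reentrant(pool):
    # On-chain this is done by calling into the pool so that its nonReentrant lock reverts
    # if the pool is mid-call; modelled here as a flag check.
    if pool.locked:
        raise ReentrancyError(f"{pool.name}: pool is mid-call, reported price is untrustworthy")


def lp_price_for_accounting(pool, is_eth):
    """Model of a handler that runs the read-only-reentrancy guard only for ETH pools."""
    if is_eth(pool):
        ensure_not_reentrant(pool)
    return pool.lp_price


def compare_checks():
    # Constructed scenario: a v2 rETH/WETH pool caught in the middle of a liquidity call,
    # during which the LP price it reports is temporarily inflated.
    pool = CurvePool("rETH/ETH v2", [WETH, RETH], lp_price=1.8, locked=True)
    outcome = {}
    for label, check in (("original", is_eth_original), ("hardened", is_eth_hardened)):
        try:
            outcome[label] = lp_price_for_accounting(pool, check)
        except ReentrancyError:
            outcome[label] = "rejected"
    return outcome


if __name__ == "__main__":
    print(compare_checks())  # {'original': 1.8, 'hardened': 'rejected'}
```

With the original check the handler happily consumes the inflated price because the guard is never run; with the hardened check the same read is refused until the pool's lock is released. The broader lesson is that any guard conditioned on registry metadata inherits that metadata's assumptions, so the condition itself needs a test case per pool type.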

crvUSD Omnipool exploit

At 19:08 UTC, we were made aware of suspicious transactions targeting the crvUSD Omnipool. After identifying a transaction that drained over 11 ETH in profit from the pool, we responded immediately. Given the earlier exploit of the ETH pool, we did not want to take any chances and shut down all Omnipools, starting with the crvUSD pool at 19:23 UTC; this disabled deposits and stopped the ongoing looping attack.

After carefully examining the exploit, we identified the attack as a variant of a sandwich attack targeting our pools. It consisted of the following steps:

  1. Exchange crvUSD to USDC in the Curve pool
  2. Deposit crvUSD into Conic
  3. Exchange USDC to crvUSD in the Curve pool
  4. Withdraw from Conic
  5. Repeat steps above

The attacker profited from the exchanges in the Curve pool by trading at a favorable rate. While we did have a mechanism in place to avoid interacting with imbalanced Curve pools, the bounds we had set were not tight enough and allowed the attacker to slowly drain funds from the pool.
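An added example of the kind of imbalance bound the paragraph above refers to (not Conic's code; the bound values and pool balances are constructed, since the post-mortem does not state the actual parameters). It measures how far a like-priced pool such as crvUSD/USDC has drifted from an even split and gates deposits and withdrawals on that measure, showing that a loose bound still admits a pool that has been skewed by a large swap while a tight bound refuses it:

```python
# Added example: imbalance bound for a pool of like-priced coins. Constructed values;
# the post-mortem does not publish Conic's real bounds.

# Illustrative bounds (relative deviation of a coin's share from the ideal 1/n).
LOOSE_MAX_DEVIATION = 0.30
TIGHT_MAX_DEVIATION = 0.05


def coin_shares(balances):
    """Share of each coin in the pool. For coins meant to trade near 1:1 the ideal is 1/n."""
    total = sum(balances)
    if total <= 0:
        raise ValueError("pool has no liquidity")
    return [b / total for b in balances]


def imbalance(balances):
    """Largest relative deviation of any coin share from the ideal 1/n (0.0 = perfectly even)."""
    ideal = 1.0 / len(balances)
    return max(abs(share - ideal) / ideal for share in coin_shares(balances))


def pool_within_bounds(balances, max_deviation):
    return imbalance(balances) <= max_deviation


def guarded_interaction(balances, max_deviation, action):
    """Gate a deposit or withdrawal on the pool being balanced; returns (allowed, reason)."""
    dev = imbalance(balances)
    if dev > max_deviation:
        return False, f"{action} refused: imbalance {dev:.1%} exceeds bound {max_deviation:.0%}"
    return True, f"{action} allowed: imbalance {dev:.1%}"


def compare_bounds():
    # Constructed pool states (crvUSD, USDC): an even pool, and one skewed 60/40 as it would
    # be after a large crvUSD -> USDC swap pushed extra crvUSD into the pool.
    balanced = [1_000_000.0, 1_000_000.0]
    skewed = [1_200_000.0, 800_000.0]  # 20% relative deviation from the 50/50 ideal
    return {
        "balanced_loose": pool_within_bounds(balanced, LOOSE_MAX_DEVIATION),
        "balanced_tight": pool_within_bounds(balanced, TIGHT_MAX_DEVIATION),
        "skewed_loose": pool_within_bounds(skewed, LOOSE_MAX_DEVIATION),
        "skewed_tight": pool_within_bounds(skewed, TIGHT_MAX_DEVIATION),
    }


if __name__ == "__main__":
    print(compare_bounds())
    print(guarded_interaction([1_200_000.0, 800_000.0], TIGHT_MAX_DEVIATION, "deposit")[1])
```

The skewed state passes the loose bound, which is exactly the window the paragraph describes: a deposit or withdrawal priced against a pool that has been pushed off balance. Tightening the bound shrinks the amount by which a single swap can move the pool before the Omnipool stops interacting with it; the right value is a trade-off against refusing legitimate interactions during normal volatility.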

A total of approx. $934,000 was stolen from the crvUSD Omnipool, giving the attacker a profit of approx. $300,000.

Below is a full list of transactions attacking the crvUSD pool:

0x37acd17a80a5f95728459bfea85cb2e1f64b4c75cf4a4c8dcb61964e26860882
0x64910b0a07083119403ce1bb30c94503e99e44c334bdb68f3afea09c834bdd9f
0x3af57106166b8568a0ace8d0741cf05355d74d7e7e173f1bab7a4434c6f0ed80
0xcf484ced351166dee819fcf2417e7df6ac826ac6af53c676e28f6bc96f5bcdbd
0x680b7d4947068647b1360904581c843fe6b477e55fe64ece6ef4b733aee12c8f
0x69029760e5907a7a82c9ac008602f6cc719f1e64bf7912c1148bb6dce10cea41
0xad596a612492bc640eca76afd03a03aed9ad91cf98f226624a9d8829e35e9308
0xa267ece5e1321e4a51c2a03fb9592e73f79cc13ddc60d8bd7dafd6daf491d7fa
0xe7f54acd58bea522f9aac5d18f8765a96a2b41d1aa620f9df5e084e113976080
0x050dec294956f9a036565be9b2c1cfb4e7c74fcdeaed4ae8ef42f42cca17e32c
0xde8e5f61c89d3f488e97dad680d314a347fefa3e55eb00221b70527a7d44cea8
0xc08bfee8653bdb715144f98bc014eecbab6cf92ddaba16b836f3889fd850a862

Final words

The core team would like to express its deepest gratitude to the Conic community, which showed unwavering support through all of this. Furthermore, the Curve team and Hexagate deserve recognition for their massive help and support. A big thank you also goes out to the `curve_monitor_backup` Telegram bot, which was the first to report suspicious transactions linked to the crvUSD exploit. If Conic LPs have any questions or concerns, please do not hesitate to contact members of the Conic team on Discord or Telegram.

We will share an update on the Conic roadmap in the coming days.
