Conic Finance Read-Only Reentrancy
Conic Finance's ETH Omnipool had reentrancy guards, but they assumed Curve v2 pools use a specific ETH address. The newly deployed CurveLPOracleV2 skipped the guard for pools that did not match, and $3.2M was drained.
- Date
- Victim: Conic Finance
- Chain(s)
- Status
- Funds Stolen
On July 21, 2023, the Curve-Omnipool platform Conic Finance lost 1,724 ETH (~$3.2 million) to a read-only reentrancy exploit. The protocol had reentrancy guards in place — but they relied on an incorrect assumption about how Curve v2 ETH pools represent ETH internally, letting the attacker slip past the guard entirely.
What happened
Conic's ETH Omnipool aggregated user deposits across multiple Curve liquidity pools to maximise yield. To value the deposited LP tokens, Conic used its CurveLPOracleV2 contract — a newly deployed oracle that read the underlying Curve pools to compute fair value.
The reentrancy guard in the oracle was conditional on an _isETH() method that returned true if one of the pool's coins was the canonical ETH address (0xeeeeeeee...eeeeeeee). For pools matching this check, the contract would acquire a reentrancy lock before reading state. For pools not matching, it would skip the lock.
The fatal mistake: Curve v2 pools that hold ETH use the WETH address internally, not the canonical ETH address. The _isETH() method returned false for these pools, and the contract proceeded without the reentrancy lock.
The attack:
- Flash-borrowed 20,000 stETH.
- Initiated a series of swaps through the rETH Curve pool that put it in a partial-execution state.
- Mid-execution — while the rETH pool was internally inconsistent — called Conic's oracle to read rETH LP token price.
- The oracle, without the reentrancy guard, read the manipulated mid-swap state and returned an incorrect (inflated) price for rETH LP tokens.
- Deposited and withdrew Conic positions at the inflated rate, minting nearly double the cncETH tokens for the same deposit value.
- Looped the operation, drained funds from the Omnipool, repaid the flash loan.
Net theft: 1,724 ETH (~$3.2M).
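The conditional guard and the mid-execution read described above, reduced to a toy Python model. This is an added example, not Conic's or Curve's code: ToyPool, its withdraw ordering, the placeholder addresses and all numbers are constructed assumptions for illustration.

```python
ETH_SENTINEL = "<canonical-ETH-address>"  # placeholder, not a real address
WETH = "<WETH-address>"                   # placeholder, not a real address

class ReentrancyError(Exception): pass

class ToyPool:
    """Constructed model of a pool that is briefly inconsistent mid-call."""
    def __init__(self, coins, balances, lp_supply):
        self.coins, self.balances, self.lp_supply = coins, list(balances), lp_supply
        self.locked = False

    def lp_price(self):  # read-only getter: performs no lock check of its own
        return sum(self.balances) / self.lp_supply

    def withdraw(self, lp_amount, on_payout):
        if self.locked:
            raise ReentrancyError("pool is locked")
        self.locked = True
        share = lp_amount / self.lp_supply
        self.lp_supply -= lp_amount   # LP supply is reduced first
        on_payout()                   # external callback runs mid-update
        self.balances = [b * (1 - share) for b in self.balances]  # balances last
        self.locked = False

def is_eth_flawed(pool):
    # Only recognises the ETH sentinel, so a WETH-listed pool is not "ETH".
    return ETH_SENTINEL in pool.coins

def is_eth_fixed(pool):
    # WETH-aware predicate, the shape of the fix this write-up describes.
    return ETH_SENTINEL in pool.coins or WETH in pool.coins

def oracle_price(pool, is_eth):
    # Conditional guard: the lock is consulted only when is_eth(pool) is true.
    if is_eth(pool) and pool.locked:
        raise ReentrancyError("pool is mid-execution; refusing to price")
    return pool.lp_price()

def price_seen_mid_withdraw(is_eth):
    """Return (price the oracle reported during the callback, settled price)."""
    pool = ToyPool([WETH, "rETH"], [1000.0, 1000.0], 2000.0)
    seen = []
    def callback():
        try:
            seen.append(oracle_price(pool, is_eth))
        except ReentrancyError:
            seen.append(None)  # guard fired, no price was produced
    pool.withdraw(1000.0, callback)
    return seen[0], pool.lp_price()
```

With the flawed predicate the oracle reports 2.0 during the callback for a pool whose settled price is 1.0; with the WETH-aware predicate the guard raises and no price is returned.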
Aftermath
- Conic paused the Omnipool and published a detailed post-mortem.
- The team announced a compensation plan funded from protocol revenue.
- The CurveLPOracleV2 was patched to use the correct WETH-aware reentrancy logic.
- The exploit revealed that the audit scope had not included CurveLPOracleV2: the contract was deployed after the most recent audit. The same reentrancy issue had previously been identified and fixed in earlier oracle versions, but was reintroduced when V2 was written.
Why it matters
Conic Finance's incident is a textbook case for two compounding failure modes:
- Read-only reentrancy is harder to spot than write-reentrancy. Most reentrancy education focuses on attacks that mutate state during the re-entry — checks-effects-interactions guards specifically against this. Read-only reentrancy — where the re-entered function only reads state, but that state is mid-mutation — slips past intuitive analysis because "we're just reading" feels safe. Curve v1's remove_liquidity is a particularly fertile source of read-only reentrancy bugs that subsequent oracle integrations repeatedly miss.
- Patched bugs re-emerge in new code. Conic's earlier oracle had been audited and patched against the same reentrancy class; the V2 oracle, written from scratch by the same team, reintroduced the bug because it was not part of the audit scope. The pattern recurs everywhere a team ships a "v2 rewrite" of a contract that had been hardened in v1 — institutional knowledge about specific known vulnerabilities does not always transfer through the rewrite.
The defensive answer is consistent: every oracle integration that reads from another protocol's state must explicitly handle that protocol's known reentrancy surface, and any rewrite of a previously-audited contract must include re-audit of the specific bug class the original fix addressed. Conic's $3.2M is the price of skipping these steps.