defirisk.co
rubric v1.7.0

Conic Finance: Read-only reentrancy in CurveLPOracleV2 (ETH/WETH mismatch bypassed reentrancy guard) + sandwich attack on imbalanced pool

Conic Finance was hit twice on the same day for $4.2M — the first via a read-only reentrancy bug that an auditor had already identified in a different contract, but which reappeared in a newly deployed oracle not in the audit scope.

Occurred 2023-07-21 Loss $4M Status closed

Summary #

Conic Finance, a yield aggregator and Curve liquidity manager (Omnipool), was exploited on 2023-07-21, resulting in a loss of approximately $4M.

What happened #

Conic Finance was hit twice on 2023-07-21 for about $4.2M in total. The first exploit abused a read-only reentrancy bug in CurveLPOracleV2: an ETH/WETH mismatch let the targeted Curve pool bypass the oracle's reentrancy guard, so an attacker funded by a 20K stETH flash loan could read a manipulated rETH Curve LP token price mid-transaction. An auditor had already flagged this class of bug in a different Conic contract, but CurveLPOracleV2 was a new contract deployed shortly before the hack and was never in the audit scope. The second hit, the same day, was a sandwich attack on an imbalanced pool.
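As an added worked example (this is not Conic's CurveLPOracleV2, nor code from the audit or from this page), the shape of the bypass in Solidity: a Curve LP oracle that only fires its reentrancy probe for pools whose coin list contains the ETH sentinel, beside a version that fails closed. The interface, the mock pool, the contract and function names and the governance allowlist are assumptions; the probe itself follows the common pattern of calling a lock-protected pool function before reading the virtual price, and the mock assumes a pool that lists WETH as its coin but still settles in native ETH during remove_liquidity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration of the bug class, NOT Conic's code. Names, the mock pool
// and the probe function are assumptions. Assumed model: Curve pools that can
// pay out native ETH expose a function carrying Curve's nonreentrant lock
// (here withdraw_admin_fees), so calling it reverts while the pool is still
// inside remove_liquidity. A pool that lists WETH as its coin yet settles in
// native ETH is the ETH/WETH mismatch.

interface ICurvePool {
    function coins(uint256 i) external view returns (address);
    function get_virtual_price() external view returns (uint256);
    function withdraw_admin_fees() external; // assumed nonreentrant on ETH pools
}

address constant ETH_SENTINEL = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;
address constant WETH = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;

abstract contract LpOracleBase {
    // Decide whether the pool must be probed for an in-flight reentrant state.
    function _needsProbe(address pool, uint256 nCoins) internal view virtual returns (bool);

    // LP price read used by the protocol. The probe must run BEFORE the read.
    function lpPrice(address pool, uint256 nCoins) external returns (uint256) {
        if (_needsProbe(pool, nCoins)) {
            ICurvePool(pool).withdraw_admin_fees(); // reverts if the pool is reentered
        }
        return ICurvePool(pool).get_virtual_price();
    }
}

// Vulnerable shape: probe only when the coin list contains the ETH sentinel.
// A pool that reports WETH is treated as "no native ETH", so no probe runs and
// get_virtual_price() can be read while remove_liquidity is still executing.
contract LpOracleVulnerable is LpOracleBase {
    function _needsProbe(address pool, uint256 nCoins) internal view override returns (bool) {
        for (uint256 i = 0; i < nCoins; i++) {
            if (ICurvePool(pool).coins(i) == ETH_SENTINEL) return true;
        }
        return false;
    }
}

// Hardened shape: the coin list is not trusted to say whether a pool can call
// back with native ETH. Probing is the default; only a pool that governance
// has explicitly allowlisted as pure-ERC20 (assumed mapping) may skip it.
contract LpOracleHardened is LpOracleBase {
    mapping(address => bool) public pureErc20Pool;

    function _needsProbe(address pool, uint256 /* nCoins */) internal view override returns (bool) {
        return !pureErc20Pool[pool]; // fail closed
    }
}

// Constructed mock pool so the two oracles can be run offline (not a real Curve pool).
contract MockPool is ICurvePool {
    address[] private _coins;
    bool public midWithdrawal; // true while a remove_liquidity callback is in flight
    uint256 public constant TRUE_PRICE = 1e18;

    constructor(address[] memory coinList) { _coins = coinList; }
    function coins(uint256 i) external view override returns (address) { return _coins[i]; }
    function setMidWithdrawal(bool v) external { midWithdrawal = v; }
    function withdraw_admin_fees() external view override { require(!midWithdrawal, "reentrant call"); }
    // Mid-withdrawal the pool balances have already dropped while LP supply has
    // not yet been burned, so the virtual price is off; modelled here as 2x.
    function get_virtual_price() external view override returns (uint256) {
        return midWithdrawal ? 2 * TRUE_PRICE : TRUE_PRICE;
    }
}

contract Demo {
    // Returns the price the vulnerable oracle accepts mid-withdrawal (2e18, stale)
    // and whether the hardened oracle refused the read (true).
    function run() external returns (uint256 vulnerablePrice, bool hardenedReverted) {
        address[] memory coinList = new address[](2);
        coinList[0] = WETH;                          // pool lists WETH, not the ETH sentinel
        coinList[1] = address(uint160(0xBEEF));      // stand-in for the second coin (e.g. rETH)
        MockPool pool = new MockPool(coinList);
        pool.setMidWithdrawal(true);                 // simulate the attacker's callback window

        LpOracleVulnerable vulnerable = new LpOracleVulnerable();
        vulnerablePrice = vulnerable.lpPrice(address(pool), 2);

        LpOracleHardened hardened = new LpOracleHardened();
        try hardened.lpPrice(address(pool), 2) returns (uint256) {
            hardenedReverted = false;
        } catch {
            hardenedReverted = true;
        }
    }
}
```

Deploy the file in Remix or a local Foundry project and call Demo.run(): the vulnerable oracle returns 2e18 while the mock pool is mid-withdrawal, the hardened one reverts on the probe. The design point is that the coin list is an inference about how a pool settles, and an oracle that gates its reentrancy check on an inference fails open whenever the inference is wrong; gating it on an explicit allowlist fails closed.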

Linked factors #

  • RD-F-001 — causal : ★ Audit scope mismatch — alternate field name [via dashboard_risk_factors/Exploited code in scope?: No — CurveLPOracleV2 was not part of the audit scope] || ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-004 — causal : Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited (new contract out of scope); audit had flagged the same class of bug in a different contract]
  • RD-F-006 — causal : Audit-deploy gap — alternate field name [via dashboard_risk_factors/Code newly deployed/upgraded?: Yes — CurveLPOracleV2 was a new contract deployed shortly before the hack]
  • RD-F-050 — causal : Dependency graph [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
  • RD-F-052 — related : Breakage analysis [via cross-hack: Factor 6: Cross-Protocol / Composability Complexity]
  • RD-F-099 — illustrative : Oracle price deviation > X% from secondary source — RT signal would have fired [via realtime_signals/Oracle anomaly (Y/N): Y — rETH Curve LP token price manipulation is detectable as an oracle anomaly]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing (Y/N): Y — 20K stETH flash loan]