Velocore, a decentralized exchange that operates on the Telos, zkSync Era and Linea blockchains, was exploited for approximately $6.8 million in tokens last night through a vulnerability in the smart contract that controls its liquidity pool.
Hackers were able to exploit a vulnerability in the overflow logic to trick Velocore into turning small withdrawals into large deposits. With the help of flash loans, hackers were able to deplete Velocore’s “volatile pool” on zkSync Era and Linea, while the team was able to secure its assets on Telos. The “stable pool” was not affected.
“Despite being audited multiple times and implementing preventative features to ensure security, an unexpected incident occurred quickly,” Velocore said in a post-mortem investigation. “We are deeply saddened and sincerely apologize to our users who trusted us.” Velocore has also disabled the logic flaw used in the exploit, eliminating the possibility of a copycat attack.
The incident led the Linea Ethereum Layer 2 network, built by ConsenSys, to temporarily pause block production in failed attempts to mitigate losses from the attack.
“Because other methods of handling this exploit were closed, our team shut down the sequencer to prevent further fund leaks. This was a last resort measure to protect Linea’s users,” the protocol wrote on X. Linea said the goal is ultimately to: The protocol defended its decision to stop the chain, distancing the team from the ability to stop the network after significant decentralization occurred. “Most L2s, including Linea, still rely on centralized technology operations that can be leveraged to protect ecosystem participants. Linea’s core value is a permissionless, censorship-resistant environment, so this is not a decision we took lightly,” the protocol said.
Velocore contacted the hackers and sent them a message offering a 10% white hat bounty if they returned the remaining funds by 8:00 UTC on June 3. The hacker has not yet responded and has since deposited about 1,700 ETH, worth about $7 million, into cryptocurrency mixer Tornado Cash. In its post-event investigation, Velocore promised, “For those affected, we have taken a snapshot of the state of the blockchain prior to the incident. Once operations resume, we will implement an appropriate compensation plan to address any losses suffered by users.”
Disclaimer: The Block is an independent media outlet delivering news, research and data. As of November 2023, Foresight Ventures is a majority investor in The Block. Foresight Ventures invests in other companies in the cryptocurrency space. Cryptocurrency exchange Bitget is an anchor LP of Foresight Ventures. The Block continues to operate independently to provide objective, impactful and timely information about the cryptocurrency industry.