Decentralized exchange Velocore addresses $7 million hack in postmortem, offers bounty to hacker

Quick Take

  • Decentralized exchange Velocore was hacked for around $7 million in tokens last night when a user exploited a vulnerability in the logic governing the exchange’s smart contracts. 
  • The hack led the Linea blockchain team to halt block production, which has since resumed. 
  • Velocore has offered a 10% bug bounty to the hacker, who has yet to respond. 

Decentralized exchange Velocore, which operates on the Telos, zkSync Era, and Linea blockchains, was exploited for about $6.8 million in tokens last night through a vulnerability in the smart contracts which control its liquidity pools. 

A hacker was able to exploit the vulnerability in overflow logic in order to trick Velocore into turning a small withdrawal into a large deposit. With the help of a flash loan, the hacker was able to drain Velocore's "volatile pools" on zkSync Era and Linea, though the team was able to safeguard its assets on Telos. "Stable pools" were unaffected. 

"Despite undergoing multiple audits and implementing preventive features to ensure security, this unexpected incident happened swiftly. We are deeply saddened and sincerely apologize to our users who have trusted us," Velocore wrote in its post-mortem. Velocore has also disabled the logic flaw used in the exploit, eliminating the chance of a copycat attack. 

The incident led the ConsenSys-built Linea Ethereum Layer 2 network to temporarily pause its block production in an unsuccessful attempt to mitigate the losses from the attack. 

"Because other avenues of handling this exploit closed, our team halted the sequencer to prevent additional funds bridging out. This was the last resort action to protect users on Linea," the protocol wrote on X. While Linea stated its goal was to eventually take away the ability to halt the network from its team once significant decentralization had occurred, the protocol defended the decision to halt the chain. "Most L2s, including Linea, still rely on centralized technical operations which can be leveraged to protect ecosystem participants. Linea's core value is a permissionless, censorship-resistant environment so it was not a decision we took lightly," the protocol wrote.

Velocore has reached out to the hacker with a message offering a 10% white hat bounty for the return of the remainder of the funds by June 3, 8:00 UTC. The hacker has yet to respond, though the hacker has since deposited about 1700 ETH, worth about $7 million, to cryptocurrency mixer Tornado Cash. Velocore, in its postmortem, promised, "For those affected, we have taken a snapshot of the blockchain state prior to the incident. Once operations resume, we will implement an appropriate compensation plan to address the losses incurred to our users."


Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.

© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

About Author

Zack Abrams is a writer and editor based in Brooklyn, New York. Before coming to The Block, he was the Head Writer at Coinage, a Web3 media outlet covering the biggest stories in Web3. The story he co-reported on Do Kwon won a 2022 Best in Business Journalism award from SABEW. Other projects included a deep dive into SBF's defense based on exclusive documents and unveiling the identity of the hacker behind one of 2023's biggest crypto hacks — so far. He can be reached via X @zackdabrams or email, [email protected].