Yesterday, decentralized trading platform Velocore was hacked, resulting in the theft of 1807 ETH (approximately $6.88 million). Velocore later released a report detailing the affected funds, attack methods, and compensation plans.
Table of Contents:
Contract Vulnerability Leads to Attack
Another Flash Loan Attack?
Compensation for Users After Resuming Operations
Decentralized trading platform Velocore, deployed on Layer2 networks zkSync and Linea, was attacked by hackers yesterday, resulting in a loss of 1807 ETH (approximately $6.88 million). Chain analyst Yu Yan stated that the liquidity funds of all users on the platform were stolen, and the hackers subsequently transferred the stolen funds to the Ethereum mainnet through a cross-chain bridge. They then transferred all the ETH to the address 0xe40 and used the Tornado mixer protocol to conceal and launder the funds.
Additionally, according to DeFi data platform DefiLlama, Velocore’s total locked value plummeted from $10.16 million the previous day to $835,000, a decrease of 92%, after the attack.
Yesterday, the Velocore team released a security review report regarding the hacker attack incident. The report stated that the attack was due to a contract vulnerability in the Balancer-style constant product market maker (CPMM) pools. The report detailed the security status of each fund pool:
All CPMM pools in Velocore on Linea and zkSync Era chains were affected.
The stable pool was unaffected.
Velocore on the Telos chain also had the same issue, but the team had already addressed it before the exploit.
Although Bladeswap on the Blast chain uses Velocore’s core contract, it was not affected by this contract vulnerability as Bladeswap uses XYK pools instead of CPMM pools.
The constant product market maker (CPMM) is one of the earliest pricing functions adopted by DeFi liquidity pools. Its invariant is x * y = k, where x and y are the pool's reserves of the two assets and k is a constant. The function sets the relative price of the two tokens from the quantity (liquidity) of each available in the pool: if the reserve of token X increases, the reserve of token Y must decrease so that the product k stays constant.
According to the report, the attacker first obtained funds from the Tornado mixer protocol and triggered the condition required by the contract vulnerability. They then used a flash loan to acquire liquidity provider (LP) tokens and redeemed most of them, significantly shrinking the liquidity pool. Finally, the attacker exploited the token contract vulnerability to mint an unusually large amount of LP tokens and used them to repay the flash loan.
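To make the CPMM mechanics and the LP-token accounting in the report concrete, here is an added Python model (not Velocore's or Balancer's code, and it does not reproduce the vulnerability): a two-asset x * y = k pool in which LP shares are minted pro rata, plus a check that LP supply never exceeds sqrt(x * y), the property an unbacked LP mint would break.

```python
import math


class CPMMPool:
    """Minimal two-asset constant product pool (x * y = k) with LP-share accounting.
    Constructed model for illustration, not Velocore's contract; integer arithmetic
    mirrors how on-chain pools compute in token base units."""

    def __init__(self):
        self.x = 0          # reserve of token X
        self.y = 0          # reserve of token Y
        self.lp_supply = 0  # LP tokens outstanding (claims on the reserves)

    def add_liquidity(self, dx, dy):
        """Mint LP shares proportional to the deposit; first deposit mints sqrt(dx*dy)."""
        if self.lp_supply == 0:
            minted = math.isqrt(dx * dy)
        else:
            # Pro-rata on the smaller ratio, so an imbalanced deposit cannot over-mint.
            minted = min(dx * self.lp_supply // self.x, dy * self.lp_supply // self.y)
        self.x += dx
        self.y += dy
        self.lp_supply += minted
        return minted

    def remove_liquidity(self, shares):
        """Burn LP shares for a pro-rata slice of both reserves."""
        assert 0 < shares <= self.lp_supply, "cannot burn more shares than exist"
        dx = shares * self.x // self.lp_supply
        dy = shares * self.y // self.lp_supply
        self.x -= dx
        self.y -= dy
        self.lp_supply -= shares
        return dx, dy

    def swap_x_for_y(self, dx, fee_bps=30):
        """Sell dx of X for Y; the output is sized so x*y never falls below k."""
        dx_after_fee = dx * (10_000 - fee_bps) // 10_000
        dy = self.y * dx_after_fee // (self.x + dx_after_fee)
        k_before = self.x * self.y
        self.x += dx
        self.y -= dy
        assert self.x * self.y >= k_before, "constant product violated"
        return dy


def lp_backing_holds(pool):
    """Pool-level sanity check: LP supply may never exceed sqrt(x*y). If it does,
    shares claim more than the reserves can back, the symptom of an LP over-mint."""
    return pool.lp_supply <= math.isqrt(pool.x * pool.y)
```

Withdrawing most of the liquidity leaves a small pool, but `lp_backing_holds` still passes; only an LP balance that was not backed by a deposit makes it fail.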
Regarding the hacker attack, the Velocore team stated that they are actively tracking the hackers and attempting on-chain negotiations. Velocore displayed a message on-chain to communicate with the hackers, but there has been no response from them so far.
The team also said it will compensate affected users and has taken a snapshot of the chain state from before the attack. The compensation plan, however, will be executed only after Velocore resumes operations.