Velocore: Inside the $6.8 Million DeFi Hack

TL;DR

Velocore suffered a $6.8 million exploit due to a vulnerability in its Balancer-style CPMM contract. The Linea team halted block production to protect funds, and Velocore is negotiating with the hacker, offering a 10% bug bounty. Despite multiple audits, significant security flaws were exploited, raising concerns about future stability.

Make Sure This Hack Doesn’t Happen To You 🫵

Subscribe to Blockbasis and get access to our premium scanner to check whether your wallet or a contract is safeguarded from hacks 🔐

For a limited period only, you can get a 7 day FREE trial!

All for just $50/month after the trial.
Don't miss out! Grab your FREE trial today 👇

High-Speed DeFi Ambitions Screech to a Halt

Velocore's rapid ascent in the decentralized finance (DeFi) space was abruptly interrupted on June 2nd when the L2 DEX suffered a devastating exploit, resulting in a loss exceeding $6.8 million across its pools on Linea and zkSync.

The breach exploited a vulnerability in Velocore's Balancer-style CPMM contract, allowing the attacker to manipulate fee calculations and drain a significant portion of the platform's liquidity.

In response, the Linea team temporarily halted block production, though operations have since resumed. Velocore has extended a 10% bug bounty offer to the hacker, who remains unresponsive.

The decision by Linea's team to pause the chain has raised centralization concerns within the community.

Despite undergoing multiple audits, Velocore's protocol still harbored an exploitable flaw.

The future of Velocore now hangs in the balance—will it stage a comeback or face a permanent pit stop?

Subscribe to Newsletter Bitcoin

Receive weekly Bitcoin summaries with news, insights and analysis on all things Bitcoin, all for free.

The ever-vigilant crypto investigator, Officer CIA, was the first to notice irregularities in Velocore’s liquidity pools.

According to Velocore's post-mortem report, the attacker sourced funds from Tornado Cash, bridged them over to execute the exploit, and then returned the stolen assets to Tornado Cash.

The attacker initiated a series of transactions by invoking the velocore__execute() function to simulate massive withdrawals and inflate the feeMultiplier. This inflated multiplier pushed the effectiveFee1e9 above 100%, allowing the perpetrator to execute a flash loan and acquire most of the tokens, draining the pool.

In the final step, a small single-token withdrawal triggered an underflow error, minting an excessively large amount of liquidity tokens. This allowed the attacker to repay the flash loan and abscond with $6.8 million in ETH.

Beosin's analysis highlighted a critical vulnerability in the LP Pool's lack of permission verification. The attacker directly invoked the velocore__execute function (0xec378808) with carefully crafted parameters, manipulating the feeMultiplier parameter and facilitating the exploit.

The feeMultiplier value significantly influences the number of tokens exchanged. The attacker manipulated this parameter to call the execute function (0xd3115a8a) again through the router contract, effectively draining funds from the liquidity pool.

Attacker Address:

• 0x8cdc37ed79c5ef116b9dc2a53cb86acaca3716bf

Exploited Contracts:

• 0xed4e130f6f9e68918996f7e1e46a3306b3e12cec

• 0xb7f6354b2cfd3018b3261fbc63248a56a24ae91a

• 0xc030fba4b741b770f03e715c3a27d02c41fc9dae

• 0xf7f76b30a301524fe76508546B1e3762eF2B9267

Attack Transactions:

• Transaction 1

0xed11d5b013bf3296b1507da38b7bcb97845dd037d33d3d1b0c5e763889cdbed1

• Transaction 2

0x37434e674efc4e7cfeed7746095301ace5636028906fe548b786ead286e35eb0

• Transaction 3

0x4156d73cadc18419220f5bcf10deb4d97a3d3f7533d63ba90daeabc5fd11ba17

Final Fund Destination (Before Tornado Cash):

• 0xe4062fcade7ac0ed47ad794028967a2314ee02b3

During the exploit, the Linea team halted the sequencer to prevent additional funds from being bridged out, citing the inability to contact Velocore. "This was the last resort action to protect users on Linea," the network stated on X.

While Linea aims to eventually relinquish the ability to halt the network once significant decentralization is achieved, the protocol defended its decision. "Most L2s, including Linea, still rely on centralized technical operations which can be leveraged to protect ecosystem participants. Linea's core value is a permissionless, censorship-resistant environment, so it was not a decision we took lightly," the network explained.

Velocore has initiated negotiations with the attacker to recover the $6.8 million in stolen ETH, offering 10% as a white hat bug bounty reward.

Official documents reveal that Velocore claims to have undergone three rounds of audits, completed by Zokyo, Hacken, and Scalebit in August 2023.

With their rapid growth hampered by insecure code, Velocore now faces a significant challenge. Will they have enough resources and resilience to recover from this setback?

Subscribe to WAGMI

Get Ahead In Crypto. Join 15,000+ subscribers and get our free 5-min daily newsletter

For a protocol that touted multiple audits and solidified security, Velocore now appears more like a rusty junker left for scrap following this $6.8 million drain.

Despite offering a 10% bug bounty, Velocore has yet to coax the hacker out from their Tornado Cash hideout.

At this rate, the team may need to invest in psychic mediums to communicate with the drainer from the other side.

The pressing question is whether this was an isolated crash or just the first fender bender in a series of recurring collisions for Velocore.

With so many blind spots missed during their audit cycle, cautious crypto investors may want to steer clear until the project undergoes a complete overhaul from the chassis up.

Will Velocore find a way to get their motors humming again, or will this exploit force them to permanently park their DeFi dreams in the junkyard?