Yesterday, decentralized exchange platform Velocore was hacked, resulting in the theft of 1807 ETH (approximately $6.88 million). In a subsequent report, Velocore explained the affected fund pool, the attack method, and the compensation plan.
Table of Contents:
– Contract vulnerability leads to attack
– Another flash loan attack?
– Compensation for users once operations are restored
Decentralized exchange platform Velocore, deployed on the Layer 2 networks zkSync and Linea, was attacked by hackers yesterday, resulting in a loss of 1807 ETH (approximately $6.88 million). On-chain analyst Yu Yin stated that all users’ liquidity on the platform was stolen, and that the hackers then moved the stolen funds to the Ethereum mainnet through a cross-chain bridge, sent all of the ETH to the address 0xe40, and used the Tornado mixer to obscure its trail.
In addition, according to the DeFi data platform DefiLlama, Velocore’s total value locked fell after the hack from $10.16 million the previous day to $835,000, a 92% drop.
Yesterday, the Velocore team released a security review report regarding the hack. The report stated that the attack was due to a contract vulnerability in the Balancer-style CPMM pool. The report detailed the security status of each fund pool:
– All CPMM pools in Velocore on the Linea and zkSync Era chains were affected.
– The stable pool was unaffected.
– Velocore on the Telos chain also had the same issue, but the team addressed it before the problem could be exploited.
– Bladeswap on the Blast chain, while using Velocore’s core contract, was not affected by this contract vulnerability as it employs an XYK pool instead of a CPMM pool.
CPMM, the constant product market maker, is one of the earliest pricing functions adopted by DeFi liquidity pools. Its invariant is x*y=k, where x and y are the reserve quantities of the two assets in the pool and k is a constant. The price of one token in terms of the other follows from the ratio of the reserves. If the pool’s reserve of token X increases (someone sells X into the pool), its reserve of token Y must decrease so that the product stays at k.
According to the report, the attacker funded the attack with ETH withdrawn from the Tornado mixer and then triggered the contract vulnerability. They took a flash loan, used it to acquire liquidity provider (LP) tokens, and redeemed those tokens for the majority of the pool’s reserves, drastically shrinking the pool. They then exploited the contract vulnerability to mint an abnormally large number of LP tokens, which allowed them to repay the flash loan.
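To make the CPMM description and the attack pattern concrete, here is a small Python model (added here as an illustration, not Velocore’s contract code) of a constant-product pool with pro-rata LP tokens, together with a monitoring check that flags the two symptoms described above: LP supply growing faster than the reserves justify, and reserves shrinking without any LP tokens being burned. The class, function and field names are the example’s own assumptions.

```python
from __future__ import annotations
from math import isqrt


class CPMMPool:
    """Toy constant-product pool (x*y = k) with pro-rata LP tokens; constructed model, not Velocore's code."""

    def __init__(self, x: int, y: int):
        self.x, self.y = x, y
        self.lp_supply = isqrt(x * y)  # first depositor receives sqrt(k) LP tokens

    def k(self) -> int:
        return self.x * self.y

    def swap_x_for_y(self, dx: int, fee_bps: int = 30) -> int:
        """Sell dx of X for Y; the fee stays in the reserves, so k never drops on a swap."""
        dx_eff = dx * (10_000 - fee_bps) // 10_000
        dy = self.y * dx_eff // (self.x + dx_eff)  # floor rounding favours the pool
        self.x, self.y = self.x + dx, self.y - dy
        return dy

    def add_liquidity(self, dx: int, dy: int) -> int:
        """Mint LP pro rata to the smaller side, so a lopsided deposit can never over-mint."""
        minted = min(dx * self.lp_supply // self.x, dy * self.lp_supply // self.y)
        self.x, self.y, self.lp_supply = self.x + dx, self.y + dy, self.lp_supply + minted
        return minted

    def remove_liquidity(self, lp: int) -> tuple[int, int]:
        """Burn lp tokens for a pro-rata share of both reserves."""
        dx, dy = lp * self.x // self.lp_supply, lp * self.y // self.lp_supply
        self.x, self.y, self.lp_supply = self.x - dx, self.y - dy, self.lp_supply - lp
        return dx, dy

    def snapshot(self) -> dict:
        return {"x": self.x, "y": self.y, "lp": self.lp_supply}


def lp_ratio(s: dict) -> float:
    """LP tokens per unit of sqrt(k). Honest mints are pro rata, so this ratio must never rise."""
    root = isqrt(s["x"] * s["y"])
    return s["lp"] / root if root else float("inf")


def audit_transition(before: dict, after: dict, tol: float = 1e-9) -> list[str]:
    """Monitoring check over two consecutive pool states (reserves and LP supply read after each block)."""
    findings = []
    if after["lp"] > before["lp"] and lp_ratio(after) > lp_ratio(before) * (1 + tol):
        findings.append("LP supply grew faster than sqrt(k): possible over-mint")
    if after["lp"] == before["lp"] and after["x"] * after["y"] < before["x"] * before["y"]:
        findings.append("k decreased without an LP burn: reserves drained")
    return findings
```

Run `audit_transition` over successive snapshots of a real pool’s reserves and LP total supply; a healthy pool only ever lowers `lp_ratio` (fees grow k while supply is fixed), so any rise is worth an alert.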
Regarding the hack, the Velocore team stated that they are actively investigating the attackers and attempting to negotiate on-chain. Velocore sent an on-chain message to the attackers but has not yet received a response.
The team also said that it will compensate those affected and has taken a snapshot of the chain state from before the attack. However, the compensation plan will only be carried out once Velocore’s operations are restored.