Velocore's $6.8 Million Exploit: Fast and Furious Losses in Crypto

The recent exploit on Velocore, an L2 decentralized exchange (DEX), resulted in a devastating loss of over $6.8 million on June 2nd. This breach affected its liquidity pools on Linea and zkSync, exposing significant vulnerabilities in its smart contracts.

The Vulnerability and Exploit

Velocore's Balancer-style constant product market maker (CPMM) contract was exploited by an attacker who manipulated fee calculations to drain liquidity. The exploit began with Velocore’s velocore__execute() function, which allowed the attacker to simulate massive withdrawals and inflate the feeMultiplier. Using a flash loan, the attacker then withdrew a large amount of tokens, causing a significant liquidity drain. In the final stage, a single-token withdrawal minted an excessively large amount of liquidity tokens because of an underflow error, enabling the attacker to repay the flash loan and escape with $6.8 million in ETH.

Centralization Concerns

In response to the hack, the Linea team halted block production to prevent further fund loss. This action, while necessary, raised concerns about centralization within the crypto community. Linea later resumed operations and defended their decision, emphasizing that centralized technical operations can protect ecosystem participants in emergencies.

Velocore's Response and Audit Failures

Despite undergoing multiple audits by Zokyo, Hacken, and Scalebit in August 2023, Velocore's protocol still had exploitable flaws. Velocore has offered a 10% bug bounty to the hacker for the return of the stolen funds, but there has been no response from the attacker, who used Tornado Cash to obscure the transactions.

Analysis and Attack Details

According to Beosin's analysis, the LP pool lacked proper permission verification. The attacker supplied a carefully constructed parameter to manipulate feeMultiplier and drained the funds through the router contract.
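The bug class described in the two sections above (an entry point with no caller verification that lets anyone inflate feeMultiplier, followed by an unchecked subtraction that underflows) can be modeled in a few lines. This is an added example, not Velocore's code: the update rule, the constants, and every name other than feeMultiplier are assumptions chosen to show the mechanism and the two checks that stop it.

```python
"""Simplified model of the bug class; NOT Velocore's contract code."""
UINT256 = 2**256
ONE = 10**9        # assumed fixed-point scale: 1e9 == 100%
BASE_FEE = 10**7   # constructed value: 1% base fee
VAULT = "vault"    # hypothetical name for the only legitimate caller


class Pool:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.fee_multiplier = ONE  # 1.0x in fixed point

    def execute(self, caller: str, withdrawal: int, reserves: int) -> None:
        """Entry point that updates feeMultiplier from a (simulated) withdrawal."""
        if self.hardened and caller != VAULT:
            raise PermissionError("execute: caller is not the vault")
        # Assumed rule: the multiplier grows with withdrawal size vs. reserves.
        self.fee_multiplier = self.fee_multiplier * (reserves + withdrawal) // reserves

    def effective_fee(self) -> int:
        return BASE_FEE * self.fee_multiplier // ONE

    def lp_for_single_token_withdrawal(self, amount: int) -> int:
        fee = self.effective_fee()
        if self.hardened:
            # Checked arithmetic: a fee above 100% must revert, not wrap.
            if fee > ONE:
                raise ArithmeticError("effective fee exceeds 100%")
            keep = ONE - fee
        else:
            # Unchecked uint256 subtraction wraps to a huge positive value.
            keep = (ONE - fee) % UINT256
        return (amount * keep) % UINT256 // ONE


def run(hardened: bool, caller: str) -> int:
    """Three oversized simulated withdrawals, then one single-token withdrawal."""
    pool = Pool(hardened)
    for _ in range(3):
        pool.execute(caller, withdrawal=9_000, reserves=1_000)
    return pool.lp_for_single_token_withdrawal(amount=1_000)
```

In the hardened pool, the caller check alone blocks the unauthorized path, and the fee bound is defense in depth for the case where the multiplier is ever driven past 100% by a legitimate caller.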

Attacker Address: 0x8cdc37ed79c5ef116b9dc2a53cb86acaca3716bf
Exploited Contracts:

  • 0xed4e130f6f9e68918996f7e1e46a3306b3e12cec
  • 0xb7f6354b2cfd3018b3261fbc63248a56a24ae91a
  • 0xc030fba4b741b770f03e715c3a27d02c41fc9dae
  • 0xf7f76b30a301524fe76508546B1e3762eF2B9267

Attack Transactions:

  • 1: 0xed11d5b013bf3296b1507da38b7bcb97845dd037d33d3d1b0c5e763889cdbed1
  • 2: 0x37434e674efc4e7cfeed7746095301ace5636028906fe548b786ead286e35eb0
  • 3: 0x4156d73cadc18419220f5bcf10deb4d97a3d3f7533d63ba90daeabc5fd11ba17

Final Fund Destination (Before Tornado Cash): 0xe4062fcade7ac0ed47ad794028967a2314ee02b3

Conclusion

Velocore’s exploit underscores the critical importance of robust security measures and thorough audits in the cryptocurrency space. For a protocol that prided itself on multiple audits, the occurrence of such a significant exploit raises questions about the efficacy of those audits. Crypto users should exercise caution and stay informed about the security practices of the projects they invest in.

With Velocore now offering a bug bounty to recover the stolen funds, the future remains uncertain. Whether this incident will be an isolated crash or the beginning of recurring issues depends on Velocore's ability to address these vulnerabilities and restore confidence in its protocol.