According to BlockBeats, Velocore, a decentralized exchange platform, was targeted by hackers who stole 1807 ETH, equivalent to approximately $6.88 million. Following the attack, Velocore released a report detailing the affected funds, the method of attack, and a proposed compensation plan.
The platform, which operates on the Layer 2 networks zkSync and Linea, saw all user liquidity funds stolen. The hackers then transferred the stolen funds to the Ethereum mainnet via a cross-chain bridge. The funds were then moved to the 0xe40 address and concealed using the Tornado mixer protocol.
Data from the DeFi data platform DefiLlama showed that following the attack, Velocore's total value locked (TVL) plummeted from $10.16 million the previous day to $835,000, a drop of 92%.
The Velocore team released a security review report in response to the attack. The report identified a contract vulnerability in the Balancer-style CPMM pool as the cause of the attack. The report detailed the security status of various funds:
- All CPMM pools on Velocore on the Linea and zkSync Era chains were affected.
- The stable pool was not affected.
- Velocore on the Telos chain had the same issue, but the team addressed it before it could be exploited.
- Bladeswap on the Blast chain uses Velocore's core contract, but it was not affected by this contract vulnerability because it uses an XYK pool instead of a CPMM pool.
The report indicated that the attacker first obtained funds from the Tornado mixer protocol and met the conditions to trigger the contract vulnerability. They then used a flash loan to obtain liquidity provider (LP) tokens and withdrew most of the tokens, significantly reducing the size of the liquidity pool. The attacker then exploited a token contract vulnerability to mint an unusually large number of LP tokens, which were used to repay the flash loan.
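The sequence the report describes (a sharp drain of the pool followed by an outsized LP mint) can be checked for by a monitor, sketched here as an added example that is not taken from Velocore's report or contracts. It assumes proportional Balancer-style weighted-pool accounting, where a fair join mints `supply * (invariant_after / invariant_before - 1)` LP tokens; the event fields, thresholds and sample records are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class PoolEvent:            # hypothetical, already-decoded pool event
    tx: str                 # transaction id (constructed placeholder)
    kind: str               # "burn" = LP redeemed, "mint" = LP issued
    lp_amount: float        # LP tokens burned or minted
    lp_supply_before: float
    inv_before: float       # pool invariant before the event
    inv_after: float        # pool invariant after the event

def fair_mint(e):
    """LP tokens a join should mint if supply tracks the invariant."""
    if e.inv_before <= 0:   # first deposit: no baseline to compare against
        return float("inf")
    return e.lp_supply_before * (e.inv_after / e.inv_before - 1)

def audit(events, drain_threshold=0.8, tolerance=1.05):
    """Return (tx, drained_first) for every mint exceeding the fair amount.

    drained_first is True when the same transaction earlier removed at
    least drain_threshold of the pool invariant.
    """
    drained, findings = set(), []
    for e in events:
        if e.kind == "burn":
            if e.inv_after <= (1 - drain_threshold) * e.inv_before:
                drained.add(e.tx)
        elif e.kind == "mint":
            if e.lp_amount > tolerance * max(fair_mint(e), 0.0):
                findings.append((e.tx, e.tx in drained))
    return findings

# Constructed sample: an ordinary join, an ordinary large exit,
# and a drain followed by a disproportionate mint.
SAMPLE = [
    PoolEvent("tx-normal-join", "mint", 100.0, 1000.0, 1000.0, 1100.0),
    PoolEvent("tx-large-exit", "burn", 900.0, 1100.0, 1100.0, 200.0),
    PoolEvent("tx-attack-like", "burn", 190.0, 200.0, 200.0, 10.0),
    PoolEvent("tx-attack-like", "mint", 5000.0, 10.0, 10.0, 11.0),
]

if __name__ == "__main__":
    for tx, drained_first in audit(SAMPLE):
        print(f"ALERT {tx}: over-mint, drained in same tx = {drained_first}")
```

A large exit alone is not flagged; only a mint that outruns the invariant growth raises an alert, and the `drained_first` flag marks the pattern described in the report.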
In response to the attack, the Velocore team stated that they are actively tracking the hacker and attempting to negotiate with them on-chain. The team also stated that they would compensate those affected and have taken a snapshot of the block state before the attack. However, the compensation plan will only be implemented after Velocore resumes operations.