
Velocore lost $6.88 million in ETH, and user liquidity was reduced to zero. What happened?

2024-06-03 13:43
Original title: "DEX hacked: Velocore lost $6.88 million in ETH, user liquidity is reduced to zero, what happened?"
Original source: BlockTempo


Yesterday, the decentralized trading platform Velocore was hacked and 1,807 ETH (about $6.88 million) was stolen. Afterwards, Velocore released a report explaining the affected pools, the attack method and the subsequent compensation plan.


Velocore, a decentralized trading platform deployed on the Layer 2 networks zkSync and Linea, was hacked yesterday (June 2), with a loss of 1,807 ETH (about 6.88 million US dollars).


On-chain analyst Yu Jin said that the liquidity funds of all users on the platform were stolen. The hacker then moved the stolen funds to the Ethereum mainnet through a cross-chain bridge, transferred all of the ETH to the 0xe40 address, and used the mixer protocol Tornado to hide and launder the funds.


In addition, according to the DeFi data platform DefiLlama, Velocore's total value locked (TVL) plummeted after the hack from 10.16 million US dollars the previous day to 835,000 US dollars, a drop of 92%.



Contract vulnerability


Yesterday, the Velocore team released a security review report on the attack. The report pointed out that the cause of the attack was a contract vulnerability in the Balancer-style CPMM pool. The report lists the security status of each pool in detail:


· All CPMM pools in Velocore on Linea and zkSync Era chains were affected.

· The stable pool was not affected.

· Velocore on the Telos chain also had the same problem, but the team had dealt with it before the problem was exploited.

· Although Bladeswap on the Blast chain uses Velocore's core contract, it is not affected by this contract vulnerability because Bladeswap uses the XYK pool instead of the CPMM pool.


The constant product market maker (CPMM) is one of the functions adopted by DeFi liquidity pools in the early days. Its formula is x*y=k, where x and y are the amounts of the two assets held in the pool and k is a constant. The function determines the price range of the two tokens based on the available quantity (liquidity) of each token, which means that if the pool's supply of token X increases, its supply of token Y must decrease so that k stays constant.


Another flash loan attack?


According to the report, the attacker first obtained funds from the mixer protocol Tornado and met the conditions needed to trigger the contract vulnerability. The attacker then used a flash loan to obtain liquidity provider (LP) tokens and withdrew most of the tokens, which greatly reduced the size of the liquidity pool. Subsequently, the attacker used the token contract vulnerability to mint an abnormally large number of LP tokens to repay the flash loan.
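
As an added illustration (not code from Velocore or from its report), the Python model below works through the x*y=k rule from the CPMM explanation above and adds a defender-side check that flags the kind of disproportionate LP-token mint the report describes. The class and function names, the fee-free two-asset pool and the sample reserves are assumptions made for this example.

```python
from math import isqrt


class ConstantProductPool:
    """Toy two-asset pool obeying x * y = k (no fees, integer amounts)."""

    def __init__(self, x, y):
        self.x, self.y = x, y
        self.lp_supply = isqrt(x * y)  # initial LP shares = sqrt(k)

    def k(self):
        return self.x * self.y

    def snapshot(self):
        return (self.x, self.y, self.lp_supply)

    def swap_x_for_y(self, dx):
        # Pay out dy so that (x + dx) * (y - dy) >= k; rounding favours the pool.
        new_x = self.x + dx
        new_y = -(-self.k() // new_x)  # ceil(k / new_x)
        dy = self.y - new_y
        self.x, self.y = new_x, new_y
        return dy

    def add_liquidity(self, dx, dy):
        # Mint LP shares in proportion to the smaller contribution ratio.
        minted = min(dx * self.lp_supply // self.x, dy * self.lp_supply // self.y)
        self.x, self.y = self.x + dx, self.y + dy
        self.lp_supply += minted
        return minted

    def remove_liquidity(self, shares):
        # Burn shares for a pro-rata slice of both reserves.
        dx = self.x * shares // self.lp_supply
        dy = self.y * shares // self.lp_supply
        self.x, self.y = self.x - dx, self.y - dy
        self.lp_supply -= shares
        return dx, dy


def share_value_held(before, after):
    """Defender-side check on (x, y, lp_supply) snapshots.

    k / lp_supply**2 must never fall; compared by cross-multiplication
    so the arithmetic stays exact. False means LP shares were diluted.
    """
    (x0, y0, s0), (x1, y1, s1) = before, after
    return x1 * y1 * s0 * s0 >= x0 * y0 * s1 * s1
```

Every legitimate swap, deposit and withdrawal in this model keeps the check true, so a monitor comparing snapshots before and after each transaction would report a mint that inflates LP supply without matching reserves.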


Users will be compensated only after operations are restored


In response to the attack, the Velocore team said that it is actively tracking down the hacker and is also trying to negotiate with the hacker on-chain. Velocore's on-chain message to the hacker reads:


If the hacker returns the remaining funds by 4 pm on June 3, the team is willing to provide a 10% white hat hacker bounty


However, the hacker has not yet responded to Velocore.


The team also stated that it will compensate those affected and has taken a snapshot of the block state before the attack, but the compensation plan will not be implemented until Velocore resumes operations.

