Velocore Addresses $7M Hack In Postmortem, Offers 10% White Hat Bounty

As an analyst with several years of experience in the cryptocurrency and decentralized finance (DeFi) space, I’ve seen my fair share of hacks and exploits. The recent incident at Velocore exchange, resulting in a loss of about $7 million, is a reminder of the inherent risks in this rapidly evolving industry.

Velocore, a decentralized exchange, has released a report detailing the events surrounding the recent security breach that resulted in approximately $7 million being stolen from the platform.

The exchange has offered the hacker a 10% bug bounty but has yet to receive a response. 

Details Of The Hack 

After discovering a weakness in the smart contracts governing the decentralized exchange’s liquidity pools, the hacker executed their plan. They exploited an overflow logic vulnerability, enabling them to deceive the system into converting a minor withdrawal into a substantial deposit. Utilizing a flash loan assault, the hacker drained the volatile pools on zkSync Era and Linea, but Velocore successfully secured its assets on Telos, leaving the stable pools unscathed. In a recent update on X, Velocore explained the situation.

As a researcher, I’ve uncovered the intricacies of the identified exploit mechanism and initiated an on-chain discussion for resolution. A comprehensive post-mortem analysis is underway, detailing the sequence of events leading up to the discovery. In pursuit of the exploiter, I’m following crucial clues left behind. Stay tuned for further updates. Velocore on the Telos mainnet remains untouched, and we are collaborating closely with the foundation during functionalities’ temporary suspension. Rest assured, instructions for safely withdrawing all funds will be communicated in due time.

Exploit Postmortem 

In response to the cyberattack, Velocore promptly launched an investigation and instituted a negotiation procedure on the blockchain to recover the stolen funds from the perpetrator. The decentralized exchange also disseminated an alert following the breach, advising users to exercise caution. Simultaneously, all trading activities were suspended, and the pilfered assets were immobilized. Regrettably, the hacker managed to shift a portion of the funds to the Ethereum primary network, despite these defensive actions. In its post-incident report, Velocore disclosed,

Although we’ve undergone numerous inspections and added security measures to prevent such occurrences, an unexpected incident took place unexpectedly. We are genuinely sorry and apologize profoundly to our valued users for the breach of trust. Velocore has immediately deactivated the flawed logic used in the attack, thus preventing any potential copycat attempts.

Here’s a suggestion for paraphrasing the given text in a clear and natural way:

As a researcher on our team, I would express it this way: “Given that other potential solutions for addressing this exploit had been exhausted, I initiated the halting of the sequencer in order to prevent any further funds from escaping.”

Linea justified its action to put a stop to the chain, stating that their ultimate objective was to disable the team’s power to interrupt the network through the process of decentralization.

The majority of second-level (L2) projects, including Linea, continue to depend on centralized technical management for their operations. This setup can be beneficial in safeguarding the ecosystem’s participants. However, Linea prioritizes a decentralized approach as its primary value proposition – a permissionless and censorship-resistant environment – so this decision was not made lightly.

Velocore Reaches Out To Hacker 

Velocore has proposed a reward of 10% for the hacker if they return the remaining stolen funds by June 3, 8:00 UTC. The hacker, however, hasn’t responded to this proposition yet. Nevertheless, they have already transferred 1700 ETH, equivalent to approximately $7 million, into Tornado Cash – a cryptocurrency tumbler. Velocore mentioned that they had saved a copy of the blockchain prior to the breach and were currently devising a strategy for reimbursing their affected users.

“We’ve saved a copy of the blockchain status before the occurrence for those it affected. After resuming normal functions, we will devise and execute a fair reimbursement scheme to make up for any losses sustained by our users.”

Read More

2024-06-03 12:37