Coinspeaker
Velocore DEX Offers Exploiter 10% White Hat Bounty after $6.8M Hack
Decentralized exchange Velocore, deployed on both the Linea and zkSync blockchains, suffered a security breach on June 2, 2024, resulting in a loss of about $6.8 million in Ethereum (ETH). The exploit targeted vulnerabilities within Velocore’s liquidity pool smart contracts, particularly affecting its volatile pools on the Linea and zkSync Era blockchains.
The hacker executed a complex attack by manipulating the fee rate calculation logic, managing to bypass Velocore’s security measures. This allowed for the unauthorized withdrawal of funds into the hacker’s wallet. The exploit primarily affected the protocol’s Linea deployment. Fortunately, Velocore’s stable pools remain unaffected by the breach, allowing users to safely withdraw funds from the reserves.
Despite undergoing multiple audits and implementing preventive measures, Velocore acknowledged the breach and expressed regret. The protocol had earlier passed security audits by prominent blockchain security firms Zokyo, Hacken, and Scalebit.
Velocore is collaborating with security experts from Hexagate and Hypernative to investigate and address the issue. While Velocore has assured users that the exploit has been contained, blockchain security experts have raised concerns regarding the possibility of the exploit spreading to other chains utilizing similar smart contracts.
The incident prompted the Linea blockchain team to temporarily halt block production, a move that has drawn mixed reactions from the community. Many applaud the decisive action taken to prevent further losses. However, it has sparked a heated debate regarding the centralization risks of Layer 2 solutions like Linea. Many Layer 2s like Linea operate centralized sequencers, allowing their teams to possess undue control over their operations.
White Hat Bounty
Velocore is actively working to recover the stolen funds. The protocol reached out to the hacker via an on-chain message, offering a 10% white hat bounty for the return of the remaining funds by June 3, 2024, 08:00 UTC. However, as of the time of writing, no response has been received from the hacker.
On-chain data revealed that the hacker bridged the stolen funds to Ethereum mainnet before laundering 1807 ETH via cryptocurrency mixer Tornado Cash. Without the hacker’s cooperation, the fate of the stolen funds remains bleak, as services like Tornado Cash, which has been used in previous hacks, enable successful laundering.
Customer Compensation Plans
Velocore has promised to compensate affected users. A snapshot of the blockchain state before the incident was taken, and an appropriate compensation plan will be implemented once operations resume.
Velocore has also pledged to enhance its security measures to rebuild trust and minimize damage. The team is working closely with security partners and foundations, as well as requesting cooperation from various protocols and centralized exchanges to track the hacker’s activities.
The crypto community has commended Velocore for its swift response to the breach, with many applauding the protocol’s proactive measures in dealing with the situation.