
Original author: Ting
Original source: BlockTempo
Yesterday, the decentralized trading platform Velocore was hacked and 1,807 ETH (about 6.88 million US dollars) were stolen. Afterwards, Velocore released a report explaining which liquidity pools were affected, how the attack worked and the subsequent compensation plan.
Velocore, a decentralized trading platform deployed on the Layer 2 networks zkSync and Linea, was hacked yesterday (June 2), with a loss of 1,807 ETH (about 6.88 million USD).
On-chain analyst Yu Jin said that the liquidity funds of all users on the platform were stolen. The hacker then moved the stolen funds to the Ethereum mainnet through a cross-chain bridge, transferred all of the ETH to an address beginning with 0xe40, and used the mixer protocol Tornado to hide and launder the funds.
In addition, according to data from the DeFi data platform DefiLlama, after Velocore was hacked, its total locked value plummeted from US$10.16 million the previous day to US$835,000, a drop of 92%.
Contract vulnerability was the cause
Yesterday, the Velocore team released a security review report on the hack. The report pointed out that the cause of the attack was a contract vulnerability in the Balancer-style CPMM pool. The report detailed the security status of each liquidity pool:
All CPMM pools in Velocore on Linea and zkSync Era chains are affected.
The stable pool was not affected.
The same issue also existed on Velocore on the Telos chain, but the team addressed it before it could be exploited.
Although Bladeswap on the Blast chain uses Velocore's core contract, it is not affected by this contract vulnerability because Bladeswap uses the XYK pool instead of the CPMM pool.
The constant product market maker (CPMM) is one of the earliest pricing functions adopted by DeFi liquidity pools. Its invariant is x*y=k, where x and y are the pool's reserves of the two assets and k is a constant that must not change. The function sets the price of the two tokens from the available quantity (liquidity) of each, which means that if the reserve of token X increases, the reserve of token Y must decrease so that the product k stays constant.
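As an added example (not Velocore's contract code or anything from the report), here is a minimal constant-product pool in Python that implements the x*y=k swap rule and proportional LP-token minting, together with an invariant a monitor can check: sqrt(k) per LP token must never fall across a mint or burn, so an LP mint that is out of proportion to the reserves deposited shows up immediately. All numbers are constructed.

```python
from math import isqrt

# Constructed illustration of a constant-product (x*y=k) pool with
# proportional LP-token accounting. Not Velocore's code.

class CPMMPool:
    def __init__(self, x: int, y: int, lp_supply: int):
        self.x, self.y, self.lp_supply = x, y, lp_supply  # reserves and LP supply

    def k(self) -> int:
        return self.x * self.y

    def value_per_lp(self) -> float:
        # sqrt(k) is the natural "size" of a constant-product pool. Per LP token
        # it may rise through swap fees but must never fall through a mint/burn.
        return isqrt(self.k()) / self.lp_supply

    def swap_x_for_y(self, dx: int) -> int:
        """Sell dx of X for Y; rounding keeps x*y >= k so the pool never loses value."""
        if dx <= 0:
            raise ValueError("swap amount must be positive")
        k_before = self.k()
        new_x = self.x + dx
        new_y = -(-k_before // new_x)          # ceiling division: new_x*new_y >= k
        dy = self.y - new_y
        self.x, self.y = new_x, new_y
        return dy

    def add_liquidity(self, dx: int, dy: int) -> int:
        """Mint LP tokens proportional to the share of reserves being added."""
        minted = min(dx * self.lp_supply // self.x, dy * self.lp_supply // self.y)
        self.x, self.y, self.lp_supply = self.x + dx, self.y + dy, self.lp_supply + minted
        return minted

    def remove_liquidity(self, lp: int) -> tuple:
        """Burn LP tokens and withdraw the pro-rata share of both reserves."""
        dx, dy = lp * self.x // self.lp_supply, lp * self.y // self.lp_supply
        self.x, self.y, self.lp_supply = self.x - dx, self.y - dy, self.lp_supply - lp
        return dx, dy


def lp_value_preserved(vpl_before: float, pool: CPMMPool, rel_tol: float = 1e-6) -> bool:
    """Monitor invariant: sqrt(k) per LP token must not drop across a mint or burn.
    A mint of 'abnormally many' LP tokens without matching reserves violates this."""
    return pool.value_per_lp() >= vpl_before * (1 - rel_tol)
```

Running the check after every liquidity event (off-chain, or as a require() in the contract) turns a disproportionate LP mint into a hard failure rather than a silent balance change.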
Another flash loan attack?
According to the report, the attacker first obtained funds from the mixer protocol Tornado and set up the conditions needed to trigger the contract vulnerability. They then used a flash loan to obtain liquidity provider (LP) tokens and withdrew most of the underlying tokens, which greatly shrank the liquidity pool. Finally, the attacker used the contract vulnerability to mint an abnormally large number of LP tokens and repaid the flash loan with them.
Compensation to users will be granted only after operations are restored
In response to the attack, the Velocore team said that they are actively tracking the hacker and are also trying to negotiate with the hacker on-chain. The on-chain message Velocore sent to the hacker reads:
If the hacker returns the remaining funds by 4pm on June 3, the team is willing to provide a 10% white hat hacker bounty
However, the hacker has not yet responded to Velocore.
The team also stated that it would compensate those affected and has taken a snapshot of the chain state at the block before the attack. However, the compensation plan will not be implemented until Velocore resumes operations.