Decentralized exchange Velocore addresses $7 million hack in postmortem, offers bounty to hacker

Decentralized exchange Velocore, which operates on the Telos, zkSync Era, and Linea blockchains, was exploited for about $6.8 million in tokens last night through a vulnerability in the smart contracts which control its liquidity pools. 

A hacker was able to exploit the vulnerability in overflow logic in order to trick Velocore into turning a small withdrawal into a large deposit. With the help of a flash loan, the hacker was able to drain Velocore's "volatile pools" on zkSync Era and Linea, though the team was able to safeguard its assets on Telos. "Stable pools" were unaffected. 

"Despite undergoing multiple audits and implementing preventive features to ensure security, this unexpected incident happened swiftly. We are deeply saddened and sincerely apologize to our users who have trusted us," Velocore wrote in its post-mortem . Velocore has also disabled the logic flaw used in the exploit, eliminating the chance of a copycat attack. 

The incident led the ConsenSys-built Linea Ethereum Layer 2 network to temporarily pause its block production in an unsuccessful attempt to mitigate the losses from the attack. 

"Because other avenues of handling this exploit closed, our team halted the sequencer to prevent additional funds bridging out. This was the last resort action to protect users on Linea," the protocol wrote on X . While Linea stated its goal was to eventually take away the ability to halt the network from its team once significant decentralization had occurred, the protocol defended the decision to halt the chain. "Most L2s, including Linea, still rely on centralized technical operations which can be leveraged to protect ecosystem participants. Linea's core value is a permissionless, censorship-resistant environment so it was not a decision we took lightly," the protocol wrote . 

Velocore has reached out to the hacker with a message offering a 10% white hat bounty for the return of the remainder of the funds by June 3, 8:00 UTC. The hacker has yet to respond, though the hacker has since deposited about 1700 eth, worth about $7 million, to cryptocurrency mixer Tornado Cash. Velocore, in its postmortem, promised, "For those affected, we have taken a snapshot of the blockchain state prior to the incident. Once operations resume, we will implement an appropriate compensation plan to address the losses incurred to our users."