Decentralized exchange Velocore addresses $7 million hack in postmortem, offers bounty to hacker


The Block, 2024/06/02 17:13
By: The Block

Quick Take: Decentralized exchange Velocore was hacked for around $7 million in tokens last night when a user exploited a vulnerability in the logic governing the exchange’s smart contracts. The hack led the Linea blockchain team to halt block production, which has since resumed. Velocore has offered a 10% bug bounty to the hacker, who has yet to respond.

Decentralized exchange Velocore, which operates on the Telos, zkSync Era, and Linea blockchains, was exploited for about $6.8 million in tokens last night through a vulnerability in the smart contracts which control its liquidity pools. 

A hacker exploited the vulnerability in overflow logic to trick Velocore into turning a small withdrawal into a large deposit. With the help of a flash loan, the hacker was able to drain Velocore's "volatile pools" on zkSync Era and Linea, though the team was able to safeguard its assets on Telos. "Stable pools" were unaffected.

"Despite undergoing multiple audits and implementing preventive features to ensure security, this unexpected incident happened swiftly. We are deeply saddened and sincerely apologize to our users who have trusted us," Velocore wrote in its post-mortem. Velocore has also disabled the logic flaw used in the exploit, eliminating the chance of a copycat attack.

The incident led the ConsenSys-built Linea Ethereum Layer 2 network to temporarily pause its block production in an unsuccessful attempt to mitigate the losses from the attack. 

"Because other avenues of handling this exploit closed, our team halted the sequencer to prevent additional funds bridging out. This was the last resort action to protect users on Linea," the protocol wrote on X. While Linea stated that its goal was to eventually remove its team's ability to halt the network once significant decentralization had occurred, the protocol defended the decision to halt the chain. "Most L2s, including Linea, still rely on centralized technical operations which can be leveraged to protect ecosystem participants. Linea's core value is a permissionless, censorship-resistant environment so it was not a decision we took lightly," the protocol wrote.

Velocore has reached out to the hacker with a message offering a 10% white hat bounty for the return of the remainder of the funds by June 3, 8:00 UTC. The hacker has yet to respond, though the hacker has since deposited about 1700 ETH, worth about $7 million, to cryptocurrency mixer Tornado Cash. Velocore, in its postmortem, promised, "For those affected, we have taken a snapshot of the blockchain state prior to the incident. Once operations resume, we will implement an appropriate compensation plan to address the losses incurred to our users."

