Decentralized exchange Velocore has addressed its recent hack in a postmortem. The exchange suffered an exploit that led to the loss of about $7 million. 

The exchange has offered the hacker a 10% bug bounty but has yet to receive a response. 

Details Of The Hack 

The hacker exploited a vulnerability in the smart contracts controlling the decentralized exchange’s liquidity pools. The flaw was in the contracts’ overflow logic, and it allowed the hacker to trick Velocore into turning a small withdrawal into a large deposit. The hacker then used a flash loan attack to drain the decentralized exchange’s “volatile pools” on zkSync Era and Linea. The Velocore team was able to safeguard its assets on Telos, and “stable pools” were not impacted. In a post on X, Velocore stated,

“We’ve identified the exploit mechanism and are setting up an on-chain negotiation process. A post-mortem article is in the works. Tracking the exploiter with clues left behind. More updates soon. Velocore on the Telos mainnet has not been affected, and we are working with the foundation while functionalities are frozen. We will provide guidance on safely withdrawing all funds in the future.”

Exploit Postmortem 

In response to the hack, Velocore initiated an investigation and set up an on-chain negotiation process to retrieve the funds from the hacker. The decentralized exchange also shared an emergency notice after the hack, urging users to be cautious. It also halted all operations on the exchange and froze the stolen funds. Despite these measures, the hacker was able to transfer a portion of the funds across chains to the Ethereum mainnet. Velocore wrote in its postmortem of the incident,

“Despite undergoing multiple audits and implementing preventive features to ensure security, this unexpected incident happened swiftly. We are deeply saddened and sincerely apologize to our users who have trusted us. Velocore has also disabled the logic flaw used in the exploit, eliminating the chance of a copycat attack.”

The team promised users it would provide another update on the incident soon. The hack also resulted in the Linea Layer2 network temporarily pausing block production to mitigate losses. 

“Because other avenues of handling this exploit closed, our team halted the sequencer to prevent additional funds bridging out.” 

Linea defended its decision to halt the chain, adding that its eventual goal was to decentralize the network so that the team would no longer be able to halt it.

“Most L2s, including Linea, still rely on centralized technical operations, which can be leveraged to protect ecosystem participants. Linea’s core value is a permissionless, censorship-resistant environment, so it was not a decision we took lightly.”

Velocore Reaches Out To Hacker 

Meanwhile, Velocore has offered the hacker a 10% white hat bounty if the remainder of the stolen funds is returned by June 3, 8:00 UTC. While the hacker has yet to respond to the offer, they have already deposited 1700 ETH, worth around $7 million, into Tornado Cash, a cryptocurrency mixer. The decentralized exchange added that it had taken a snapshot of the blockchain prior to the incident and would come up with a compensation plan for its users.

“For those affected, we have taken a snapshot of the blockchain state prior to the incident. Once operations resume, we will implement an appropriate compensation plan to address the losses incurred to our users.”
