• Decentralized exchange Velocore fell victim to a major hack.
• The platform has commenced efforts towards securing a refund of the stolen funds.
• Velocore is tightening security practices to prevent similar future hacks.

The new month of June got off to a rocky start for the decentralized exchange platform Velocrore, which became one of this month’s earliest hack victims. On June 2, 2024, Velocore fell victim to a security exploit, resulting in severe losses for the exchange and its users.

In the aftermath of the attack, Velocrore has initiated efforts to recoup the stolen funds.

Velocore Pursues Stolen Funds

According to a Monday, June 3, 2024 post, the decentralized exchange has initiated on-chain negotiations with its attacker. The negotiation proposes a 10% refund of the stolen $6.8 million in ETH to the hacker, as part of ongoing post-mortem ecosystem security measures to mitigate the damage from the June 2 attack.

While the attacker has yet to respond, Velocore stated that its team has deployed security measures such as tracing the stolen user funds, as well as identifying the exploiter addresses and vulnerable contracts. 

Post-mortem on the exploit of Velocore

This incident is unlikely to extend to other protocols, so other users of @LineaBuild and @zksync can rest assured.

We apologize to all affected partners and users and are working diligently with various security partners to resolve the… pic.twitter.com/rfeqIwmMJX

— Velocore | veDEX on zkSync Era / Linea ▪️ (@velocorexyz) June 2, 2024

The team also highlighted the hacker(s) anonymity tactic by sourcing funds from the crypto mixing tool Tornado Cash before executing the exploit and depositing them back into the mixer to obfuscate their trail.

Velocore emphasized that the root cause of the hack has also been identified, and additional measures have been deployed to prevent copycats from launching similar attacks.

What was the Velocore Hack?

The cyberattack on Velocore, a decentralized exchange, was initiated by exploiting vulnerabilities within the logic governing its smart contracts, particularly within the Balancer-style CPMM pool contract.

The hacker capitalized on weaknesses within Velocore’s fee calculation logic and withdrawal mechanisms, manipulating the exchange’s volatile pools. This manipulation created a false impression of increased liquidity, allowing the attacker to withdraw an excessive amount of funds.

Velocore confirmed that the hack impacted all volatile pools (CPMM) in Linea and zkSyncEra Velocore, while stable pools remained unaffected. Although Telos Velocore shared similar vulnerabilities, proactive measures were taken to prevent exploitation.

In response to the incident, Velocore announced its commitment to implementing a suitable compensation plan for affected users upon the resumption of operations, aiming to mitigate the financial losses incurred.

On the Flipside

• The NORMIE memecoin project fell victim to a similar ETH attack on May 27, 2024.
• Affected users are urged to remain cautious in the aftermath of the hack to avoid falling victim to phishing scams imitating Velocore hack refunds.

Why This Matters

The cyberattack on Velocrore caused significant losses for the exchange and its users, and a 90% refund could help the firm recoup its losses and make affected users whole.

Read more about the similar Normie Cyberattack in May
ETH Exploit Sends NORMIE Down 98%, Hacker to Return Funds? 

Here’s how Hong Kong is tightening regulatory requirements:
Hong Kong Shuts Out Unlicensed Exchanges as Deadline Expires