The decentralized finance (DeFi) space faces another security challenge after a hacker stole over $7 million worth of Ethereum (ETH) from Velocore, a decentralized exchange (DEX) built on zkSync and Linea blockchains, on June 2nd, 2024. This incident raises concerns about the safety of user funds within the rapidly evolving DeFi ecosystem.
Alert cyber threat researcher Officer’s Notes first identified the exploit, which compromised Velocore’s liquidity provider tokens, crucial for facilitating exchange operations. The attacker managed to siphon off over 1700 ETH, valued at more than $7 million, and transferred them to the Ethereum mainnet.
Hacker Employed Mixing Services to Mask Trail
The stolen funds were initially obtained through Tornado Cash, a service known for enhancing transaction privacy. The attacker then routed them through Across Bridge before funneling them back into Tornado Cash, effectively anonymizing their movement. This swift action highlights the challenges DeFi platforms face in tracking and recovering stolen assets.
Despite undergoing security audits by Zokyo, Hacken, and Scalebit, Velocore’s defenses were breached. Fortunately, the exploit only affected the platform’s volatile pools, leaving stablecoin reserves unharmed and allowing users to safely withdraw their holdings.
Velocore Fights Back: Collaboration and Negotiation
Velocore is actively working with cybersecurity experts and collaborating with centralized exchanges (CEXs) to freeze the stolen funds and prevent further losses. The team has identified the exploit’s nature and is currently in communication with the attacker. In a bid to recover the remaining funds, Velocore has offered a 10% bug bounty for their return by June 3rd, 8:00 UTC. As of now, the hacker has yet to respond.
The hack sent shockwaves through the Velocore ecosystem, with its native token, VC, plummeting to its lowest price point. However, the token has shown signs of recovery and is currently trading at $0.004127.
Limited Impact on Underlying Blockchains
While the attack undoubtedly impacted Velocore, the zkSync and Linea blockchains themselves saw minimal disruption. Both networks maintained healthy transaction throughput and address activity throughout the ordeal. This underscores the resilience of blockchain technology but emphasizes the need for robust security measures on DeFi protocols built on top of them.
Velocore has pledged to compensate affected users through a post-mortem report. This incident serves as a stark reminder for DeFi users to prioritize platforms with rigorous security practices and conduct thorough research before entrusting their funds to any exchange.
Disclaimer: The information in this article is for general purposes only and does not constitute financial advice. The author’s views are personal and may not reflect the views of Chain Affairs. Before making any investment decisions, you should always conduct your own research. Chain Affairs is not responsible for any financial losses.