A flaw in the smart contracts that oversee Velocore’s liquidity pools allows for $6.8 million to be stolen from the decentralized exchange. By the way, the exchange runs on the zkSync, Era, and Linea blockchains in addition to the Telos.
An exploit in the overflow logic allowed a hacker to trick Velocore into depositing a large amount rather than a modest one. The user’s usage of a flash loan, which jeopardized the exchange’s unstable pools on zkSyncEra and Linea, enabled this. Still, the group members took care to protect their resources on Telos. The stable pools remained secure.
We tried a lot of audits and put safety measures in place, but we couldn’t stop it from happening. Velcro contacted its users right away to reassure them that all necessary steps will be done to resolve the problem. To stop another incident, they have taken the initiative to deactivate the logic fault that is being attributed to the attack in the meantime.
In an attempt to partially offset the loss, the ConsenSys-created Linea Ethereum Layer 2 network has temporarily suspended block generation. Additionally, the sequencer has been turned off to stop any more money from being siphoned off. As a result, they came to the conclusion that this was their last attempt to safeguard their users’ interests.
It is well known that in order to safeguard ecosystem participants, Linea depends on centralized technical operations. Since the primary feature of Linea is a censorship-free, permissionless environment, this was an essential choice to make.
The hacker has not replied to Velocore’s offer of a 10% bounty for being able to redeem the remaining monies. It appears that the hacker has used Tornado Cash to dump about 1,700 ETH, or $7 million.
In the interim, the exchange has communicated with its users to give them confidence that they would be fairly compensated.