Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/velocorefaultypoolexecutionlogic.php}} {{Unattributed Sources}} Velocore Logo/HomepageVelocore offers a complex layer 2 solution, which includes decentralized exchanges between different token pairs. A vulnerability in the liquidity pools backing the swaps allowed for an attacker to execute swaps and increase the fee beyond 100%. Once the fee was beyond 100%,..."

2024-09-17T19:30:18Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/velocorefaultypoolexecutionlogic.php}} {{Unattributed Sources}} thumb|Velocore Logo/HomepageVelocore offers a complex layer 2 solution, which includes decentralized exchanges between different token pairs. A vulnerability in the liquidity pools backing the swaps allowed for an attacker to execute swaps and increase the fee beyond 100%. Once the fee was beyond 100%,..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/velocorefaultypoolexecutionlogic.php}}
{{Unattributed Sources}}

[[File:Velocore.jpg|thumb|Velocore Logo/Homepage]]Velocore offers a complex layer 2 solution, which includes decentralized exchanges between different token pairs. A vulnerability in the liquidity pools backing the swaps allowed for an attacker to execute swaps and increase the fee beyond 100%. Once the fee was beyond 100%, a flash loan allowed the attacker to scoop up most of the tokens and contracts in the pool. The attacker was offered a 10% bounty. They have a chance to remain anonymous as they both sent and received funds via TornadoCash.<ref name="rektnews-14107" /><ref name="juliahexicantwitter-14108" /><ref name="officerciatwitter-14109" /><ref name="velocorexyzmedium-14110" /><ref name="beincrypto-14111" /><ref name="velocoregithub-14112" /><ref name="lineascan-14113" /><ref name="lineascan-14114" /><ref name="zksyncexplorer-14115" /><ref name="velocore-14116" /><ref name="unnamed-14553" />

== About Velocore ==
"As the zkSync era is still in its early stages, major protocols may receive incentives or airdrops during the TGE. ZkSync is an even bigger project than Arbitrum, and we're eager to give back to our early supporters. Let's build the ecosystem in the zkSync era together!"

"Drawing inspiration from Andre Cronje's Solidly, Velocore adopts an innovative perspective on the voting-escrow paradigm. The core of Velocore integrates an exponential decay mechanism, guaranteeing a resilient token model for the foreseeable future. The VC framework prioritizes rewarding long-term proponents and harmonizes stakeholder interests by encouraging fee generation."

"Embrace the future of DeFi with Velocore by participating in the launchpad for the cutting-edge DeFi protocol in zkSync Mainnet Era" "At Velocore, we empower visionaries like you to fuel groundbreaking innovations and create limitless opportunities."

== The Reality ==
"The velo in Velocore proved too fast and furious, as the L2 DEX lost over $6.8 million in a devastating exploit on June 2nd across its pools on Linea and zkSync."

"The primary cause of the incident was faulty logic within the ‘velocore__execute()’ function of the ConstantProductPool. When a user makes a swap on Velocore, the Vault contract makes an external call to this function to calculate the result of the swap."

== What Happened ==
"According to the post-mortem from Velocore, the attacker sourced funds from Tornado Cash, bridged over to execute the dastardly exploit, and then deposited the ill-gotten gains back into Tornado Cash."
{| class="wikitable"
|+Key Event Timeline - Velocore Faulty Pool Execution Logic
!Date
!Event
!Description
|-
|June 1st, 2024 4:21:29 PM MDT
|Linea Attack Transaction
|The first attack transaction on the Linea blockchain.
|-
|June 1st, 2024 4:37:29 PM MDT
|Linea Attack Transaction
|The second attack transaction on the Linea blockchain.
|-
|June 1st, 2024 4:38:00 PM MDT
|ZKSync Transaction
|The ZKSync transaction associated.
|-
|June 1st, 2024 6:52:00 PM MDT
|Hack Tweet Reported
|The attack is reported on Twitter by user officer_cia, and estimated at $10m lost.
|-
|June 2nd, 2024 1:22:00 AM MDT
|BeInCrypto Article
|BeInCrypto publishes a report on the exploit having happened.
|-
|June 2nd, 2024 9:30:42 AM MDT
|Post-Mortem Published
|The Velocore team publishes a post-mortem report on Medium.
|-
|June 2nd, 2024 12:09:00 PM MDT
|Centralization Concerns
|Centralization concerns are discussed after the Linea blockchain was shut down over the hack.
|}

== Technical Details ==
"The flurry of transactions started with the attacker directly invoking velocore__execute() to simulate huge withdrawals and jack up the feeMultiplier. With that jacked-up multiplier inflating effectiveFee1e9 past 100%, the villain executed a flash loan to scoop up most of the tokens and contract the pool.

Finally, a small single-token withdrawal minted an egregiously large amount of liquidity tokens due to an underflow error, allowing the drainer to easily repay the flash loan and skip town with $6.8 million in ETH.

According to an analysis of the incident from Beosin, the LP Pool lacks permission verification. The attacker directly invoke the velocore__execute function (0xec378808) of the LP contract with a carefully constructed parameter to manipulate the feeMultiplier parameter of the contract."

== Total Amount Lost ==
Most sources $10m. Velocore postmortem approximating $6.8 million in ETH.

The total amount lost has been estimated at $6,800,000 USD.

== Immediate Reactions ==
"The hack led the Linea team to halt block production, which has since resumed."

"Velocore has offered a 10% bug bounty to the hacker, who has yet to respond."

"We received a critical security alert from Cyvers after the first Linea exploit. Since we revoked our admin rights from the vault last year, we couldn’t upgrade the proxy to completely block transactions. Instead, we implemented a semi-pause function by setting the fee to the maximum, which would interrupt swaps while allowing withdrawals in case of an emergency. However, in this case, the proper mitigation was to set the fee to 0%, not to max. Unfortunately, we realized this only after reverse-engineering the transactions, and by then, it was too late.

To mitigate the issue and prevent further damage, we have set the fee to 0 for all pools. Consequently, the ‘effectiveFee1e9’ value will always be 0, effectively disabling the vulnerability described above. This measure ensures that the exploit cannot be leveraged anymore."

== Ultimate Outcome ==
"In light of the recent incident impacting our protocol, Velocore is committed to taking comprehensive measures to resolve the situation and ensure the security and trust of our users.
We are actively investigating to track down hackers while trying the on-chain negotiation, having requested cooperation from various protocols and central exchanges to investigate the attacker’s activities. We are also in close communication with our security partners and foundations. Based on the results of these investigations and our collaboration with partners, we will continuously adjust our future plans.
For those affected, we have taken a snapshot of the blockchain state prior to the incident. Once operations resume, we will implement an appropriate compensation plan to address the losses incurred to our users. We understand the importance of transparency and fairness in these times and are dedicated to providing clear and effective solutions.
Our goal is not only to resolve this issue but also to enhance the protocol’s security measures, rebuild trust, and minimize the damage."

== Total Amount Recovered ==
The total amount recovered is unknown.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="rektnews-14107">[https://rekt.news/velocore-rekt/ Rekt - Velocore - Rekt] (Accessed Jun 3, 2024)</ref>

<ref name="juliahexicantwitter-14108">[https://twitter.com/Julia_Hexican/status/1797329629704810719 @Julia_Hexican Twitter] (Accessed Jun 3, 2024)</ref>

<ref name="officerciatwitter-14109">[https://twitter.com/officer_cia/status/1797068809959854340 @officer_cia Twitter] (Accessed Jun 3, 2024)</ref>

<ref name="velocorexyzmedium-14110">[https://velocorexyz.medium.com/velocore-incident-post-mortem-6197020ec3e9 Velocore Incident Post Mortem] (Accessed Jun 3, 2024)</ref>

<ref name="beincrypto-14111">[https://beincrypto.com/velocore-decentralized-exchange-10-million-hack/ $10 Million Hack Hits Decentralized Exchange Velocore] (Accessed Jun 3, 2024)</ref>

<ref name="velocoregithub-14112">[https://github.com/velocore/velocore-contracts/blob/master/src/pools/constant-product/ConstantProductPool.sol velocore-contracts/src/pools/constant-product/ConstantProductPool.sol at master · velocore/velocore-contracts · GitHub] (Accessed Jun 3, 2024)</ref>

<ref name="lineascan-14113">[https://lineascan.build/tx/0xed11d5b013bf3296b1507da38b7bcb97845dd037d33d3d1b0c5e763889cdbed1 Linea Mainnet Transaction Hash (Txhash) Details | LineaScan] (Accessed Jun 3, 2024)</ref>

<ref name="lineascan-14114">[https://lineascan.build/tx/0x37434e674efc4e7cfeed7746095301ace5636028906fe548b786ead286e35eb0 Linea Mainnet Transaction Hash (Txhash) Details | LineaScan] (Accessed Jun 3, 2024)</ref>

<ref name="zksyncexplorer-14115">[https://explorer.zksync.io/tx/0x4156d73cadc18419220f5bcf10deb4d97a3d3f7533d63ba90daeabc5fd11ba17 zkSync Era Block Explorer] (Accessed Jun 3, 2024)</ref>

<ref name="velocore-14116">[https://velocore.xyz/ Velocore] (Accessed Jun 3, 2024)</ref>

<ref name="unnamed-14553">[https://x.com/ChainAegis/status/1797107667397427570 x.com] (Accessed Jul 3, 2024)</ref></references>

Velocore Faulty Pool Execution Logic - Revision history