Velocore Faulty Pool Execution Logic
Velocore offers a complex layer 2 solution that includes decentralized exchanges between different token pairs. A vulnerability in the liquidity pools backing the swaps allowed an attacker to execute swaps and increase the fee beyond 100%. Once the fee was beyond 100%, a flash loan allowed the attacker to scoop up most of the tokens and contract the pool. The attacker was offered a 10% bounty. They have a chance to remain anonymous, as they both sent and received funds via Tornado Cash.[1][2][3][4][5][6][7][8][9][10][11]
About Velocore
"As the zkSync era is still in its early stages, major protocols may receive incentives or airdrops during the TGE. ZkSync is an even bigger project than Arbitrum, and we're eager to give back to our early supporters. Let's build the ecosystem in the zkSync era together!"
"Drawing inspiration from Andre Cronje's Solidly, Velocore adopts an innovative perspective on the voting-escrow paradigm. The core of Velocore integrates an exponential decay mechanism, guaranteeing a resilient token model for the foreseeable future. The VC framework prioritizes rewarding long-term proponents and harmonizes stakeholder interests by encouraging fee generation."
"Embrace the future of DeFi with Velocore by participating in the launchpad for the cutting-edge DeFi protocol in zkSync Mainnet Era" "At Velocore, we empower visionaries like you to fuel groundbreaking innovations and create limitless opportunities."
The Reality
"The velo in Velocore proved too fast and furious, as the L2 DEX lost over $6.8 million in a devastating exploit on June 2nd across its pools on Linea and zkSync."
"The primary cause of the incident was faulty logic within the ‘velocore__execute()’ function of the ConstantProductPool. When a user makes a swap on Velocore, the Vault contract makes an external call to this function to calculate the result of the swap."
What Happened
"According to the post-mortem from Velocore, the attacker sourced funds from Tornado Cash, bridged over to execute the dastardly exploit, and then deposited the ill-gotten gains back into Tornado Cash."
| Date | Event | Description |
|---|---|---|
| June 1st, 2024 4:21:29 PM MDT | Linea Attack Transaction | The first attack transaction on the Linea blockchain. |
| June 1st, 2024 4:37:29 PM MDT | Linea Attack Transaction | The second attack transaction on the Linea blockchain. |
| June 1st, 2024 4:38:00 PM MDT | ZKSync Transaction | The associated transaction on the ZKSync blockchain. |
| June 1st, 2024 6:52:00 PM MDT | Hack Tweet Reported | The attack is reported on Twitter by user officer_cia, and estimated at $10m lost. |
| June 2nd, 2024 1:22:00 AM MDT | BeInCrypto Article | BeInCrypto publishes a report on the exploit having happened. |
| June 2nd, 2024 9:30:42 AM MDT | Post-Mortem Published | The Velocore team publishes a post-mortem report on Medium. |
| June 2nd, 2024 12:09:00 PM MDT | Centralization Concerns | Centralization concerns are discussed after the Linea blockchain was shut down over the hack. |
Technical Details
"The flurry of transactions started with the attacker directly invoking velocore__execute() to simulate huge withdrawals and jack up the feeMultiplier. With that jacked-up multiplier inflating effectiveFee1e9 past 100%, the villain executed a flash loan to scoop up most of the tokens and contract the pool.
Finally, a small single-token withdrawal minted an egregiously large amount of liquidity tokens due to an underflow error, allowing the drainer to easily repay the flash loan and skip town with $6.8 million in ETH.
According to an analysis of the incident from Beosin, the LP Pool lacks permission verification. The attacker directly invokes the velocore__execute function (0xec378808) of the LP contract with a carefully constructed parameter to manipulate the feeMultiplier parameter of the contract."
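A minimal Python model of the two checks whose absence is described above, added here as an illustration and not taken from Velocore's contracts: a caller check on velocore__execute() and an upper bound on effectiveFee1e9. The `Pool` class, the `VAULT` label, the multiplier growth rule and the 1% base fee used with it are assumptions made for the example.

```python
# Added example: simplified model, not Velocore's contract code.
ONE = 10**9        # 1e9 fixed point, so ONE == 100%
UINT256 = 2**256   # modulus of Solidity's uint256
VAULT = "vault"    # hypothetical label for the Vault contract's address


class Pool:
    """Toy pool holding only the state the write-up names."""

    def __init__(self, fee1e9, hardened):
        self.fee1e9 = fee1e9        # base swap fee
        self.fee_multiplier = ONE   # 1.0x until withdrawals raise it
        self.hardened = hardened

    def effective_fee1e9(self, multiplier=None):
        # Assumption: effective fee = base fee scaled by feeMultiplier.
        m = self.fee_multiplier if multiplier is None else multiplier
        return self.fee1e9 * m // ONE

    def execute(self, caller, withdrawn_share1e9):
        """Stand-in for velocore__execute(); returns the share kept after fees."""
        if self.hardened and caller != VAULT:
            raise PermissionError("velocore__execute: caller is not the Vault")
        # Constructed growth rule: bigger withdrawals raise the multiplier more.
        new_multiplier = self.fee_multiplier + withdrawn_share1e9 * 100
        eff = self.effective_fee1e9(new_multiplier)
        if self.hardened and eff >= ONE:
            raise ValueError("effectiveFee1e9 must stay below 100%")
        self.fee_multiplier = new_multiplier  # commit only after the checks
        # Unhardened path models unchecked uint256 math: it wraps, no revert.
        return (ONE - eff) % UINT256


def kept_share(fee1e9, hardened, caller):
    """Run one full-size simulated withdrawal; return (result, multiplier)."""
    pool = Pool(fee1e9, hardened)
    try:
        result = pool.execute(caller, ONE)
    except (PermissionError, ValueError) as exc:
        result = type(exc).__name__
    return result, pool.fee_multiplier
```

With a base fee of 0 the effective fee stays 0 for any multiplier, which is the behaviour the post-mortem relies on when it sets the fee to 0 for all pools.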
Total Amount Lost
Most sources report $10m lost. The Velocore post-mortem approximates the loss at $6.8 million in ETH.
The total amount lost has been estimated at $6,800,000 USD.
Immediate Reactions
"The hack led the Linea team to halt block production, which has since resumed."
"Velocore has offered a 10% bug bounty to the hacker, who has yet to respond."
"We received a critical security alert from Cyvers after the first Linea exploit. Since we revoked our admin rights from the vault last year, we couldn’t upgrade the proxy to completely block transactions. Instead, we implemented a semi-pause function by setting the fee to the maximum, which would interrupt swaps while allowing withdrawals in case of an emergency. However, in this case, the proper mitigation was to set the fee to 0%, not to max. Unfortunately, we realized this only after reverse-engineering the transactions, and by then, it was too late.
To mitigate the issue and prevent further damage, we have set the fee to 0 for all pools. Consequently, the ‘effectiveFee1e9’ value will always be 0, effectively disabling the vulnerability described above. This measure ensures that the exploit cannot be leveraged anymore."
Ultimate Outcome
"In light of the recent incident impacting our protocol, Velocore is committed to taking comprehensive measures to resolve the situation and ensure the security and trust of our users. We are actively investigating to track down hackers while trying the on-chain negotiation, having requested cooperation from various protocols and central exchanges to investigate the attacker’s activities. We are also in close communication with our security partners and foundations. Based on the results of these investigations and our collaboration with partners, we will continuously adjust our future plans. For those affected, we have taken a snapshot of the blockchain state prior to the incident. Once operations resume, we will implement an appropriate compensation plan to address the losses incurred to our users. We understand the importance of transparency and fairness in these times and are dedicated to providing clear and effective solutions. Our goal is not only to resolve this issue but also to enhance the protocol’s security measures, rebuild trust, and minimize the damage."
Total Amount Recovered
The total amount recovered is unknown.
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- Rekt - Velocore - Rekt (Accessed Jun 3, 2024)
- @Julia_Hexican Twitter (Accessed Jun 3, 2024)
- @officer_cia Twitter (Accessed Jun 3, 2024)
- Velocore Incident Post Mortem (Accessed Jun 3, 2024)
- $10 Million Hack Hits Decentralized Exchange Velocore (Accessed Jun 3, 2024)
- velocore-contracts/src/pools/constant-product/ConstantProductPool.sol at master · velocore/velocore-contracts · GitHub (Accessed Jun 3, 2024)
- Linea Mainnet Transaction Hash (Txhash) Details | LineaScan (Accessed Jun 3, 2024)
- Linea Mainnet Transaction Hash (Txhash) Details | LineaScan (Accessed Jun 3, 2024)
- zkSync Era Block Explorer (Accessed Jun 3, 2024)
- Velocore (Accessed Jun 3, 2024)
- x.com (Accessed Jul 3, 2024)