The decentralized exchange Velocore confirmed a breach on its platform on June 2, during which attackers stole ethereum tokens worth an estimated $6.8 to $10 million. The Velocore team is actively pursuing the hackers and is open to negotiating a settlement.
The decentralized exchange Velocore on Zksync and Linea has acknowledged that hackers breached its platform on June 2. In a statement confirming the breach, the Velocore team estimated the financial losses incurred at around $6.8 million worth of ETH. However, earlier reports suggested that hackers may have stolen users’ liquidity provider tokens worth up to $10 million.
In a post-mortem shared via a blog, the Velocore team revealed that the attackers exploited vulnerabilities within the Balancer-style CPMM pool contract, which forced the platform to freeze operations. The team added:
The attacker sourced funds from Tornado, executed the exploit, bridged the funds with Across Bridge, and then deposited them back into Tornado.
To address the situation, the Velocore team implemented a semi-pause function by setting the fee to the maximum. This measure was intended to interrupt swaps while still allowing withdrawals in case of an emergency.
However, the team later acknowledged that the proper mitigation strategy had set the fee to 0%, rather than the maximum. Unfortunately, by the time this realization occurred, it was already too late.
Meanwhile, the Velocore team is actively pursuing the hackers responsible for the incident. They are also engaged in negotiations to reach a settlement.
Additionally, the Velocore team said it is in communication with security partners and foundations. The team emphasizes that these steps will guide their approach as they navigate the aftermath of the decentralized exchange platform breach.
For users impacted by the hacking incident, the team has committed to implementing an appropriate compensation plan to address their losses when operations resume.