On June 2, 2024, Velocore, a decentralized exchange operating across the Telos, zkSync Era, and Linea blockchains, experienced a severe security breach resulting in the theft of approximately $7.6 million. The exploit stemmed from an integer overflow vulnerability within Velocore’s smart contract logic governing liquidity pools. Attackers manipulated the overflow to make a minimal withdrawal appear as a massive deposit, enabling them to drain funds from volatile pools on zkSync Era and Linea.
The attacker initially funded the operation via Tornado Cash and converted the stolen assets into 1,406 ETH and 1.54 million USDT. Using the Across Protocol, they bridged the funds to Ethereum, later converting the USDT into an additional 401.13 ETH, and ultimately funneled 1,807 ETH (valued at approximately $6.9 million) back to Tornado Cash to obscure their trail.
Although Velocore’s contracts had undergone multiple audits, the integer overflow vulnerability went undetected. In response, Velocore issued a public apology, disabled the compromised logic, and announced a compensation plan based on a blockchain snapshot taken before the attack. The Linea blockchain controversially paused block production temporarily in an effort to limit the exploit’s impact, though the pause failed to prevent the full extent of the loss.
This incident underscores the critical need for rigorous smart contract audits, safe programming practices including the use of larger data types, and proactive measures to mitigate common vulnerabilities like integer overflows in DeFi protocols.
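The bug class described above, where a small withdrawal is booked as a huge deposit, is shown here next to a range-checked version. This is an added, simplified model and not Velocore's contract code. The 128-bit width, the signed-delta convention (negative means withdrawal) and the function names are assumptions, and the wrap is modelled with a modulus because Python integers do not overflow.

```python
# Added illustration: a simplified model, not Velocore's contract code.
BITS = 128                                # assumed width of a signed pool delta
MOD = 1 << BITS
INT_MIN, INT_MAX = -(1 << (BITS - 1)), (1 << (BITS - 1)) - 1


def settle_vulnerable(shares: dict, account: str, delta: int) -> int:
    """Credit a signed delta (negative = withdrawal) after an unchecked cast."""
    credit = delta % MOD                  # two's-complement wrap: -1 -> 2**128 - 1
    shares[account] = shares.get(account, 0) + credit
    return shares[account]


def settle_hardened(shares: dict, account: str, delta: int) -> int:
    """Apply the same delta, keeping its sign and rejecting out-of-range values."""
    if not INT_MIN <= delta <= INT_MAX:
        raise OverflowError("delta does not fit the signed word")
    new_balance = shares.get(account, 0) + delta
    if new_balance < 0:
        raise ValueError("withdrawal exceeds the account's shares")
    if new_balance >= MOD:
        raise OverflowError("balance does not fit the unsigned word")
    shares[account] = new_balance
    return new_balance


def demo() -> dict:
    """Run a 1-unit withdrawal from an empty account through both paths."""
    result = {"vulnerable": settle_vulnerable({}, "lp", -1)}
    try:
        settle_hardened({}, "lp", -1)
        result["hardened"] = "accepted"
    except ValueError as exc:
        result["hardened"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    print(demo())
```

The hardened path does what checked arithmetic and safe-cast helpers do in contract code: it fails the transaction instead of letting the sign bit be read as magnitude.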