Verify a decision

{"actor":"system:backfill","investigation_id":"97fb395d-ef2e-4331-a3fa-e006da5418c2","kind":"publish","page_slug":"velocore","published_at":"2026-05-31T07:00:23.849Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Velocore DEX","sections":[{"content":"On June 2, 2024, Velocore's Balancer-style CPMM (Constant Product Market Maker) pool contract was exploited via a fee calculation overflow vulnerability. The attacker directly invoked the unguarded velocore__execute() function to simulate massive withdrawals, artificially inflating the internal feeMultiplier parameter to a value exceeding 100% (1e9 units). The attacker then obtained LP tokens via a flash loan and withdrew the majority of pool reserves, contracting pool size. A final small single-token withdrawal triggered an integer underflow, minting an abnormally large number of LP tokens. These tokens were used to repay the flash loan and exit with approximately 1,807 ETH, valued at roughly $6.8–6.9 million at the time. All volatile CPMM pools on both zkSync Era and Linea deployments were affected; stable pools were not. The attacker address is 0x8cdc37ed79c5ef116b9dc2a53cb86acaca3716bf. Funds were intermediated through address 0xe4062fcade7ac0ed47ad794028967a2314ee02b3 before being bridged to Ethereum mainnet via Across Protocol and deposited into Tornado Cash.","heading":"June 2024 Smart Contract Exploit","severity":"critical","sources":[{"credibility":2,"name":"Rekt News — Velocore Rekt","type":"news_article","url":"https://rekt.news/velocore-rekt/"},{"credibility":2,"name":"Merkle Science — Investigating the Velocore Hack and Flow of Funds","type":"research","url":"https://www.merklescience.com/blog/investigating-the-velocore-hack-and-flow-of-funds"},{"credibility":2,"name":"Vibranium Audits — Velocore's $6.8 Million Exploit","type":"research","url":"https://www.vibraniumaudits.com/post/velocores-6-8-million-exploit-fast-and-furious-losses-in-crypto"}]},{"content":"The root cause was a logic flaw in the velocore__execute() function governing fee rate calculation. The function lacked caller verification and permitted effectiveFee1e9 to exceed 100%, a condition that should have been bounded. Despite the critical nature of this flaw, Velocore V2 had undergone three independent security audits conducted by Zokyo, Hacken, and Scalebit, all completed in August 2023 prior to launch. None of the three audits identified the fee manipulation vector that was ultimately exploited. This failure highlights the well-documented gap between audit scope and actual exploit surface in DeFi protocols. The exploitable function was part of Velocore's custom extension of Balancer-style pool logic, which deviated from the battle-tested Velodrome/Solidly base contracts.","heading":"Vulnerability Root Cause and Audit Failure","severity":"critical","sources":[{"credibility":1,"name":"Velocore Docs — Three Rounds of Audits","type":"official","url":"https://docs.velocore.xyz/security-and-contract-address/three-rounds-of-audits"},{"credibility":2,"name":"Hacken — Velocore Audits","type":"research","url":"https://hacken.io/audits/velocore/"},{"credibility":2,"name":"Rekt News — Velocore Rekt","type":"news_article","url":"https://rekt.news/velocore-rekt/"}]},{"content":"Post-exploit fund tracing conducted by Merkle Science established the following flow: the attacker pre-funded the exploit wallet from Tornado Cash, executed the drain across both the Linea and zkSync Era deployments, converted the stolen assets into approximately 1,406 ETH and 1.54 million USDT, bridged the funds to Ethereum mainnet via Across Protocol, converted the USDT into an additional 401.13 ETH, and then consolidated the total approximately 1,807 ETH (roughly $6.9 million) back into Tornado Cash. Velocore offered a 10% white-hat bounty (approximately $680,000) via an on-chain message to the attacker and requested cooperation from exchanges and bridges to trace activity. As of available reporting, the attacker has not responded and no funds have been recovered.","heading":"Fund Flow and Laundering via Tornado Cash","severity":"critical","sources":[{"credibility":2,"name":"Merkle Science — Investigating the Velocore Hack and Flow of Funds","type":"on_chain","url":"https://www.merklescience.com/blog/investigating-the-velocore-hack-and-flow-of-funds"},{"credibility":2,"name":"Coinspeaker — Velocore DEX Offers Exploiter 10% White Hat Bounty","type":"news_article","url":"https://www.coinspeaker.com/velocore-dex-white-hat-bounty-hack/"},{"credibility":2,"name":"The Block — Velocore Addresses $7M Hack In Postmortem","type":"news_article","url":"https://www.theblock.co/post/298032/decentralized-exchange-velocore-addresses-7-million-hack-in-postmortem-offers-bounty-to-hacker"}]},{"content":"Following the exploit, Consensys-operated Linea unilaterally paused block production at blocks 5081800–5081801 to prevent additional ETH from being bridged out and to censor the attacker's addresses. Linea stated that the hacker had been converting stolen assets into ETH at a rate that threatened broader ecosystem stability. The decision drew immediate criticism from prominent industry figures. Helius Labs CEO Mert Mumtaz stated that Consensys had 'unilaterally turned off the chain' and characterized it as 'not crypto.' Matter Labs CEO Alex Gluchowski called sequencer decentralization 'not optional' for serious L2 stacks. Linea acknowledged its network was in a 'training wheels' phase and committed to eventual sequencer decentralization, stating that once fully decentralized, its team would 'no longer have the ability to halt block production and censor addresses.' The incident crystallized broader concerns about the degree of centralized control retained by L2 operators during the current phase of rollup development.","heading":"Linea Sequencer Halt and Centralization Controversy","severity":"high","sources":[{"credibility":2,"name":"CryptoSlate — Linea Under Scrutiny for Unilateral Block Production Halt","type":"news_article","url":"https://cryptoslate.com/linea-under-scrutiny-for-unilateral-block-production-halt-amid-velocore-hack/"},{"credibility":2,"name":"Unchained Crypto — Consensys Linea Briefly Halts Block Production","type":"news_article","url":"https://unchainedcrypto.com/consensys-linea-briefly-halts-block-production-after-6-8-million-velocore-dex-exploit/"},{"credibility":2,"name":"The Block — Linea Reaffirms Decentralization Plan After Halt","type":"news_article","url":"https://www.theblock.co/amp/post/298062/linea-decentralization-velocore-hack"},{"credibility":2,"name":"The Defiant — Linea Halts Network After Velocore Exploit","type":"news_article","url":"https://thedefiant.io/news/defi/linea-halts-network-after-velocore-exploit"}]},{"content":"Velocore published a post-mortem on Medium acknowledging the exploit and expressing apologies to affected users. The team stated it had disabled the vulnerable logic to prevent copycat attacks, taken a pre-exploit on-chain snapshot for use in a future compensation plan, and was investigating attacker activity in coordination with exchanges and blockchain analytics providers. As of available reporting, no concrete compensation mechanism had been publicly delivered. The protocol's website at velocore-v2.com remained accessible following the incident, but TVL on both zkSync Era and Linea deployments was effectively eliminated as a result of the pool drains. The VC governance token's market capitalization suffered significant decline in the wake of the exploit.","heading":"Protocol Response and Compensation","severity":"high","sources":[{"credibility":1,"name":"Velocore — Incident Post-Mortem (Medium)","type":"official","url":"https://velocorexyz.medium.com/velocore-incident-post-mortem-6197020ec3e9"},{"credibility":2,"name":"Crypto Daily — Velocore Addresses $7M Hack, Offers 10% White Hat Bounty","type":"news_article","url":"https://cryptodaily.co.uk/2024/06/velocore-addresses-7m-hack-in-postmortem-offers-10-white-hat-bounty"},{"credibility":2,"name":"Web3 Is Going Great — Velocore Hack","type":"community_report","url":"https://www.web3isgoinggreat.com/?id=velocore-hack"}]},{"content":"Velocore's founding team has not publicly disclosed named identities. The project's official X account (@velocorexyz) and Medium blog represent the primary public-facing communications channels, and no named founders, lead developers, or executives have been identified in available reporting. The anonymous team structure limits accountability in the context of the June 2024 exploit: affected liquidity providers have no identifiable individuals to pursue for negligence or restitution. The ve(3,3) governance model, while theoretically community-controlled, concentrated effective protocol decision-making in an undisclosed development team prior to and during the exploit response.","heading":"Anonymous Team and Governance Risk","severity":"medium","sources":[{"credibility":1,"name":"Velocore Official X Account","type":"official","url":"https://x.com/velocorexyz"},{"credibility":2,"name":"CryptoRank — Velocore Review","type":"research","url":"https://cryptorank.io/news/feed/28b10-207391-velocore-review"}]},{"content":"Following the June 2024 exploit, Velocore's TVL across zkSync Era and Linea was effectively zeroed. The protocol website remained online as of available reporting, and the team indicated intention to resume operations with a compensation plan for affected users. However, no verified evidence of a meaningful TVL recovery or active development resumption has emerged in subsequent months. DefiLlama maintains separate entries for Velocore V1 and Velocore V2, reflecting the multi-phase deployment history. The incident, combined with the absence of fund recovery and an undisclosed team, represents significant barriers to user confidence recovery.","heading":"Protocol Status Post-Exploit","severity":"high","sources":[{"credibility":2,"name":"DefiLlama — Velocore V2","type":"on_chain","url":"https://defillama.com/protocol/velocore-v2"},{"credibility":2,"name":"DefiLlama — Velocore Hacks Database","type":"on_chain","url":"https://defillama.com/hacks"}]}],"sources_used":[{"name":"Rekt News — Velocore Rekt","type":"news_article","url":"https://rekt.news/velocore-rekt/"},{"name":"Velocore — Incident Post-Mortem (Medium)","type":"official","url":"https://velocorexyz.medium.com/velocore-incident-post-mortem-6197020ec3e9"},{"name":"The Block — Velocore Addresses $7M Hack","type":"news_article","url":"https://www.theblock.co/post/298032/decentralized-exchange-velocore-addresses-7-million-hack-in-postmortem-offers-bounty-to-hacker"},{"name":"The Block — Linea Reaffirms Decentralization Plan","type":"news_article","url":"https://www.theblock.co/amp/post/298062/linea-decentralization-velocore-hack"},{"name":"Unchained Crypto — Linea Halts Block Production","type":"news_article","url":"https://unchainedcrypto.com/consensys-linea-briefly-halts-block-production-after-6-8-million-velocore-dex-exploit/"},{"name":"CryptoSlate — Linea Under Scrutiny","type":"news_article","url":"https://cryptoslate.com/linea-under-scrutiny-for-unilateral-block-production-halt-amid-velocore-hack/"},{"name":"The Defiant — Linea Halts Network","type":"news_article","url":"https://thedefiant.io/news/defi/linea-halts-network-after-velocore-exploit"},{"name":"Merkle Science — Velocore Hack Flow of Funds","type":"research","url":"https://www.merklescience.com/blog/investigating-the-velocore-hack-and-flow-of-funds"},{"name":"Vibranium Audits — Velocore $6.8M Exploit Analysis","type":"research","url":"https://www.vibraniumaudits.com/post/velocores-6-8-million-exploit-fast-and-furious-losses-in-crypto"},{"name":"Neptune Mutual — Closer Look at Velocore Exploit","type":"research","url":"https://neptunemutual.com/blog/taking-a-closer-look-at-velocore-exploit/"},{"name":"Velocore Docs — Three Rounds of Audits","type":"official","url":"https://docs.velocore.xyz/security-and-contract-address/three-rounds-of-audits"},{"name":"Hacken — Velocore Audits","type":"research","url":"https://hacken.io/audits/velocore/"},{"name":"Coinspeaker — Velocore White Hat Bounty","type":"news_article","url":"https://www.coinspeaker.com/velocore-dex-white-hat-bounty-hack/"},{"name":"Web3 Is Going Great — Velocore Hack","type":"community_report","url":"https://www.web3isgoinggreat.com/?id=velocore-hack"},{"name":"DefiLlama — Velocore V2","type":"on_chain","url":"https://defillama.com/protocol/velocore-v2"},{"name":"Crypto Daily — Velocore White Hat Bounty","type":"news_article","url":"https://cryptodaily.co.uk/2024/06/velocore-addresses-7m-hack-in-postmortem-offers-10-white-hat-bounty"},{"name":"Smart Contract Hacking — Velocore V2 Hack 2024","type":"research","url":"https://smartcontractshacking.com/hacks/velocore-v2-hack-2024"}],"summary":"Velocore was a ve(3,3) decentralized exchange deployed on zkSync Era and Linea that suffered a critical smart contract exploit on June 2, 2024, resulting in the theft of approximately $6.8 million in ETH. A vulnerability in the protocol's Balancer-style CPMM pool fee calculation logic allowed an attacker to manipulate the feeMultiplier parameter beyond 100%, enabling draining of all volatile liquidity pools. Stolen funds were laundered through Tornado Cash with no recovery, and the hack triggered a controversial unilateral block production halt by Linea's sequencer operator Consensys.","timeline":[{"date":"2023-04-01","event":"Velocore launches as the first ve(3,3) DEX on zkSync Era mainnet.","source":"Velocore Medium","source_url":"https://velocorexyz.medium.com/velocore-comes-to-zksync-era-6dbb6148ae7f"},{"date":"2023-08-01","event":"Velocore V2 completes three security audits by Zokyo, Hacken, and Scalebit.","source":"Velocore Docs","source_url":"https://docs.velocore.xyz/security-and-contract-address/three-rounds-of-audits"},{"date":"2023-05-28","event":"Velocore announces V2 expansion to Linea, describing it as independent from the zkSync Era deployment.","source":"Velocore Medium","source_url":"https://velocorexyz.medium.com/stepping-into-the-future-velocore-v2-launches-on-linea-319a69f0a692"},{"date":"2024-06-02","event":"Exploit occurs: attacker manipulates CPMM fee calculation via velocore__execute(), drains all volatile pools on zkSync Era and Linea. Approximately 1,807 ETH (~$6.8–6.9M) stolen.","source":"Rekt News","source_url":"https://rekt.news/velocore-rekt/"},{"date":"2024-06-02","event":"Linea (Consensys) halts block production and censors attacker addresses to prevent further bridging of stolen funds.","source":"CryptoSlate","source_url":"https://cryptoslate.com/linea-under-scrutiny-for-unilateral-block-production-halt-amid-velocore-hack/"},{"date":"2024-06-02","event":"Attacker bridges stolen funds from zkSync Era and Linea to Ethereum mainnet via Across Protocol, converting to ~1,807 ETH total before depositing into Tornado Cash.","source":"Merkle Science","source_url":"https://www.merklescience.com/blog/investigating-the-velocore-hack-and-flow-of-funds"},{"date":"2024-06-03","event":"Velocore publishes incident post-mortem, offers 10% white-hat bounty (~$680K) to attacker for return of funds. Attacker does not respond.","source":"The Block","source_url":"https://www.theblock.co/post/298032/decentralized-exchange-velocore-addresses-7-million-hack-in-postmortem-offers-bounty-to-hacker"},{"date":"2024-06-05","event":"Linea reaffirms decentralization roadmap following widespread criticism over its unilateral sequencer halt.","source":"The Block","source_url":"https://www.theblock.co/amp/post/298062/linea-decentralization-velocore-hack"}]},"v":1}