Velocore, a decentralized exchange (DEX) built on Consensys’ zero-knowledge Ethereum Virtual Machine (zkEVM) and Matter Labs’ zkSync Era, suffered an exploit affecting all of its volatile pools on June 2. Volatile pools are liquidity pools for uncorrelated assets.
The team behind the DEX estimated that the protocol lost approximately $6.8 million worth of ether after the exploiter took advantage of vulnerabilities in its “Balancer-style CPMM pool contract.” They also noted that the exploit was exclusive to volatile pools, and all stable pools remained safe.
The Linea team was alerted to the exploit by blockchain security firm Hexagate, and deployed ecosystem security measures to mitigate damage from the exploit. Those measures included halting the blockchain sequencer to prevent additional funds from being bridged out by the exploiter.
🔊Update on Velocore Incident
The Velocore DEX was exploited. Our teams have been employing our ecosystem security measures to mitigate the damage from this attack. More info in this thread.
Linea network remains secure, this only affected a 3rd party dapp.
— Linea (@LineaBuild) June 2, 2024
“700ETH moved off Linea via a 3rd party bridge. It was the middle of the night, Velocore was still vulnerable and we could not get ahold of their team,” said the Linea team on X.
Linea stopped producing blocks for around an hour between block 5081800 and 5081801, during which time the hacker’s wallet address was censored, and the attacker was also prevented from selling large amounts of ether.
The Linea team also appeared to anticipate criticism from proponents of decentralization, explaining that its decision to halt block production was made to protect users and builders in the ecosystem.
“Like other L2s, we are still in the ‘training wheels’ phase of existence, giving us safeguards to use,” said the Linea team on X.
“Most L2s, including Linea, still rely on centralized technical operations which can be leveraged to protect ecosystem participants. Linea’s core value is a permissionless, censorship-resistant environment so it was not a decision we took lightly.”
Meanwhile, the Velocore team is working on tracking down the exploiter and plans to reimburse the affected users once operations resume.
Root cause has been identified already, and measures have been taken to prevent copycats from using the same method. We are coordinating with other security partners to determine the right time to release the post-mortem article.
In the meantime, all buttons except for withdraw…
— Velocore | veDEX on zkSync Era / Linea ▪️ (@velocorexyz) June 2, 2024