<img src="https://secure.glue1lazy.com/215876.png" style="display:none;">

Investigating the Velocore Hack and Flow of Funds

Velocore, a decentralized exchange that operates on the Telos, zkSync Era, and Linea blockchains, was exploited on the 2nd of June, 2024. Hackers targeted vulnerabilities in Velocore's smart contracts that were responsible for managing liquidity pools.

The exploit tricked Velocore into misinterpreting a small withdrawal as a massive deposit, allowing hackers to drain almost $7.6 million. They specifically targeted "volatile pools" on zkSync Era and Linea.

“Despite undergoing multiple audits and implementing preventive features to ensure security, this unexpected incident happened swiftly. We are deeply saddened and sincerely apologize to our users who have trusted us,” Velocore wrote in a post-mortem report.

Merkle Science’s Flow of Funds Analysis


Flow of Funds from the ‘Velocore Attacker’ Wallet 

  1. The attacker address received a small amount from Tornado Cash to fund the initial attack. 
  2. The attackers capitalized on a critical security flaw within Velocore's smart contracts. This flaw, known as an integer overflow vulnerability, enabled them to manipulate the system and significantly inflate a withdrawal request, essentially tricking the protocol into granting them as a large deposit.
  3. Utilizing this technique, the attackers specifically targeted Velocore's liquidity pools on the zkSync Era and Linea blockchains. This resulted in the unauthorized withdrawal of a substantial sum of crypto assets, estimated to be around $7.6 million.
  4. To obfuscate the origin of the stolen funds, the attackers converted the various crypto assets into more commonly traded tokens. This involved converting some of the stolen assets into 1406 ETH and 1.54 million USDT.
  5. To further obfuscate their trail, the attackers employed a cross-chain bridge protocol called Across Protocol to transfer the stolen assets to the Ethereum mainnet. This effectively moved the assets to a different blockchain, making them more difficult to track.
  6. The attackers likely sought to achieve anonymity by converting the 1.54 million USDT into an additional 401.13 ETH. The total stolen sum, now roughly 1,807 ETH (valued at approximately $6.9 million), was then sent back to Tornado Cash.

Get the list of stolen funds here.

What is integer overflow and how can it be prevented?

Integer overflow is a programming error that occurs when a mathematical operation results in a number too large for the data type storing it. In code, this can happen during calculations or assignments when the result exceeds the maximum or minimum value the data type can hold.

Here's how integer overflow works:

Every data type in programming languages has a specific range of values it can store. For example, an 8-bit integer might hold values from -128 to 127.

If you try to add 1 to 127 (the maximum value for an 8-bit integer), you would expect to get 128.  However, in integer overflow, the result wraps around to the minimum value (-128) instead. This can cause unexpected behavior in your program because the result isn't what the code intended.

Preventing Integer Overflow:

There are several ways to prevent integer overflow in your code:

  1. Use Larger Data Types: If you know you'll be dealing with large numbers, choose a data type with a wider range that can hold much bigger values.
  2. Check Before Operation: You can add a check before performing the operation to see if the result will overflow. 
  3. Use Libraries: Some programming languages offer libraries or built-in functions that handle integer arithmetic safely and can prevent overflow.
  4. Be Cautious with Loops: Be mindful of loops that involve incrementing or decrementing variables. If not done carefully, they can lead to overflow.

For a deeper dive into integer overflow vulnerabilities and how to prevent them, read Merkle Science's latest HackHub report. This report provides a comprehensive analysis of common vulnerabilities and best practices for secure smart contract coding.