Velocore Security Breach
On June 2nd, 2024, Velocore suffered a security breach resulting in a loss of approximately $6.8m worth of ETH. This incident highlights the importance of robust security measures in DeFi protocols.
Cause of the Breach:
The vulnerability stemmed from flaws within Velocore’s Balancer-style CPMM pool contracts. These flaws included:
🔗 Fee Rate Calculation Bug: An error in fee calculation allowed the “effective fee” to surpass 100%, leading to malfunctions.
🔗 Underflow During Single-Token Withdrawal: The fee calculation could underflow due to a high “effective fee,” enabling the attacker to mint excessive liquidity provider (LP) tokens.
🔗 Missing Caller Check: The velocore__execute function lacked proper authorization checks, allowing unauthorized parties to exploit it.
Funds Movement: over 1800 ETH ( $6.8m ) have been moved from 0x8cdc37ed79c5ef116b9dc2a53cb86acaca3716bf → 0xe4062fcade7ac0ed47ad794028967a2314ee02b3 → Tornado Cash ( 406 ETH ).
Attacker Actions:
The attacker exploited these vulnerabilities through the following steps:
👁 Fee Manipulation: The attacker manipulated the feeMultiplier to inflate the effectiveFee.
🧠 Flash Loan Attack: They used a flash loan to acquire a large amount of LP tokens quickly and drain pool liquidity.
👀 Underflow Exploit: By executing a small withdrawal, the attacker triggered the underflow bug, minting a significant number of LP tokens (enough to repay the flash loan).
Key Security Insights ( from AMLBot ):
- Early Detection: Monitoring for abnormal transaction volumes, block metadata manipulation, high transaction fees, and decreased mining power can help identify attacks in their early stages.
- Effective Countermeasures: Implementing smart contract freezing, network segmentation, and real-time monitoring systems can mitigate losses and facilitate faster response during an attack.
- Blockchain Forensics: While blockchain offers some anonymity, techniques like real-name authentication and transaction transparency can deter malicious activities.
Velocore Response:
Velocore acknowledges undergoing multiple security audits before the breach and expresses regret for the incident. They are currently working on comprehensive solutions to restore user trust and enhance platform security.
