Friday Periodical #8: Velocore Exploit

vers La Lune
Hyacinth Friday Periodical
Jul 5, 2024

Happy Friday, auditors! This week on the Friday Periodical we’re going to hop back in time a bit to talk about an exploit that hit Velocore on zkSync and Linea in June. This exploit spurred a lot of discussion, both because of its size and because of how the chains responded to rectify the situation.

To begin with, Velocore was a DEX which was gaining steam on Linea and zkSync and peaked with a TVL of $25 million. However, due to this exploit, all users’ LPs were stolen, which in total meant $10 million was stolen. In order to stop the exploiter, Linea stopped producing blocks between 5081800 and 5081801 for about an hour. Afterwards, the hackers transferred part of the ETH across chain to Ethereum mainnet (link: https://etherscan.io/address/0x8CDc37eD79C5EF116b9Dc2A53Cb86ACaca3716bF). Velocore has gone on record to claim they received three separate rounds of audits from Zokyo, Hacken and Scalebit. Consequently, they determined that their protocol was safe. That is a reasonable assumption, but when you’re dealing with a protocol this big, audits should be a regular occurrence any time a major code push occurs.

The reason we bring this to your attention is that it calls into question the centralized versus decentralized discussion for blockchains. While it is convenient that Linea was able to stop producing blocks to stop the attackers, it causes users to question whether Linea will choose to stop producing blocks whenever it fancies. While it is unfortunate that major hacks happen on chains like Ethereum, there is comfort in knowing that the chain is decentralized and no single entity can stop the production of blocks when it wishes. At the same time, if there is a benevolent entity in control of the blocks, there is safety in knowing that the chain can stop, reorg or roll back and protect users from malicious actors.

As more users enter the space, the diehard purists will gradually become more of a minority voice. Many casual users are willing to sacrifice decentralization and macro security for safety on the microscale. There’s no right or wrong answer to this, and I believe the beauty of web3 is that there are protocols for all users’ desires, which can ultimately become interoperable as we continue to grow the space. What do you think? As we onboard more users, should we continue to stick to the fundamentalist approach, or should we integrate the concerns of new users and allow chains to reorg or recover your private key, for instance? Leave a comment and let us know!

Conclusion

Thanks for reading! We hope that you found our deep dive informative and interesting. If you are building something and would like to prevent similar hacks, or any exploit, from harming your project, please reach out to Hyacinth Audits at tthomas@hyacinthaudits.xyz or post your own bounty so we can match you with the best auditor for your project!
