
Velocore loses 6.88 million USD worth of ETH, user liquidity wiped out—what happened?
TechFlow Selected TechFlow Selected

Velocore loses 6.88 million USD worth of ETH, user liquidity wiped out—what happened?
The team stated they would provide compensation to affected users and took a snapshot of the blockchain state prior to the attack.
By Ting, BlockTempo
Yesterday, the decentralized exchange Velocore was hacked, resulting in the theft of 1,807 ETH (approximately $6.88 million). Following the incident, Velocore released a report detailing the affected liquidity pools, the attack method, and its subsequent compensation plan.
Velocore, a decentralized trading platform deployed on Layer2 networks zkSync and Linea, suffered a hacker attack yesterday (the 2nd), leading to losses amounting to 1,807 ETH (about $6.88 million).
On-chain analyst Yujin stated that all users' liquidity funds on the platform were drained. The hacker subsequently transferred the stolen funds via cross-chain bridges to the Ethereum mainnet, moved all ETH to the address starting with 0xe40, and used the mixer protocol Tornado to launder and conceal the funds.
Additionally, according to data from DeFi analytics platform DefiLlama, following the hack, Velocore’s total value locked (TVL) plummeted from $10.16 million the previous day to $835,000—a drop of as much as 92%.
Contract Vulnerability Identified
Yesterday, the Velocore team published a security review report regarding this hacking incident. The report identified a contract vulnerability within its Balancer-style CPMM pools as the root cause. It further detailed the security status of each liquidity pool:
-
All CPMM pools on Velocore across Linea and zkSync Era chains were compromised.
-
Stable pools remained unaffected.
-
The same vulnerability existed on the Telos chain version of Velocore, but the team had already addressed it before exploitation occurred.
-
Blast chain’s Bladeswap uses Velocore's core contracts; however, since Bladeswap employs XYK pools instead of CPMM pools, it was not impacted by this contract vulnerability.
Constant Product Market Maker (CPMM) is one of the earliest functions adopted by DeFi liquidity pools, based on the formula x*y=k. Here, x and y represent the reserve amounts of two assets in the pool, while k is a constant. This function determines the price range of two tokens based on their available quantities (liquidity). An increase in token X supply must be offset by a decrease in token Y supply to maintain the constant k.
Another Flash Loan Attack?
According to the report, the attacker first obtained funds through the mixer protocol Tornado to meet the conditions required to trigger the contract vulnerability. Then, they used flash loans to acquire liquidity provider (LP) tokens and withdrew most of the underlying assets, drastically shrinking the liquidity pool size. Subsequently, exploiting a token contract flaw, the attacker minted an abnormally large number of LP tokens to repay the flash loan.
Compensation Only After Resuming Operations
In response to this hack, the Velocore team said it is actively tracking down the attacker and attempting on-chain communication. On-chain messages sent by Velocore to the hacker state:
If the hacker returns the remaining funds by 4 PM on June 3rd, the team is willing to offer a 10% white-hat bug bounty.
However, as of now, the hacker has not responded to Velocore.
Meanwhile, the team also announced plans to compensate affected users and has taken a snapshot of the blockchain state prior to the attack. However, the compensation program will only be initiated once Velocore resumes operations.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News












