Quick Summary
- What occurred: A critical flash-loan exploit drained about $10 million from Velocore DEX, which runs on zkSync Era and Linea.
- Targeted assets: Volatile liquidity pools, particularly those using the CPMM model.
- Immediate impact: Over 700 ETH (roughly $6.9 million) funneled through Tornado Cash to hide tracks.
The Breach: How the Hacker Pulled It Off
- Attack vector: The attacker executed a flash-loan attack—borrowing a large amount briefly—and manipulated the fee logic in Velocore’s CPMM pools to miscalculate balances, enabling massive unauthorized withdrawals.
- Assets drained: Close to 700 ETH and ~1.5 million USDT, later consolidated into about 1,807 ETH (~$6.9 M), then sent through Across Protocol and Tornado Cash to obfuscate origin.
Immediate Defensive Measures
- Linea responded by pausing block production temporarily to halt the attack and investigate the flaw.
- Velocore clarified that its stablecoin pools remained unaffected and users could still withdraw funds from them.
Ongoing Recovery & White‑Hat Bounty Offer
- Coordination efforts: Velocore is working alongside security experts (e.g., Hacken, Zokyo, Scalebit, Hexagate, Hypernative) and has asked CEXs to freeze stolen funds.
- White-hat incentive: An on-chain message offered a 10% bug bounty if the hacker returns the remaining loot by June 3.
- Investigation: They’ve initiated tracking of exploiter wallets and set up post-mortem reviews to reinforce security.
Broader Implications for DeFi
- Smart contract vigilance: Even audited protocols (Velocore had audits from Zokyo, Hacken, Scalebit) can be vulnerable due to complex fee logic and boundary check failures.
- Flash-loan threat: These attacks are on the rise, exploiting briefly funded but powerful operations—bridging assets and exploiting transient loopholes.
- Cross-chain laundering: The route through Tornado Cash highlights how stolen funds are quickly disguised across chains.
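
To make the point about fee logic and boundary checks concrete, here is an added example (not Velocore's code and not a reconstruction of the actual bug): a toy constant-product pool in Python with a fuzz loop that asserts pool invariants. The basis-point fee scale, the function names and the random inputs are all constructed for illustration.

```python
import random

FEE_DENOM = 10_000  # fee scale in basis points (assumed for this toy model)

def swap_out(reserve_in, reserve_out, amount_in, fee_bps, check_bounds=True):
    """Output of a constant-product (x*y=k) swap, fee taken from the input."""
    if check_bounds and not 0 <= fee_bps < FEE_DENOM:
        raise ValueError(f"fee {fee_bps} bps outside [0, {FEE_DENOM})")
    if min(reserve_in, reserve_out, amount_in) <= 0:
        raise ValueError("reserves and amount must be positive")
    after_fee = amount_in * (FEE_DENOM - fee_bps) // FEE_DENOM
    return reserve_out * after_fee // (reserve_in + after_fee)

def invariant_violations(fees, trials=50, seed=1, check_bounds=True):
    """Fuzz random pools and swaps; return every case that breaks a pool invariant."""
    rng = random.Random(seed)
    bad = []
    for fee in fees:
        for _ in range(trials):
            r_in, r_out = rng.randint(10**3, 10**9), rng.randint(10**3, 10**9)
            a_in = rng.randint(1, 10**9)
            try:
                out = swap_out(r_in, r_out, a_in, fee, check_bounds)
            except ValueError:
                continue  # input rejected up front: the safe outcome
            except ZeroDivisionError:
                bad.append((fee, r_in, r_out, a_in, "division by zero"))
                continue
            pays_sanely = 0 <= out < r_out  # never negative, never the whole reserve
            k_holds = (r_in + a_in) * (r_out - out) >= r_in * r_out
            if not (pays_sanely and k_holds):
                bad.append((fee, r_in, r_out, a_in, out))
    return bad

if __name__ == "__main__":
    print("in-range fees, no check:", len(invariant_violations([0, 30, 9_999], check_bounds=False)))
    print("out-of-range, no check: ", len(invariant_violations([10_001, 50_000], check_bounds=False)))
    print("out-of-range, checked:  ", len(invariant_violations([10_001, 50_000])))
```

With fees inside the valid range the invariants hold on every trial; once the fee parameter can leave that range and nothing rejects it, every trial produces a negative or oversized payout, which is the kind of logic failure an invariant test surfaces even when a line-by-line review does not.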
Advice for DeFi Participants
- Exercise caution with new or volatile liquidity pools—use small trial deposits first.
- Monitor dev announcements for contract changes, bounties, or recovery plans.
- Avoid storing large assets in freshly deployed or audited-but-risky environments.
- Stay informed via security forums and on-chain scanning tools for suspicious fund flows.
Takeaways & Moving Forward
- Even mature DeFi platforms aren’t immune—comprehensive audits aren't enough without rigorous logic testing.
- Breaches like these erode user trust in zk-rollup ecosystems, prompting calls for more robust security frameworks.
- Community-driven initiatives—bounties, transparent reporting, collaboration with CEXs—can help contain damage and perhaps recover assets.
