Velocore, a decentralised exchange (DEX) operating on zkSync and Linea blockchains, recently fell victim to $10 million hack, targeting the platform's liquidity provider tokens. The vulnerability exploited involved manipulating fee calculations within Velocore's liquidity pools.
The Velocore hack was executed by an attacker who exploited a flaw in the Continuous Product Market Maker (CPMM) mechanism used by Velocore. This mechanism, akin to Balancer's model, was intended to improve trading efficiency and security. However, the attacker manipulated the fee calculation logic, allowing them to drain liquidity pools without raising immediate alarms. The funds were then transferred across chains, ending up on the Ethereum mainnet, primarily converted to 700 ETH.