Velocore: Fee Multiplier Manipulation + Underflow → Liquidity Token Mint
Velocore lost $6.8M across Linea and zkSync when an attacker directly called an unprotected execution function to inflate fee multipliers past 100%, then triggered an underflow in a single-token withdrawal to mint unlimited liquidity tokens — and Linea halted block production in response, raising centralization alarms.
Summary #
Velocore suffered a DEX / AMM (Balancer-style CPMM) on 2024-06-02, resulting in a loss of approximately $7M.
What happened #
Velocore lost $6.8M across Linea and zkSync when an attacker directly called an unprotected execution function to inflate fee multipliers past 100%, then triggered an underflow in a single-token withdrawal to mint unlimited liquidity tokens — and Linea halted block production in response, raising centralization alarms.
Linked factors #
- RD-F-007 — related : Bug bounty absent — baseline integrity gap [via dashboard_risk_factors/Bug bounty: Yes — 10% bug bounty offered post-hack (no pre-hack bounty mentioned)]
- RD-F-090 — illustrative : Mixer withdrawal → protocol interaction [via realtime_signals/Pre-exploit on-chain signals: Tornado Cash funding + bridge to Linea/zkSync; direct invocation of velocore__execute() with non-standard parameters]
- RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — large flash loan as part of exploit sequence]
- RD-F-111 — causal : Team doxx status — pseudonymous-no-track-record class [via dashboard_risk_factors/Team anonymity: Unknown]
- RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Balancer-style CPMM architecture]