Velocore, a decentralized finance (DeFi) platform, recently experienced a significant security breach resulting in the loss of over $6.8 million.
The attacker exploited a vulnerability within the LP Pool contract, ultimately transferring the stolen funds to Ethereum and then laundering them through Tornado.Cash.
The attacker, identified by the address 0x8CDc37eD79C5EF116b9Dc2A53Cb86ACaca3716bF, used a sophisticated method to manipulate the platform’s feeMultiplier parameter. This parameter directly affects the number of tokens exchanged in transactions.
By constructing a specific parameter to invoke the velocore__execute function (0xec378808) of the LP contract, the attacker successfully altered the feeMultiplier.
Following this manipulation, the attacker proceeded to exploit the altered feeMultiplier parameter by calling the execute function (0xd3115a8a) via the router contract. This allowed the attacker to drain significant funds from the LP pool.
The stolen assets were then bridged to Ethereum, converted into $ETH, and subsequently funneled into Tornado.Cash, a privacy-focused mixing service, to obscure the transaction trail.
The incident highlights a critical need for rigorous security measures and permission verifications within smart contracts. As DeFi continues to grow, ensuring the robustness and security of financial protocols is paramount to protect user funds and maintain trust in decentralized systems.
Velocore’s team is actively investigating the breach and working on strengthening their security protocols to prevent future attacks. Users are advised to stay vigilant and monitor updates from Velocore regarding the security of their funds and potential recovery efforts. This breach underscores the importance of continuous security audits and the implementation of robust defensive measures in the rapidly evolving DeFi landscape.
Disclosure: This is not trading or investment advice. Always do your research before buying any Metaverse crypto coins.