SolidityScan
HACK ANALYSIS 2 min read

VeloCore Hack Analysis

VeloCore Hack Analysis

Overview:

On June 1, 2024, VeloCore suffered an attack due to an access control issue, leading to a total loss of over 6.8M USD.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • The attacker exploited a lack of permission verification in the LP Pool, allowing them to directly call the velocore__execute function with specially crafted parameters.
  • By manipulating the feeMultiplier parameter through the velocore__execute function, the attacker altered the calculation affecting the number of tokens exchanged.
  • The manipulated feeMultiplier was then used in a subsequent call to the execute function via the router contract, enabling the attacker to drain funds from the LP pool.
  • The combination of these actions resulted in the attacker successfully siphoning off funds from the LP pool.
Fig: The root cause of the vulnerability

Mitigation and Best Practices:

  • Add robust permission checks to the velocore__execute function to ensure only authorized users or contracts can invoke it. This could involve verifying the caller’s identity or requiring a valid authorization token.
  • Implement strict validation for all parameters, especially those affecting critical calculations like feeMultiplier. This includes checking for reasonable value ranges and preventing any unexpected or out-of-bounds values.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

MineSTM Hack Analysis
Uwulend Hack Analysis