Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
The Velocore DEX suffered a security breach on June 2nd, 2024, resulting in losses of approximately $6.8 million in ETH. The primary cause of the incident was faulty logic within the velocore__execute() function of the ConstantProductPool. When a user makes a swap on Velocore, the Vault contract makes an external call to this function to calculate the result of the swap.

Attack method (per SlowMist): Contract Vulnerability. Reported loss: $6,800,000.
- chain: —
- protocol: Velocore
- bug_class: logic
- date_occurred: 2024-06-02
- loss_usd: $6,800,000
- source_id: sm:velocore::2024-06-02