Sonne Finance Suffers $20 Million Hack
Summary #
On May 14, 2024, Sonne Finance was exploited on the Optimism chain, which led to a loss of nearly $20 million worth of assets including USDC, WETH and VELO. Sonne Finance is a decentralized liquidity protocol that offers Lending, Borrowing and Earning opportunities on Optimism and Base chains. The root cause of the exploit is a precision loss smart contract vulnerability. Sonne Finance’s smart contracts are a fork of CompoundV2, and precision loss vulnerability is a well-known issue with them. The attacker took advantage of the newly deployed VELO market, manipulated its collateral factor, and executed multiple malicious transactions to drain the protocol’s pools.
Attackers #
The identity of the attacker remains unknown. The attacker utilized the following Optimism addresses:
- 0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb
- 0xae4A7cDe7C99fb98B0D5fA414aa40F0300531F43
- 0xB23856525e55dD3AF3Afe13740c2801Efd0ea844
Losses #
Sonne Finance suffered a loss of approximately $20 million in various assets. Lost assets breakdown:
- 2,033,723 USDC
- 162.92 WBTC worth 10,182,500 USD
- 2,462.83 WETH worth 7,265,053 USD
- 2,352 VELO worth 312 USD
Timeline #
- May 5, 2024, 03:29 AM UTC: Sonne Finance team initiated a proposal to add VELO token to their market.
- May 14, 2024, 09:56 PM UTC: The attacker made preparations for the hack by changing collateral factor in soVELO pool.
- May 14, 2024, 10:18 PM UTC: The first malicious transaction was executed with over $3 million worth of USDC.e, WETH and VELO being siphoned.
- May 15, 2024, 00:11 AM UTC: Sonne Finance team announced the pause of all markets on Optimism, and Base markets are not affected.
- May 15, 2024, 03:02 AM UTC: A detailed post-mortem report was published by the protocol’s team.
- May 15, 2024: CertiK, a blockchain security firm, published an in-depth incident analysis report.
- May 16, 2024, 05:45 PM UTC: Sonne Finance team sent an on-chain message to the attacker asking to return stolen funds for 10% bounty.
Security Failure Causes #
Smart Contract Vulnerability: The root cause of the exploit was a precision loss issue, a widely known vulnerability in CompoundV2 forks. The attacker manipulated the collateral factors of a lending pool, by depositing underlying tokens into an empty market to inflate the value of deposited collateral.