Sonne Finance Suffers $20 Million Hack
Summary
On May 14, 2024, Sonne Finance was exploited on the Optimism chain, which led to a loss of nearly $20 million worth of assets including USDC, WETH and VELO. Sonne Finance is a decentralized liquidity protocol that offers lending, borrowing and earning opportunities on the Optimism and Base chains. The root cause of the exploit was a precision loss vulnerability in the smart contracts. Sonne Finance’s contracts are a fork of CompoundV2, and the precision loss vulnerability is a well-known issue in CompoundV2 forks. The attacker took advantage of the newly deployed VELO market, manipulated its collateral factor, and executed multiple malicious transactions to drain the protocol’s pools.
Attackers
The identity of the attacker remains unknown. The attacker utilized the following Optimism addresses:
- 0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb
- 0xae4A7cDe7C99fb98B0D5fA414aa40F0300531F43
- 0xB23856525e55dD3AF3Afe13740c2801Efd0ea844
Losses
Sonne Finance suffered a loss of approximately $20 million in various assets. Breakdown of the lost assets:
- 2,033,723 USDC
- 162.92 WBTC worth 10,182,500 USD
- 2,462.83 WETH worth 7,265,053 USD
- 2,352 VELO worth 312 USD
Timeline
- May 5, 2024, 03:29 AM UTC: The Sonne Finance team initiated a proposal to add the VELO token to their markets.
- May 14, 2024, 09:56 PM UTC: The attacker prepared for the hack by changing the collateral factor of the soVELO pool.
- May 14, 2024, 10:18 PM UTC: The first malicious transaction was executed, siphoning over $3 million worth of USDC.e, WETH and VELO.
- May 15, 2024, 00:11 AM UTC: The Sonne Finance team announced that all markets on Optimism were paused; Base markets were not affected.
- May 15, 2024, 03:02 AM UTC: A detailed post-mortem report was published by the protocol’s team.
- May 15, 2024: CertiK, a blockchain security firm, published an in-depth incident analysis report.
- May 16, 2024, 05:45 PM UTC: The Sonne Finance team sent an on-chain message to the attacker asking for the return of the stolen funds in exchange for a 10% bounty.
Security Failure Causes
Smart Contract Vulnerability: The root cause of the exploit was a precision loss issue, a widely known vulnerability in CompoundV2 forks. The attacker manipulated the collateral factor of a lending pool by depositing underlying tokens into an empty market, which inflated the value of the deposited collateral.
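The empty-market precision loss described above, modelled as an added example that is not code from Sonne Finance or CompoundV2. The `Market` class, `truncation_loss`, `safe_to_enable_collateral`, the `MIN_SEED_SUPPLY` threshold and the initial exchange rate constant are assumptions of this simplified model, and every amount is constructed.

```python
# Added example (not Sonne Finance or CompoundV2 code): a simplified model of cToken
# accounting showing where precision loss appears in an empty market, plus a pre-listing guard.
MANTISSA = 10**18           # CompoundV2 fixed-point scale
INITIAL_RATE = 2 * 10**26   # initialExchangeRateMantissa of CompoundV2-style cTokens (assumed)
MIN_SEED_SUPPLY = 10**8     # guard threshold (assumed): at least 1 cToken (8 decimals) locked


class Market:
    """Minimal cToken-style market; integer division mirrors Solidity truncation."""

    def __init__(self):
        self.cash = 0               # underlying held by the market
        self.total_supply = 0       # cTokens outstanding
        self.collateral_factor = 0  # scaled by 1e18; 0 means the asset cannot be used as collateral

    def exchange_rate(self):
        # CompoundV2: (cash + borrows - reserves) * 1e18 / totalSupply; borrows and reserves are 0 here.
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * MANTISSA // self.total_supply

    def mint(self, amount):
        # cTokens received = amount * 1e18 / exchangeRate, truncated; the remainder is lost.
        minted = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += minted
        return minted

    def donate(self, amount):
        # Underlying transferred straight to the contract: cash rises, no cTokens are minted.
        self.cash += amount

    def collateral_value(self, ctokens):
        # Borrowing power of a cToken position = ctokens * exchangeRate * collateralFactor.
        underlying = ctokens * self.exchange_rate() // MANTISSA
        return underlying * self.collateral_factor // MANTISSA


def truncation_loss(market, amount):
    """Underlying value a depositor loses to rounding if they mint `amount` right now."""
    minted = amount * MANTISSA // market.exchange_rate()
    return amount - minted * market.exchange_rate() // MANTISSA


def safe_to_enable_collateral(market):
    """Guard: raise the collateral factor above zero only once a locked seed supply exists."""
    return market.total_supply >= MIN_SEED_SUPPLY
```

With a residual supply of two cToken units and a direct transfer of one million underlying tokens, one cToken unit is valued at hundreds of thousands of tokens and an ordinary deposit of 400,000 tokens rounds down to zero cTokens, which is the precision loss the guard is meant to prevent.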