Sonne Finance, a decentralized finance (DeFi) lending platform operating on the Optimism and Base Layer 2 networks, experienced a security breach that resulted in the theft of $20 million worth of tokens.
In response, the platform promptly halted its markets on Optimism to mitigate further losses.
Sonne Finance Attributes Exploit to Fork Vulnerability
On May 14, at approximately 10:30 pm UTC, Cyvers, a Web3 security firm, sounded the alarm on an active attack targeting Sonne Finance’s USD Coin (USDC) and Wrapped Ether (WETH) contracts.
Just 25 minutes after the attack, Sonne Finance discovered that the thief had already stolen $20 million in WETH, VELO, soVELO, and Wrapped USDC (USDC.e).
Subsequently, the platform collaborated with Cyvers to comprehensively investigate the incident. Sonne Finance is pursuing various avenues to recover the stolen assets, including negotiating a bug bounty with the hacker.
This approach involves the hacker returning most of the stolen funds while keeping around 10% as a reward for identifying a security vulnerability.
Post-mortem on the exploit of Sonne Finance markets on Optimism https://t.co/gBXDsl8ucA
— Sonne Finance (@SonneFinance) May 15, 2024
According to the post-incident report from Sonne Finance, the team introduced a new market contract for VELO along with a governance proposal to activate it.
Four days after the proposal’s approval, the attacker made their move, becoming the first entity to execute the contract after the 24-hour timelock had elapsed. The hacker exploited a known exchange rate vulnerability, in which an attacker inflates the value of their collateral so that the lending pool releases large amounts of tokens.
The @SonneFinance team deployed the $VelodromeV2 market contract 4 days ago: https://t.co/bwduA1Haln
Then, two days ago, they scheduled an operation to add $VelodromeV2 to the market: https://t.co/698hoqvzM5
Here’s the problem: It’s been over a year since the First Deposit… pic.twitter.com/z8hRI7I0fX
— PoorBabyCorn (💙,🧡) (@GiantBabyCorn) May 15, 2024
Following the breach, Sonne Finance immediately halted all markets on the Optimism network on May 15 at 12:11 am UTC, while operations on the Base network continued as normal.
All markets on Optimism have been paused.
Markets on Base are safe.
We'll provide more information with time.
— Sonne Finance (@SonneFinance) May 15, 2024
This exploit is not unique to Sonne Finance. Hundred Finance experienced a similar vulnerability on April 15, 2023, when the hacker manipulated the exchange rate to inflate the collateral value, thereby draining lending pools with only a small amount of tokens.
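The exchange rate weakness described above for Sonne Finance and Hundred Finance can be seen in a small integer model; this is an added example, not code from Sonne Finance or from the post-mortem. It assumes Compound-v2-style share accounting (exchange rate = underlying held / shares outstanding), which the article does not spell out, and every function name and number in it is constructed for illustration, including the seeding threshold used by the listing guard.

```python
# Added example: integer model of Compound-v2-style share accounting (an assumption).
# Function names and all numbers are constructed for illustration.
SCALE = 10**18  # fixed-point scale of the exchange rate


def exchange_rate(cash, borrows, reserves, total_supply):
    """Underlying per share, scaled by SCALE (1:1 when no shares exist)."""
    if total_supply == 0:
        return SCALE
    return (cash + borrows - reserves) * SCALE // total_supply


def borrowing_power(shares, rate, collateral_factor_bps):
    """Underlying units a holder of `shares` may borrow against."""
    return shares * rate // SCALE * collateral_factor_bps // 10_000


def rate_after_unminted_inflow(cash, total_supply, inflow):
    """Rate once the underlying balance grows by `inflow` with no shares minted."""
    return exchange_rate(cash + inflow, 0, 0, total_supply)


def safe_to_enable(total_supply, min_seed_shares):
    """Listing guard: refuse a non-zero collateral factor until the market is seeded."""
    return total_supply >= min_seed_shares


def compare(inflow=1_000_000, collateral_factor_bps=7_000):
    """Borrowing power of 2 shares before/after `inflow`, thin vs. seeded market."""
    out = {}
    for name, supply in (("thin", 2), ("seeded", 10**9)):
        cash = supply  # market starts at a 1:1 rate
        before = exchange_rate(cash, 0, 0, supply)
        after = rate_after_unminted_inflow(cash, supply, inflow)
        out[name] = (
            borrowing_power(2, before, collateral_factor_bps),
            borrowing_power(2, after, collateral_factor_bps),
            safe_to_enable(supply, min_seed_shares=10**6),
        )
    return out


if __name__ == "__main__":
    for market, (bp_before, bp_after, ok) in compare().items():
        print(f"{market}: borrowing power {bp_before} -> {bp_after}, listing allowed: {ok}")
```

In the thin market the same two shares go from backing 1 unit of borrowing to 700,001, while in the seeded market they stay at 1, which is why a new market should hold a meaningful share supply before its collateral factor is switched on.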
Sonne Finance Hacker Moved $7.8 Million to New Address
After compromising Sonne Finance’s security, the hacker did not yield to negotiation attempts and transferred a substantial portion of the stolen funds, amounting to $7.8 million, to a newly created wallet address.
#PeckShieldAlert @SonneFinance exploiter-labeled address has transferred $7.8M worth of cryptos, including 100 $WBTC & 556.1 $ETH, to a new address 0x6277…4c07 #Optimism pic.twitter.com/g4oiP5akr4
— PeckShieldAlert (@PeckShieldAlert) May 15, 2024
The hacker then exchanged 59 Wrapped Bitcoin (WBTC) tokens for roughly 1,185 Ethereum (ETH) and 183,000 Dai stablecoins. This latest development indicates an intention to hide the trail of the stolen funds by potentially funneling them through privacy-focused protocols such as Tornado Cash.