Lending protocol Sonne Finance halted operations after a hack drained $20 million in cryptocurrencies, including WETH and USDC.
On May 14, around 10:30 pm UTC, Web3 security firm Cyvers detected an ongoing attack on Sonne Finance’s USDC and Wrapped Ether (WETH) contracts. At that time, the attacker had stolen only $3 million in cryptocurrency.
🚨ALERT📷We have detected an attack on @SonneFinance, $3 million have been stolen from their USDC and WETH contracts.
Please contact us for more information. pic.twitter.com/tA4Heigfj7
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) May 14, 2024
However, Sonne Finance only became aware of the issue 25 minutes later. By that time, they had already been drained of $20 million of WETH, Velo (VELO), soVELO, and Wrapped USDC (USDC.e).
On May 15 at 12:11 a.m. UTC, Sonne Finance made a vague announcement on X. They said, “All markets on Optimism have been paused” and that “Markets on Base are safe.” They also told users that more information would be provided “with time.”
All markets on Optimism have been paused.
Markets on Base are safe.
We'll provide more information with time.
— Sonne Finance (@SonneFinance) May 15, 2024
Soon after, the protocol partnered with Cyvers to investigate the situation further.
How Sonne Finance Was Exploited
Three hours after their initial announcement, Sonne explained the situation further in a press release.
The Optimism chain of Sonne Finance was exploited through a known donation attack on Compound v2 forks.
Previously, Sonne had guarded against the issue by listing new markets with a 0% collateral factor, adding collateral and burning it, and only then gradually increasing the collateral factor based on proposals.
However, a recent proposal was approved to integrate VELO markets into Sonne. Transactions were scheduled on a multi-sig wallet with a 2-day timelock.
The exploit occurred as the timelock ended, allowing the hacker to execute transactions for market creation and adding collateral factors.
After executing the market transactions undetected, the attacker was able to exploit the protocol for $20 million. However, the remaining $6.5M was saved by adding $100 worth of VELO to the markets.
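The sequencing problem described above can be checked before a proposal is queued. The following is an added example, not Sonne Finance's code or tooling: it explores every order in which queued timelock transactions could be executed and reports any order that leaves a market with a non-zero collateral factor before it has been seeded. The step names, the 0.35 factor, and the assumption that each queued transaction can be executed independently by anyone once the timelock expires are hypothetical; the atomic batch is shown only for comparison.

```python
# Added example: a constructed model, not Sonne Finance's contracts or tooling.
MIN_SEED = 1  # assumption: any non-zero burned supply counts as "seeded"

def run(state, tx):
    """Apply one queued transaction (a tuple of steps) atomically; None = revert."""
    state = {m: dict(s) for m, s in state.items()}
    for kind, market, value in tx:
        if kind == "create_market":
            if market in state:
                return None
            state[market] = {"supply": 0, "cf": 0.0}
        elif market not in state:
            return None  # acting on an unlisted market reverts
        elif kind == "seed_and_burn":
            state[market]["supply"] += value
        elif kind == "set_collateral_factor":
            state[market]["cf"] = value
        else:
            raise ValueError(f"unknown step {kind!r}")
    return state

def unsafe_markets(state):
    """Markets usable as collateral while still unseeded."""
    return [m for m, s in state.items() if s["cf"] > 0 and s["supply"] < MIN_SEED]

def find_unsafe_orderings(queue):
    """Return each execution prefix that first reaches an unsafe state."""
    findings = []
    def explore(state, remaining, path):
        for i in sorted(remaining):
            nxt = run(state, queue[i])
            if nxt is None:
                continue  # this transaction cannot execute yet
            if unsafe_markets(nxt):
                findings.append(path + [i])
                continue
            explore(nxt, remaining - {i}, path + [i])
    explore({}, frozenset(range(len(queue))), [])
    return findings

# Constructed listing proposal; market name and the 0.35 factor are sample values.
CREATE = ("create_market", "soVELO", None)
SEED = ("seed_and_burn", "soVELO", 100)
SET_CF = ("set_collateral_factor", "soVELO", 0.35)
INDEPENDENT = [(CREATE,), (SEED,), (SET_CF,)]   # three separately executable txs
ATOMIC = [(CREATE, SEED, SET_CF)]               # one all-or-nothing batch

if __name__ == "__main__":
    print("independent queue:", find_unsafe_orderings(INDEPENDENT))
    print("atomic batch:     ", find_unsafe_orderings(ATOMIC))
```

The independent queue is flagged because the collateral-factor transaction can run directly after market creation, skipping the seed step; the atomic batch has no such ordering.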
Sonne Finance is working to recover the stolen funds, considering a bug bounty for their return. Usually, a 10% reward would be given to an exploiter for discovering a security flaw. They said:
“We are ready to give bounty to exploiter as well as not to commit pursuing the issue further, in case of returning the funds.”
However, it seems unlikely the hacker will comply. According to blockchain investigator PeckShield, the exploiter has already moved $7.8 million to a new wallet address.
#PeckShieldAlert @SonneFinance exploiter-labeled address has transferred $7.8M worth of cryptos, including 100 $WBTC & 556.1 $ETH, to a new address 0x6277…4c07 #Optimism pic.twitter.com/g4oiP5akr4
— PeckShieldAlert (@PeckShieldAlert) May 15, 2024
The exploiter then swapped 59 WBTC for roughly 1,185 Ether and 183,000 Dai. The move suggests an intent to launder the stolen funds through a privacy protocol like Tornado Cash.
Tornado Cash in Crypto Crime
Tornado Cash is an open-source cryptocurrency tumbler, also known as a “crypto mixer.” This tool obscures the path of crypto transactions, making it extremely difficult to determine the original source of the funds.
Although created as a privacy tool, hackers often use these mixing services to launder stolen funds via decentralized exchange platforms.
Crypto mixers have seen significant adoption in recent years. In October 2023, over $77 million in assets were processed through Tornado Cash contracts.
However, the majority of this adoption has been with illicit assets. Over the years, hackers have chosen crypto-mixing services over centralized exchanges because exchanges block addresses once they are identified.
Tornado Cash bypasses this, giving them a way to legitimize their source of funds by removing connections to a hacked wallet or illicit crypto activity.
Recently, United Nations sanctions monitors noted that North Korea was involved in laundering $147.5 million in stolen cryptocurrency using Tornado Cash.
Almost all the top multi-million dollar crypto hacks have utilized Tornado Cash to launder the proceeds, as per an Arkham Intelligence report.
This prompted the US Treasury to impose sanctions on Tornado Cash in August 2022. As a result, its founders were charged with money laundering and sanctions violations a year later.
While opinions within the crypto community vary regarding the adoption of privacy tools, there is a consensus against the persecution of developers solely for creating an application.
Although crypto-related frauds and scams are on the decline, it is important that users are educated on how to protect themselves from crypto crime.