Sonne Finance, a decentralized lending protocol, experienced a severe exploit on Wednesday morning in Asia, resulting in approximately $20 million in losses.
The attack is ongoing and much bigger: an additional $17 million has been stolen, and the total value loss is more than $20 million. @SonneFinance please take immediate action. https://t.co/k39W09J8Bd
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) May 14, 2024
The attack was first detected by Web3 security firm Cyvers on May 14 at around 10:30 pm UTC. Despite the prompt detection, the hacker managed to steal $20 million in Wrapped Ether (WETH), Velo (VELO), soVELO, and Wrapped USDC (USDC.e) before Sonne Finance became aware of the situation 25 minutes later.
Nature of the Exploit
The attack followed Sonne Finance's addition of token markets for Velodrome Finance's VELO, a change approved through a community proposal. The attacker took advantage of the two-day timelock window to execute four transactions, including the ones that created the markets and set their collateral factors.
The attacker then donated large amounts of tokens to the newly created markets in order to manipulate the exchange rate between the two tokens. This manipulation tricked the platform into believing it held more collateral than was actually available.
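To make the mechanism above concrete, here is a toy model of Compound-style lending-market accounting, added to this article and not taken from Sonne's contracts (that Sonne's markets follow this share/exchange-rate design is an assumption). It shows why a donation into a near-empty market distorts the exchange rate far more than the same donation into a seeded one, alongside a hypothetical governance guard and a monitoring check a defender could apply.

```python
# Toy model of Compound-style market accounting (constructed numbers, not
# Sonne's contract code; that Sonne's markets follow this design is an
# assumption). Shows why a donation into a near-empty market distorts the
# exchange rate, plus a governance guard and a monitoring check.
from dataclasses import dataclass
SCALE = 10**18           # fixed-point scale for the exchange rate
MIN_SEED_SUPPLY = 10**5  # hypothetical minimum supply before collateral use

@dataclass
class Market:
    cash: int = 0          # underlying held by the market contract
    total_supply: int = 0  # receipt shares outstanding

    def exchange_rate(self) -> int:
        # rate = cash / totalSupply (borrows and reserves omitted here),
        # scaled by SCALE; an empty market starts at 1 underlying per share.
        if self.total_supply == 0:
            return SCALE
        return self.cash * SCALE // self.total_supply

    def mint(self, amount: int) -> int:
        # Deposit underlying and receive shares at the current rate.
        shares = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += shares
        return shares

    def donate(self, amount: int) -> None:
        # A plain token transfer to the contract: cash rises but no shares are
        # minted, so every existing share is now worth more underlying.
        self.cash += amount

def can_enable_collateral(m: Market) -> bool:
    # Governance guard: only set a collateral factor once enough real supply
    # exists that moving the rate requires capital proportional to it.
    return m.total_supply >= MIN_SEED_SUPPLY

def rate_jump_suspicious(before: int, after: int, max_bps: int = 1_000) -> bool:
    # Monitoring check: flag a rate move larger than max_bps basis points.
    return abs(after - before) * 10_000 > before * max_bps

def compare(donation: int) -> tuple[int, int]:
    # Same donation into a 1-unit and a seeded market; whole underlying/share.
    thin, seeded = Market(), Market()
    thin.mint(1)
    seeded.mint(MIN_SEED_SUPPLY)
    thin.donate(donation)
    seeded.donate(donation)
    return thin.exchange_rate() // SCALE, seeded.exchange_rate() // SCALE
```

With a donation of one million units, `compare` returns a rate of 1,000,001 underlying per share for the thin market against 11 for the seeded one, which is the asymmetry that makes freshly listed, unseeded markets dangerous to enable as collateral.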
Blockchain data reveals that the attacker managed to transfer millions of VELO, ether, and USDC following the manipulation. They later converted these assets into $8 million in bitcoin and ether, transferring the funds to a new wallet address in the early hours of the European trading session.
The hacker swapped 59 WBTC for approximately 1,185 ether and 183,000 DAI, a pattern suggesting an intent to route the funds through a privacy protocol such as Tornado Cash to obscure their trail. The move reflects the deliberate steps the attacker took to frustrate tracing of the stolen assets.
The hack had a significant impact on the market, causing the price of SONNE to plummet by 60% to 2.8 cents, its lowest level in over a year. This decline cut the market cap to $2.2 million, even after the developers managed to stop $6.5 million from being siphoned off once they became aware of the attack.
Markets Paused and Partnership with Cyvers
In response to the breach, Sonne Finance paused all markets on the Optimism network and announced the move on X (formerly Twitter). This quick action aimed to prevent further losses. Sonne Finance then partnered with Cyvers to investigate the incident.
All markets on Optimism have been paused.
Markets on Base are safe.
We'll provide more information with time.
— Sonne Finance (@SonneFinance) May 15, 2024
Sonne Finance is currently exploring all options to retrieve the stolen funds. One approach under consideration is negotiating a bug bounty with the hacker. In such scenarios, the hacker might return most of the stolen funds and keep roughly 10% as a reward for identifying a security flaw.
The team has indicated that, while they cannot recover the stolen funds immediately, the investigation into the hacker’s identity is ongoing.
This is not the first time Sonne Finance has faced security challenges. In February 2023, the protocol lost $1.55 million in TrueFi tokens in an exploit. Such recurring incidents highlight the persistent vulnerabilities within DeFi protocols and the need for continuous improvement in security practices.