The decentralized lending protocol Sonne Finance has fallen victim to an exploit, resulting in damages amounting to approximately $20 million.
Post-mortem on the exploit of Sonne Finance markets on Optimismhttps://t.co/gBXDsl8ucA
— Sonne Finance (@SonneFinance) May 15, 2024
According to the statement, the perpetrator employed a “known donation attack” on forks of Compound v2, one of which is Sonne Finance.
Following the breach, the protocol’s team suspended its operations on the L2 solution Optimism. Activities on Base continue as usual.
In 2023, Compound experts described a vulnerability that allows attacks on markets with low supply and a non-zero collateral factor (CF) on the platform’s second version.
Experts noted that to extract nearly every asset from the protocol, a hacker needs to sequentially repeat several steps in all cases:
- create and fund a new contract;
- issue collateral tokens on an empty market and purchase most of them;
- donate these coins to raise the exchange rate;
- use this overvalued collateral to borrow another asset;
- return the donations by buying back the collateral;
- liquidate the borrower’s contract using the borrowed funds and buy back the collateral tokens.
The simplest solution for existing projects based on Compound v2, experts suggested, is to set a zero CF for new markets.
The Sonne Finance team assured that they followed this recommendation. However, when adding support for the VELO token, they planned to implement lending conditions (c-factors) two days later.
Developers stated that the perpetrator waited for the unlock and executed four transactions to create markets and another to add c-factors.
Sonne Finance confirmed they learned of the attack from community member alerts.
Hi @SonneFinance: Please double check your timelock contract and the loss is now more than $20m.
— PeckShield Inc. (@peckshield) May 15, 2024
Thanks to immediate action, the theft of assets worth an additional $6.5 million was prevented, the team stated.
Developers added that they continue to “investigate the hacker’s identity” but are willing to offer a reward for the return of the stolen funds.
In April, cryptocurrency projects lost a record low of approximately $27.5 million due to cybercrime, with exploits accounting for around $21 million, according to CertiK.