Sonne Finance Vulnerability Exposed in $20 Million Crypto Heist

Staggeringly, a crypto attacker succeeded in the hack on Sonne Finance to conduct a heist using a very complex exploit that drained the company’s assets, bringing in about $20 million to the attacker. The attack played out for a few days, spotting carefully the backdoor of Sonne Finance’s VELO integration with the Optimism network.

Here are details of the attack.

How It All Unfolded

The exploit transaction of two days duration started from the date of the attack according to the detailed analysis released by CertiK. A few days before, Sonne Finance had carried out a unanimous vote to make VELO transactions possible on the Optimism blockchain and finished all the relevant transactions through the multi-sig wallet. 

This wallet included a two-day time lock which was designed to provide an added layer of security by causing transactions to be delayed for two days.

With the completion of the two-day counting period, the attacker implemented a “c-factor” to the markets by afternoon. At this crucial step, the Vulnerable attacker transmitted 400,000,001wei VELO (a minuscule part of the VELO token) in order to mint only 2 wei.

Exploiting the System

The one to get the loan was the newly issued soVELO which borrowed 35,469,150 VELO from the AMM liquidity pool immediately after the overcollateralized VELO was moved to the soVELO contract. 

However, this transfer didn’t mint additional soVELO tokens, leading to an imbalance. The total cash money in the system continued to grow while the total quantity soVELO remained at 2 wei.

That is why the attacker successfully borrowed 265 wei of Wrapped Ethereum, with just the collateral as two wei soVeLO. Due to rounding errors in the division calculations, the adversary was able to become the owner of 35,471,603 VELO. He redeemed the number of tokens for only 1 wei of soVELO instead of the 1 VELO that was suggested.  

The Drainage Operation

The attacker had not stopped sufficiently by then. The second period, they had used 100 wei of VELO at the same time at soVELO, so that generated another wei of soVELO as a total supply of 2 wei. This way they kept running the system and got assets drained from several sources. 

The assets stolen included: 2,352. 96 VELO, 795. 38 WETH, 768,933. 76 USDC. With the emergence of e ish (a USDC coin on top of Ethereum), 162,92 WBTC (Wrapped Bitcoin),  1667. 45 wstETH (wrapped staked ETH),  777k. 566 USD (Tether) and 1,264,790. 21 USDC.

Lessons to Learn

This audacious exploit serves as a stark reminder of the importance of conducting thorough code audits and implementing robust security measures to safeguard digital assets within decentralized environments.

Even the slightest oversight can pave the way for catastrophic breaches, emphasizing the critical need for vigilance in cryptocurrency security.

Also Check Out : Crypto Hack Report Q1 2024: Trends, Losses, and Recovery Efforts

Could this happen again? Yes. It’s important to keep your investments safe. Read this guide now: A Comprehensive Guide to Keeping Your Crypto Safe