DeFi Project Sonne Finance Shuts Down Markets After $20M Hack

Yet again, the DeFi world has been hit with a string of horrifying hacks.

The latest target? Sonne Finance, a decentralized lending protocol operating on Optimism and Base, has fallen victim to a daring hacker, making off with a staggering $20 million. This exploit, reminiscent of vulnerabilities seen in Compound Finance forks, has sent shockwaves through the DeFi community.

Here’s what went down.

Understanding the Heist

Sonne Finance wasted no time in response to the breach, swiftly shutting down all markets on the Optimism platform to contain the damage. Yet, they ensured that funds on Base remained secure against the assault.

According to PeckShield, a blockchain security firm, the attacker targeted Sonne Finance by exploiting a well-known vulnerability found in Compound Finance forks. This flaw allowed the hacker to siphon approximately $20 million from Sonne Finance’s smart contracts within the Optimism network.

Exploiting Weaknesses

Sonne Finance, the derivative of Compound V2, was linked to certain weaknesses which were inherited from its codebase. Hundred Finance and Midas Capital were the victims of DeFi hacks last year and the same vulnerabilities have been used in the previous DeFi hacks. 

In these attacks, the malicious actors manipulate the exchange rates to increase the collateral values artificially so that they drain the pools of lending with few tokens.

The exploit that befell Sonne Finance was rooted in the implementation of a new market contract for VELO, coupled with a subsequent governance proposal to activate it. Seizing the opportune moment, the attacker executed the contract right on the heels of the completion of a 24-hour timelock, positioning themselves as the first to reap the spoils of the exploit.

Rising from the Ashes: Recovery Efforts Now in Place!

Post-exploit, Sonne Finance swiftly took decisive action, halting all Optimism markets to staunch the bleeding. Yet amidst the chaos, the Base market stood firm and resolute, untouched by the storm.

In their post-mortem of the incident, Sonne Finance put out a list of wallet addresses that belonged to the manipulator in an attempt to find the culprit. The team stressed their continuous efforts to retrieve the stolen funds, including offering a bug bounty, tapping into the support of the whole crypto community, and engaging with the relevant stakeholders.

There are many versions of Compound V2 already in circulation; hence, security protocols should be the priority, which includes regular audits and timely vulnerability patches.

We’ve got you. Here’s a look at DeFi security best practices: Learn DeFi and Take Control of Your Finances