Sonne Finance, a decentralized non-custodial lending protocol on Optimism and Base, appears to have been exploited for at least $20 million, according to blockchain security firm PeckShield’s estimates.
Hi @SonneFinance: Please double check your timelock contract and the loss is now more than $20m.
— PeckShield Inc. (@peckshield) May 15, 2024
In an update on X, the Sonne Finance team said it had paused all markets on Optimism, noting that markets on Base remained safe.
Sonne Finance is a fork of Compound V2, whose original codebase has certain documented vulnerabilities that protocols copying the code must take care to patch. The same bug was exploited last year against Hundred Finance and Midas Capital: the attacker manipulates the exchange rate of a market to inflate the value of collateral, using only a small amount of tokens to drain lending pools.
In the case of Sonne Finance’s exploit, the team deployed a new market contract for VELO and a governance proposal to activate it. After the proposal was passed four days later, the attacker made sure they were the first to execute the contract after the 24-hour timelock on the contract had expired.
It is a tragedy that after many such cases of this exchange rate vulnerability being exploited, protocols continue to learn the hard way that you should not fork code that you don't understand. It is easy to fork open source code, but it is quite challenging to do so safely.
— LukeYoungblood.eth 🛡️ (@LukeYoungblood) May 15, 2024
According to data from DeFiLlama, Compound V2 has 128 forks, but that doesn’t necessarily put all of them at risk of the same type of exploit, as long as these protocols activate new markets without enabling collateral and ensure there are never zero suppliers in a market.
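To make the two conditions above concrete, here is an added, simplified model of a Compound V2 style cToken market. It is illustrative code written for this article, not Sonne Finance's or Compound's own code; it assumes an initial exchange rate of 0.02 underlying per cToken, ignores interest accrual and redeem rounding, and uses a 100-token seed threshold that is an assumption rather than a protocol parameter. It shows how sensitive the exchange rate of a nearly empty market is to underlying sent straight to the contract, how little a seeded market moves, and a pre-activation check a deployer could run before enabling collateral.

```python
"""Added example (not Sonne Finance's or Compound's code): a simplified model of a
Compound V2 style cToken market, showing why activating an empty market with
collateral enabled is dangerous and why seeding it with real supply helps."""

from dataclasses import dataclass

MANTISSA = 10**18  # Compound scales exchange rates by 1e18


@dataclass
class Market:
    cash: int = 0            # underlying tokens held by the cToken contract
    borrows: int = 0         # outstanding borrows of the underlying
    reserves: int = 0        # protocol reserves of the underlying
    total_supply: int = 0    # cTokens in circulation
    collateral_enabled: bool = False
    # Assumption: initial exchange rate of 0.02 underlying per cToken (scaled by 1e18)
    initial_exchange_rate: int = 2 * 10**16

    def exchange_rate(self) -> int:
        """Compound V2 semantics: the stored initial rate while no cTokens exist,
        otherwise (cash + borrows - reserves) / totalSupply."""
        if self.total_supply == 0:
            return self.initial_exchange_rate
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, underlying: int) -> int:
        """Supply `underlying` and receive cTokens at the current rate."""
        minted = underlying * MANTISSA // self.exchange_rate()
        self.cash += underlying
        self.total_supply += minted
        return minted

    def donate(self, underlying: int) -> None:
        """Underlying transferred straight to the contract: cash rises but no
        cTokens are minted, so the rate for existing holders jumps."""
        self.cash += underlying

    def supplied_underlying(self) -> int:
        """Underlying value of all outstanding cTokens."""
        return self.total_supply * self.exchange_rate() // MANTISSA


def inflation_factor(seed_underlying: int, donation: int) -> float:
    """How much a direct transfer of `donation` moves the exchange rate of a
    market whose only supply is `seed_underlying`. A near-empty market is
    extremely sensitive; a properly seeded one barely moves."""
    m = Market()
    m.mint(seed_underlying)
    before = m.exchange_rate()
    m.donate(donation)
    return m.exchange_rate() / before


def activation_findings(market: Market, min_seed_underlying: int = 100 * 10**18) -> list:
    """Defender-side pre-activation checks matching the two conditions named in
    the article: never zero suppliers, and no collateral on an unseeded market.
    The 100-token threshold is an assumption, not a protocol parameter."""
    findings = []
    if market.total_supply == 0:
        findings.append("no suppliers: exchange rate is trivially manipulable")
    elif market.supplied_underlying() < min_seed_underlying:
        findings.append("supply below seed threshold: rate still cheap to move")
    if market.collateral_enabled and market.supplied_underlying() < min_seed_underlying:
        findings.append("collateral enabled before the market was seeded")
    return findings


if __name__ == "__main__":
    one_token = 10**18
    # 1 wei of seed supply vs 100 tokens of seed supply, each followed by a 1-token donation
    print("near-empty market: rate x", inflation_factor(1, one_token))
    print("100-token seeded market: rate x", inflation_factor(100 * one_token, one_token))
    risky = Market(collateral_enabled=True)
    print("empty market with collateral:", activation_findings(risky))
    seeded = Market(collateral_enabled=True)
    seeded.mint(100 * one_token)
    print("seeded market with collateral:", activation_findings(seeded))
```

The near-empty case moves the rate by a factor on the order of 1e18 for a single donated token, while the seeded case moves it by about 1%. That asymmetry is the whole reason Fuzzland's $100 of supply was enough to take the remaining pools out of reach, and why a deployment checklist should refuse to enable collateral on a market with no real supply.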
Meanwhile, an MEV researcher who goes by the X handle “@tonyke_bot”, from blockchain security startup Fuzzland, said the team managed to save $6.5 million from the attacker by adding $100 in collateral to the soVELO pool.
We swapped $100 for a few $VELO and added to the soVELO pool and the vulnerability becomes no longer exploitable, preventing remaining pools holding 6.5M to be rekt. [5/6] pic.twitter.com/jcOpeXEfSa
— Tony KΞ (@tonykebot) May 15, 2024
In a post-mortem report, the Sonne Finance team published a list of wallet addresses tied to the exploiter. They noted that multisig execution was not permissionless on Base, but was permissionless on Optimism, which is what enabled the exploiter to carry out the attack.
“We are sincerely sorry about the situation, and we are doing everything in our power and we are in contact with anyone that can help with recovering the funds,” said the team.