
Sonne Finance suffers $20 million exploit and hackers flee

Last Updated: May 15, 2024 7:30am EDT | 3 minute read

Lending protocol Sonne Finance has halted operations after a hack wiped out $20 million in cryptocurrencies, including WETH and USDC.

On May 14, around 10:30 PM UTC, Web3 security firm Cyvers detected an ongoing attack on Sonne Finance’s USD and Wrapped Ether (WETH) contracts; only $3 in cryptocurrency had been stolen at the time.

However, Sonne Finance only became aware of the problem 25 minutes later. By then, $20 million worth of WETH, Velo (VELO), soVELO, and Wrapped USDC (USDC.e) had already been drained.

On May 15 at 00:11 UTC, Sonne Finance made a vague announcement on X. They said: “All markets on optimism have been paused” and that “Markets on basis are safe.” They also told users that more information would be provided “over time.”

Immediately after, the protocol collaborated with Cyvers to investigate the situation further.

How Sonne Finance was exploited

Three hours after the initial announcement, Sonne further explained the situation in a press release.

Sonne Finance’s Optimism chain was exploited through a well-known donation attack on Compound v2 forks.

Previously, Sonne mitigated the problem by listing new markets with 0% collateral factors, adding collateral and burning it, and only then gradually increasing collateral factors based on the proposals.

However, a proposal to integrate the VELO markets in Sonne was recently approved. The transactions were scheduled on a multisig wallet with a 2-day timelock.

The exploit occurred when the timelock expired, allowing the hacker to execute the scheduled transactions that created the markets and added their collateral factors.

After running the markets undetected, the attacker managed to exploit the protocol for $20 million. However, the remaining $6.5 million was saved by adding $100 worth of VELO to the markets.
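The mitigation described above (list at a 0% collateral factor, add collateral and burn it, then raise the factor) can be illustrated with the Compound v2 exchange-rate formula. This is an added example, not Sonne's or Compound's code; the market names, sample balances, the `burned_shares` field and the `min_burned_shares` threshold are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace

MANTISSA = 10**18  # Compound v2 fixed-point scale

@dataclass(frozen=True)
class Market:
    name: str
    cash: int               # underlying held by the cToken contract
    borrows: int
    reserves: int
    total_supply: int       # cToken share units outstanding
    burned_shares: int      # share units sent to a dead address at listing
    collateral_factor: int  # mantissa; 0 means the market cannot back loans

def exchange_rate(m: Market) -> int:
    """Compound v2 formula: (cash + borrows - reserves) * 1e18 / totalSupply."""
    if m.total_supply == 0:
        raise ValueError("empty market: rate is the configured initial rate")
    return (m.cash + m.borrows - m.reserves) * MANTISSA // m.total_supply

def rate_multiplier_after_donation(m: Market, donation: int) -> int:
    """How many times the rate grows if `donation` is sent straight to the contract."""
    return exchange_rate(replace(m, cash=m.cash + donation)) // exchange_rate(m)

def donation_absorbed_bps(m: Market) -> int:
    """Share of any donation (basis points) locked forever behind burned shares."""
    return m.burned_shares * 10_000 // m.total_supply

def listing_violations(markets, min_burned_shares: int) -> list[str]:
    """Markets whose collateral factor is live without the burned seed deposit."""
    return [m.name for m in markets
            if m.collateral_factor > 0 and m.burned_shares < min_burned_shares]

# Constructed sample state (hypothetical markets, not on-chain data).
DONATION = 10**21
UNSEEDED = Market("soNEW-unseeded", cash=2, borrows=0, reserves=0,
                  total_supply=2, burned_shares=0, collateral_factor=35 * 10**16)
SEEDED = Market("soNEW-seeded", cash=10**21, borrows=0, reserves=0,
                total_supply=10**21, burned_shares=10**21,
                collateral_factor=35 * 10**16)

if __name__ == "__main__":
    for m in (UNSEEDED, SEEDED):
        print(m.name, rate_multiplier_after_donation(m, DONATION),
              donation_absorbed_bps(m))
    print("blocked:", listing_violations([UNSEEDED, SEEDED], 10**18))
```

A check like `listing_violations` belongs in whatever reviews queued timelock transactions before they become executable, so a collateral-factor change cannot go live on a market that has not been seeded.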

Sonne Finance is working to recover the stolen funds, evaluating a bug bounty for their return. Typically, the exploiter is given a 10% reward for discovering a security flaw. They said:

“We are ready to give a reward to the exploiter and not to engage further in pursuing the matter, in case of return of the funds.”

However, it seems unlikely that the hacker will comply. According to blockchain investigator PeckShield, the exploiter has already moved $7.8 million to a new wallet address.

The exploiter then exchanged 59 WBTC for approximately 1,185 Ether and 183,000 Dai. The move suggests an intent to launder the stolen funds through a privacy protocol like Tornado Cash.

Tornado Cash in Crypto Crime

Tornado Cash is an open source cryptocurrency tumbler, also known as a “cryptocurrency mixer”. This tool obscures the path of crypto transactions, making it extremely difficult to determine the original source of funds.

Although mixers were created as privacy tools, hackers often use these mixing services to launder stolen funds via decentralized exchanges.

Crypto mixers have seen significant adoption in recent years. In October 2023, as much as $77 million in assets was processed through Tornado Cash contracts.

However, most of this adoption occurred with ill-gotten goods. Over the years, hackers have chosen crypto mixing services over centralized exchanges because once identified, addresses are blocked by the exchanges.

Tornado Cash gets around this issue: it serves as a way to legitimize the source of funds by removing connections to a compromised wallet or illicit crypto activity.

Recently, UN sanctions monitors noted that North Korea was involved in laundering $147.5 million in stolen cryptocurrencies using Tornado Cash.

Nearly every major multimillion-dollar cryptocurrency hacker used Tornado Cash to launder proceeds, according to an investigation by Arkham Intelligence.

This pushed the US Treasury to impose sanctions on Tornado Cash in August 2022. Accordingly, its founders were accused of money laundering and violation of sanctions a year later.

While opinions within the crypto community vary regarding the adoption of privacy tools, there is a consensus against the persecution of developers solely for creating an application.

Although cryptocurrency-related frauds and scams are decreasing, it is important that users are informed about how to protect themselves from crypto crime.


