Taking a Closer Look at Sonne Finance Exploit

5 min read

Learn how Sonne Finance Token was exploited, resulting in a loss of assets worth $20 million.

TL;DR#

On May 14, 2024, Sonne Finance was exploited on the Optimism Mainnet due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $20 million.

Introduction to Sonne Finance#

Sonne Finance is a decentralized, non-custodial liquidity market protocol on Optimism Mainnet and Base. 

Vulnerability Assessment#

The root cause of the exploit is a precision loss vulnerability. The attack vector is a well-known issue on all of the CompoundV2 forks.

Steps#

Step 1:

We attempt to analyse the attack transaction executed by the exploiter.

Step 2:

On May 4, 2024, the team initiated Sonne Improvement Proposal 15 to add VELO, the native token of Velodrome Finance, to their market.

Step 3:

The snapshot vote saw 2.3 million SONNE tokens in favor of the proposal; therefore, they scheduled the transactions on the multisignature wallet, which had to pass through a 2-day scheduled timelock, and an addition of scheduled c-factors to be executed in 2 days.

Step 4:

The Timelock contract of the protocol had an issue with respect to how it was set up. In this case, anyone was able to execute the transaction to change the collateral factor and mint some SONNE tokens on the new market.

To prevent the known attack vector, Sonne had put some measures in place, which included setting up a timelock to add the market, users' adding their share of funds, and another time lock to open the market for use. This measure would have perfectly countered this exploit; however, instead of chaining them sequentially, Sonne planned each action item as a separate transaction.

Step 5:

Thus, as soon as the timelock on the proposed time for the creation of a new market ended, the attacker executed four different transactions and then further executed the transaction for adding the c-factor to the markets.

Step 6:

After the execution of this transaction, the Velo market was set up with no funds. As the market was empty, the attacker was able to exploit the known rounding error of the Compound V2 forks through a donation-based attack by utilizing flash loans.

Step 7:

The attacker borrowed VELO tokens through a flash loan, sent them to the target soVELO contracts, and then created multiple new contracts to drain funds worth approximately $20 million. The remaining $6.5 million was saved by adding roughly $100 worth of VELO tokens to the markets. Notably, the attack was also extended to Sonne USDC (soUSDC) and Sonne Wrapped Ether (soWETH) markets.

Step 8:

At the time of this writing, these are the addresses of the exploiter and the funds held by them.

0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb: $10,670,257
0x6277ab36a67cfb5535b02ee95c835a5eec554c07: $7,787,709
0xae4a7cde7c99fb98b0d5fa414aa40f0300531f43: $293,349
0x9f09ec563222fe52712dc413d0b7b66cb5c7c795: $95,919

Aftermath#

The team acknowledged the occurrence of the exploit and stated that they have paused all markets on the Optimism chain. The markets on the Base network were reportedly safe. They have also published a detailed post-mortem report regarding the incident.

Solution#

To comprehensively address the vulnerabilities in Sonne Finance, both the precision loss issue inherent in Compound V2 forks and the specific issues related to the Timelock contract and governance setup must be tackled.

First, to mitigate the precision loss issue, all new markets should be initialized with a minimal but sufficient amount of assets. This step neutralizes the precision loss vulnerability by preventing markets from starting empty, thus avoiding exploitable rounding errors. Ensuring initial market funding is a fundamental measure that can effectively counter the precision loss issue across all Compound V2 forks.

In addition to addressing the precision loss issue, enhancing the security of the Timelock contract is crucial. The Timelock contract should be configured to allow only specific, authorized addresses—preferably multisignature wallets—to execute timelock transactions. This restriction helps prevent the unauthorized execution of critical functions. Regular and rigorous audits of the Timelock contract are essential to identify and address potential security flaws. Audits should be performed by both internal security teams and third-party security experts to ensure comprehensive coverage.

Strengthening governance procedures is also vital. Implementing a sequential execution plan for governance actions can ensure that each action item is contingent on the successful completion of the previous step. This approach guarantees that all security measures are in place before critical functions are executed. Instead of planning each action item as a separate transaction, actions should be chained sequentially into a single transaction where possible. This chaining prevents gaps in security that could be exploited. Additionally, introducing a more robust proposal voting and execution process, which includes additional verification steps and extended review periods, can ensure that proposals are thoroughly vetted before implementation.

Despite rigorous security protocols, completely eliminating vulnerability exploitation is unattainable. In these scenarios, partnering with Neptune Mutual becomes essential. Had the Sonne Finance team set up a dedicated cover pool with us before the incident, the negative impact of this exploit could have been significantly lessened. Neptune Mutual excels at providing coverage for losses due to smart contract vulnerabilities, employing parametric policies designed specifically for these distinct risks.

Working with Neptune Mutual streamlines the compensation process for users by minimizing the need for extensive proof of loss documentation. Following the confirmation and definitive resolution of an incident through our comprehensive incident resolution protocol, we swiftly focus on quickly providing financial relief to those affected. This method ensures that users impacted by such security breaches receive prompt assistance.

Our marketplace is available across several major blockchain networks, including EthereumArbitrum, and the BNB chain, providing widespread support to a diverse range of DeFi users. This extensive coverage strengthens our ability to safeguard against various vulnerabilities, thus improving the overall security of our extensive client base.

Reference Source PeckShield

By

Tags