

DeFi platform Sonne Finance loses $20 million in crypto exploit



DeFi platform Sonne Finance, a decentralized, non-custodial liquidity market protocol on Optimism Mainnet and Base, has suffered a major setback after a hacker stole roughly $20 million worth of cryptocurrency. 

In a post-mortem published on Medium by the multi-chain protocol, Sonne Finance noted that the attack targeted a vulnerability in Sonne’s deployment on the Optimism network, a blockchain platform designed for faster and cheaper transactions.

Sonne Finance recently added a new digital asset called VELO to its platform. Unfortunately, this addition introduced a security flaw despite the platform’s previous efforts to prevent such attacks. The vulnerability allowed the attacker to exploit a planned transaction initiated by Sonne Finance through a special multi-signature wallet.

As you might know, we recently passed a proposal to add VELO markets to Sonne. We scheduled the transactions on the multisig wallet, and because there is a 2-day timelock, we also scheduled c-factors to be executed in 2 days.

Our multisig execution is not permissionless on Base, but permissionless on Optimism. The exploiter executed 4 of the transactions when the 2-day timelock ended for the creation of markets, and after that, executed the transaction for adding c-factor to the markets.

A multi-signature wallet requires multiple approvals before transactions can be processed. Sonne’s multisig execution on Optimism is permissionless, meaning anyone can execute transactions once the required approvals are met.

In other news, a report by Chainalysis sheds light on the analysis of stolen funds, showing that on-chain vulnerabilities were prevalent in the early part of the year. But there is more.

The attacker used the planned transaction as a springboard, executing four additional transactions after the time lock expired on the multi-signature wallet. This manipulation allowed them to siphon off an estimated $20 million. 

After the execution of the markets without us noticing, the attacker was able to exploit the protocol for ~$20M with the known donation attack.

Sonne Finance did salvage a small portion, around $6.5 million, by taking quick action. It became aware of the issue 25 minutes after the exploit and has paused the market to mitigate further damage.

Thanks to Seal contributors noticing the issue fast, the remaining ~$6.5M is saved through adding ~$100 worth of VELO to the markets. Sonne team became aware of the issue 25 minutes after the exploit.

The platform has acknowledged the incident and stated it is actively working to recover the stolen funds and minimize the impact on its users. As part of the strategy to recover the funds, Sonne Finance has a bounty on the hacker, hoping to incentivize the return of the stolen cryptocurrency. 
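The failure mode described above, as an added example that is not taken from Sonne's post-mortem or code base: a small Python model of a timelock queue showing that the delay alone does not stop an outside caller from executing a ready operation when execution is permissionless, and two controls that close the gap (an executor allow-list, or a guard that rejects a non-zero collateral factor on an empty market). All class and function names and the 0.35 factor are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DELAY = 2 * 24 * 3600  # the 2-day timelock from the post-mortem, in seconds

class Revert(Exception):
    """Stands in for an on-chain revert."""

@dataclass
class Market:
    total_supply: int = 0            # 0 = market is still empty
    collateral_factor: float = 0.0   # 0 = cannot be borrowed against

@dataclass
class Timelock:
    executors: Optional[set] = None  # None = permissionless execution
    ops: dict = field(default_factory=dict)  # op_id -> [ready_at, action, done]

    def schedule(self, op_id, action, now):
        self.ops[op_id] = [now + DELAY, action, False]

    def execute(self, op_id, caller, now):
        ready_at, action, done = self.ops[op_id]
        if self.executors is not None and caller not in self.executors:
            raise Revert("caller is not an executor")
        if done or now < ready_at:
            raise Revert("operation not ready")
        action()
        self.ops[op_id][2] = True

def set_cf_unguarded(m, cf):
    m.collateral_factor = cf

def set_cf_guarded(m, cf):
    # Invariant lives in the operation itself, not in operator discipline.
    if cf > 0 and m.total_supply == 0:
        raise Revert("empty market: seed it before enabling collateral")
    m.collateral_factor = cf

def run(set_cf, executors=None, seed=0, caller="outsider", now=DELAY):
    """Queue the c-factor change; `caller` tries to execute it at time `now`."""
    m, tl = Market(total_supply=seed), Timelock(executors)
    tl.schedule("cf", lambda: set_cf(m, 0.35), now=0)  # 0.35 is a constructed value
    try:
        tl.execute("cf", caller, now)
    except Revert as exc:
        return m, str(exc)
    return m, "ok"
```

Calling `run(set_cf_unguarded)` leaves an empty market with a live collateral factor, which is the state the post-mortem describes; the guarded variant and the allow-list variant both revert instead.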
