
Cyber Incident Victim: Sonne Finance

Date: May 2024

Location: United States of America

Summary

Sonne Finance experienced a $20 million exploit targeting its USD Coin and Wrapped Ether contracts due to a known donation attack vulnerability in its Compound v2 forks, which the attacker exploited by manipulating scheduled transactions after a timelock expired. The hacker drained funds including WETH, VELO, soVELO, and Wrapped USDC, transferring $7.8 million to a new wallet and converting portions to Ether and Dai, likely to obscure tracing. The protocol paused all markets to mitigate further losses, saving approximately $6.5 million through rapid intervention, and offered a bounty for fund recovery, though the exploiter showed no intent to negotiate. An investigation into the attacker’s identity and fund tracing is ongoing, with community criticism highlighting prior awareness of the underlying risks in the forked codebase.


Description

On May 14, 2024, at approximately 10:30 pm UTC, Web3 security firm Cyvers detected an ongoing attack against Sonne Finance’s lending protocol on the Optimism network, specifically targeting its USD Coin (USDC) and Wrapped Ether (WETH) contracts. The exploit involved a known donation attack vector affecting Sonne’s Compound v2 forks, which had a documented vulnerability. By the time Sonne Finance became aware of the breach 25 minutes later, the attacker had already drained approximately $20 million in cryptocurrencies, including WETH, Velo (VELO), soVELO, and Wrapped USDC (USDC.e).

The attack occurred during the execution of a pre-approved governance proposal to add VELO markets to the protocol. Sonne had scheduled the market creation and collateral factor (c-factor) adjustments via a multisig wallet with a two-day timelock, intending to mitigate risks by initially setting collateral factors to zero before gradual increases. However, the exploiter executed four transactions immediately after the timelock expired, activating the markets and manipulating c-factors before Sonne’s team could intervene.


Sonne Finance paused all Optimism markets at 12:11 am UTC on May 15 to prevent further losses and initiated a collaboration with Cyvers to investigate the breach. Blockchain investigator PeckShield reported the attacker moved $7.8 million of the stolen funds to a new wallet, converting 59 Wrapped Bitcoin (WBTC) into 1,185 Ether (ETH) and 183,000 Dai (DAI), likely to obscure tracing through privacy tools like Tornado Cash.

Seal contributors mitigated additional losses by depositing $100 worth of VELO into the markets, preserving approximately $6.5 million in remaining assets. Sonne’s internal post-mortem identified eight attacker-linked addresses and disclosed efforts to negotiate a bounty for fund recovery, though the exploiter showed no willingness to engage.

Concurrently, BlockTower Capital, a crypto institutional investment firm, faced an unrelated exploit partially draining its main hedge fund, though no connection to the Sonne incident was established.

Sonne emphasized transparency in its communications, sharing transaction hashes and attacker addresses publicly while continuing forensic investigations to trace the stolen assets. The protocol’s operations remained paused indefinitely as recovery efforts progressed without resolution.
