In May 2024, Sonne Finance suffered a hack in which the attacker was able to drain an estimated $20 million from the protocol’s lending pools. The attacker took advantage of a known issue with forks of Compound Finance v2.
Inside the Attack
Compound forks have a well-known issue when deploying new markets. This issue has been exploited multiple times in the past, including Hundred Finance and the Onyx Protocol. The Sonne Finance team was aware of the potential risks and used a multi-step process to manage the risk, including adding markets with no collateral, adding and burning collateral, and then, finally, increasing the c-factors associated with the markets.
However, when the Sonne Finance team set up the transactions for their new VELO markets, they did so in multiple transactions. Due to a timelock, the transaction to create the market and the one to modify the c-factors were scheduled for two days later. Additionally, the transactions were configured so that anyone could execute them once the timelock expired.
By breaking these operations into several permissionless transactions, the Sonne Finance team opened the door for an attacker to control when and how the transactions were executed. The attacker was able to create the market and exploit the known Compound donation vulnerability, draining about $20 million from the protocol. An additional $6.5 million was saved by a Seal contributor who added some VELO tokens to the market before the attacker could steal it.
The Sonne Finance team became aware of the attack about 25 minutes after it occurred. However, by that time, all they could do was pause their markets and offer a 10% bounty payment to the attacker if they elected to return the remainder of the stolen funds.
Lessons Learned from the Attack
The Sonne Finance attacker exploited a well-known donation vulnerability in Compound Finance forks. While Sonne Finance was aware of the vulnerability and implemented security controls to mitigate it, they were ineffective. Breaking the process of deploying a new market into multiple, permissionless transactions allowed the attacker to control the process and undermine its effectiveness. If the protocol used batching to incorporate everything into a single transaction or restricted the executor role, then the attack couldn’t have been performed.
When designing security protocols, it’s important to consider how they could be defeated, circumvented, or abused. For help in protecting your DeFi project against similar attacks, get in touch with Halborn.