Breaking News: Optimism first lending protocol suffers a $20 million exploitation
Sonne Finance, operating on the Optimism network, has publicly apologized for a security breach where an exploiter used a known donation attack to exploit Compound v2 forks, resulting in a loss of approximately $20 million.
The donation attack is a type of exploit where an attacker manipulates the exchange rate of assets within a protocol to borrow more assets than they should be able to. Here’s how the attack unfolded:
- An exploiter deployed a suspicious contract targeting the velo contract in the Sonne Finance protocol, a fork of Compound v2.
- The exploiter then created a new borrower contract, minted collateral tokens in an empty market, and redeemed most of these tokens.
- They donated the redeemed asset tokens back to the protocol, inflating the exchange rate.
- Using the manipulated exchange rate, they borrowed a different asset.
- The exploiter redeemed the collateral to recover their donation.
- Finally, they liquidated the borrower contract position with the borrowed funds and redeemed the collateral token to reset the market.
This attack has affected other Compound v2 forks as well. Although the exploited code is present in the current version of Compound v2, the specific conditions that allow for the exploit (low total supply and non-zero collateral factor) do not exist in Compound v2 at the moment and are not a vulnerability in v3.
To mitigate such attacks, monitoring is in place for supply, borrow, liquidity levels, exchange rates, and asset prices in v2 markets. Vulnerable markets can have their collateral factor set to zero, or cTokens can be burned to prevent exploitation. For new markets, it’s recommended to keep the collateral factor at zero until a sufficient number of cTokens are minted to avoid similar vulnerabilities. This process should be preserved in the order of setting the collateral factor to zero, listing the market, minting cTokens, and then setting the collateral factor to non-zero. These steps are crucial for launching new markets safely.
Previously, Sonne Finance had avoided such issues by setting collateral factors to 0% and only increasing them after adding and burning collateral as per proposals. Despite a recent proposal to add VELO markets and a two-day timelock on transactions, the exploiter executed transactions to create markets and then added collateral factors, which went unnoticed until the funds were taken.
The Sonne team became aware of the exploit 25 minutes after it occurred and quickly assembled a response team. Although they were unable to recover the stolen funds, they managed to save around $6.5 million thanks to quick action by Seal contributors who added about $100 worth of VELO to the markets.
The markets were paused to prevent further damage, and the team is offering a bounty to the exploiter for the return of the funds, indicating they will not pursue the issue further if the funds are returned. The investigation into the exploiter’s identity is ongoing, with several related addresses being identified. The Sonne team is actively working to mitigate the situation and prevent future incidents.