
Sonne Finance: Decrypting the $20 Million DeFi Breach

Analyzing the Vulnerabilities, Lessons Learned, and Implications for the Sonne Finance $20 Million DeFi Breach


The $20 million attack on Sonne Finance reveals DeFi's vulnerability. Exploiting Optimism, the attacker drained assets, echoing past exploits. Sonne's oversight highlights the need for robust security measures in DeFi. Urgent action is required to enhance security industry-wide. Will this prompt lasting changes in the DeFi space?


Sonne Finance has fallen victim to a $20 million flash loan attack, sending shockwaves through the cryptocurrency community and highlighting the inherent risks in decentralized finance (DeFi).

The breach was first detected late Tuesday when Nerv Alert identified an initial loss of $3 million. Sonne Finance responded with an announcement on Discord shortly after, but delayed notifying users on the social media platform X for several hours.

As the full extent of the damage became clear, losses were calculated to include $20 million worth of WETH, VELO, soVELO, and Wrapped USDC. The attack targeted Sonne Finance's deployment on the Optimism chain, exploiting a vulnerability linked to donation attacks on Compound v2 forks.

This incident mirrors a similar exploit on Hundred Finance, another Compound v2 fork, which occurred about a year ago. At that time, Hundred Finance issued warnings to other protocols using the same codebase.

Despite these prior alerts, Sonne Finance failed to implement measures that could have prevented this attack, raising questions about the security practices within DeFi protocols. The industry now faces renewed scrutiny as stakeholders wonder if these platforms will ever effectively address such vulnerabilities.


Rinse, repeat, rekt—another DeFi protocol has fallen victim to a well-known exploit, leaving Sonne Finance reeling. This fork of Compound V2, which held just over $60 million in total value locked (TVL) prior to the attack, has become the latest casualty in the decentralized finance space.

In a striking failure to learn from history, Sonne Finance joins the ranks of protocols like Hundred Finance, which suffered a similar exploit a year ago. Despite the clear warning from past incidents, Sonne Finance failed to implement protective measures.

Luke Youngblood provided an analysis of the attack, explaining that the Sonne Finance team had deployed a new market contract for $VELO. A governance proposal was created to activate this market, entailing a four-day governance period before it went live. This period proved sufficient for attackers to exploit the protocol, leading to significant losses and raising serious questions about the security practices within DeFi protocols.

Three days after the governance proposal succeeded and the 24-hour timelock expired, it became executable by anyone on the Optimism network. The attacker, likely using a bot to ensure they were first, seized this opportunity.

In a single transaction, the attacker executed the proposal along with their attack payload. The proposal set the collateral factor on the Sonne $VELO market to 35%, creating a vulnerability that allowed the attacker to drain the protocol of at least seven figures in funds. This swift and calculated move underscores the pressing need for more robust security measures in decentralized finance protocols.

The stolen funds are currently held in several addresses.

Daniel Von Fange explored the critical errors made by Sonne Finance and provided recommendations for protocols using multisig wallets alongside timelock governance.

The summary: if a sequence of actions must occur in a specific order for safety, the governance process should ensure atomic execution, preventing selective action execution.

Sonne Finance issued a post-mortem on the exploit roughly five hours after the attack. They explained that while they had previously avoided the Compound V2 donation attack by gradually increasing collateral factors, a recent proposal to add VELO markets opened an exploit window.

After Sonne had scheduled the VELO integration transactions through its Optimism multisig, whose execution was permissionless, the attacker executed the changes and exploited the vulnerability to drain $20 million. Sonne Finance is working to recover the stolen funds and is considering a bug bounty for their return.
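To make the two points above concrete (governance actions that must happen in a fixed order should execute atomically, and a market should not be given a collateral factor before it holds real supply), here is a toy Python model added for this write-up; it is not Sonne's or Compound's code, and the seed threshold and the initial exchange rate constant are assumptions.

```python
from dataclasses import dataclass

MANTISSA = 10**18
INITIAL_RATE = 2 * 10**26  # assumed: Compound v2 default for an 18-decimal underlying
MIN_SEED_SUPPLY = 10**8    # assumed threshold (constructed), in cToken units

@dataclass
class Market:
    cash: int = 0                # underlying held by the cToken contract
    total_supply: int = 0        # cTokens outstanding
    collateral_factor: int = 0   # mantissa; 35 * 10**16 == 35 %

    def exchange_rate(self) -> int:
        # Compound v2: fixed initial rate until the first mint, then cash/supply.
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * MANTISSA // self.total_supply

    def mint(self, amount: int) -> int:
        minted = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += minted
        return minted

class UnsafeProposal(Exception):
    pass

def set_collateral_factor(m: Market, cf: int) -> None:
    # Guard: with (near) zero cToken supply the exchange rate is whatever a donation
    # of underlying makes it, so refuse to enable collateral until the market is seeded.
    if cf > 0 and m.total_supply < MIN_SEED_SUPPLY:
        raise UnsafeProposal("market not seeded; collateral factor stays 0")
    m.collateral_factor = cf

def execute_atomically(m: Market, actions: list) -> bool:
    # All or nothing: a rejected action rolls the whole proposal back.
    snapshot = (m.cash, m.total_supply, m.collateral_factor)
    try:
        for act in actions:
            act(m)
        return True
    except UnsafeProposal:
        m.cash, m.total_supply, m.collateral_factor = snapshot
        return False

# Safe ordering in one execution: seed the market, then enable collateral.
SAFE = [lambda mk: mk.mint(10**18), lambda mk: set_collateral_factor(mk, 35 * 10**16)]
# Enabling collateral alone on an empty market is what atomicity must forbid.
UNSAFE = [lambda mk: set_collateral_factor(mk, 35 * 10**16)]
```

Running `execute_atomically(Market(), SAFE)` succeeds, while `execute_atomically(Market(), UNSAFE)` is rejected and leaves the market untouched.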

However, there was some positive news. MEV researcher Tony KΞ from fuzzland detailed how they prevented over $6.5 million from being hacked during the incident, using just $100. Additionally, a user pointed out that Mendi Finance's code is a friendly fork of Sonne Finance, raising concerns about potential exploitation.

Sonne was audited by Yearn Finance's yAudit, which had flagged the attack vector as a high-risk finding, noting “Unclear protection against Hundred Finance attack vector.”

This latest attack on a Compound V2 fork has sparked speculation that other forked protocols could be at risk.

The vulnerability is known and preventable, and this incident should serve as a wake-up call for other protocols to strengthen their defenses.

Will these protocols do their due diligence, or are more similar attacks on the horizon?


The $20 million attack on Sonne Finance highlights a significant breach stemming from a failure to address a well-known vulnerability adequately.

Despite clear warnings from past incidents, such as the Hundred Finance exploit, Sonne's team proceeded with integrating new markets without robust safeguards against the donation attack vector.

This oversight, combined with lax governance permissions, facilitated the attacker's ability to siphon millions effortlessly.

The fact that auditors had flagged this risk as high severity renders this incident particularly inexcusable and alarming.

As speculation mounts about other Compound V2 forks potentially facing similar exposure, this incident serves as a wake-up call.

Prioritizing rapid deployments over thorough security reviews is a risky trade-off, as Sonne has discovered firsthand.

For DeFi to mature, teams must move beyond blindly replicating code they don't fully grasp.

Stringent pre-launch audits, ongoing monitoring for attack vectors, and robust recovery mechanisms are imperative. Otherwise, the ecosystem will continue to cycle through costly lessons with each keystroke.

The burning question remains: Will Sonne's $20 million lesson catalyze meaningful change, or will acceptable loss thresholds continue to rise until investor and user confidence is irreparably shattered?