Sonne Finance Exploit - May 14, 2024
Overview
On 14 May 2024, Sonne Finance was exploited for approximately $20M via a known precision loss vulnerability that was first seen in the Hundred Finance exploit in April 2023. The Sonne Finance exploit is the largest exploit to occur on the Optimism chain and is overall the 6th largest incident in 2024.
The Vulnerability
Sonne Finance is a Compound V2 fork; its soToken is equivalent to the cToken in the Compound protocol. The root cause of this exploit was precision loss, a widely known vulnerability in Compound V2 forks that a number of projects have fallen victim to. The issue was first discovered in April 2023 when Hundred Finance was exploited for $7.5M. Other notable incidents include Onyx Protocol, which lost $2M in November 2023, and Starlay, which lost $2.1M in February 2024 via the same vulnerability.
How the Attack Worked
The attacker manipulated the exchangeRate by depositing underlying tokens into an empty market. They then exploited rounding issues in the redeemUnderlying function to redeem underlying tokens while burning fewer soTokens than the rate implied. In this attack, the attacker first manipulated the exchangeRate of the soVELO contract, causing 2 wei of soVELO to be valued at 35,471,603 VELO.
Context and Response
The attacker took advantage of the known vulnerability when an empty pool had been newly created, after users voted to add the VELO token to Sonne on the Optimism chain. The Sonne team became aware of the issue 25 minutes after the exploit. Thanks to Seal contributors noticing the issue quickly, the remaining ~$6.5M was saved by adding ~$100 worth of VELO to the markets.
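As an added example, not code from Sonne Finance or Compound: a Python model of the exchangeRate and redeemUnderlying arithmetic described in "How the Attack Worked", run once on a near-empty market and once on a market seeded the way the response above describes, to measure how much underlying floor division can leak per redeem. The Solidity-style floor division, the 1:1 initial rate, the 18-decimal VELO and every wei amount are assumptions or constructed values; only the 2 wei / 35,471,603 VELO figures come from the page.

```python
# Added example (not Sonne Finance's or Compound's own code): a minimal model of
# the Compound V2 exchangeRate / redeemUnderlying arithmetic in Solidity-style
# floor division, used to check how much underlying an almost-empty market can
# lose to rounding and how seeding the market bounds that loss.
# All amounts are constructed wei values; the VELO figures mirror the page.

MANTISSA = 10**18          # exchange rates carry 18 decimals of scaling
VELO = 10**18              # one whole VELO in wei (18-decimal token assumed)


def exchange_rate(cash, borrows, reserves, total_supply, initial_rate=MANTISSA):
    """exchangeRateStored: (cash + borrows - reserves) * 1e18 / totalSupply, floored."""
    if total_supply == 0:
        return initial_rate
    return (cash + borrows - reserves) * MANTISSA // total_supply


def so_tokens_burned(redeem_amount, rate):
    """redeemUnderlying: soTokens to burn = redeemAmount * 1e18 / exchangeRate.
    Solidity floors this, so the redeemer receives underlying for fewer soTokens
    than the rate implies; with a huge rate the floor can reach 0."""
    return redeem_amount * MANTISSA // rate


def redeem_loss(cash, total_supply, redeem_amount):
    """Underlying paid out beyond what the burned soTokens are worth at the
    current rate. Returns (rate, burned, loss_in_underlying_wei)."""
    rate = exchange_rate(cash, 0, 0, total_supply)
    burned = so_tokens_burned(redeem_amount, rate)
    value_of_burned = burned * rate // MANTISSA
    return rate, burned, redeem_amount - value_of_burned


def max_loss_per_redeem(rate):
    """Bound on rounding loss from one redeemUnderlying call: strictly less than
    the underlying value of one wei of soToken plus one wei of underlying."""
    return rate // MANTISSA + 1


# Case 1: near-empty market. Only 2 wei of soVELO exist and the cash has been
# pushed up until each wei is backed by 35,471,603 VELO (page figure; the cash
# amount is constructed to produce it).
DONATED_CASH = 2 * 35_471_603 * VELO
EMPTY_SUPPLY = 2
JUST_UNDER_ONE_SHARE = 35_471_603 * VELO - 1   # worth < 1 wei of soVELO, floors to 0

# Case 2: same cash, but the market was seeded first with 100 VELO minted 1:1
# (constructed stand-in for the small VELO deposit described above).
SEED = 100 * VELO
SEEDED_SUPPLY = SEED                            # 1:1 mint at the initial rate

if __name__ == "__main__":
    for label, supply, cash in [("empty", EMPTY_SUPPLY, DONATED_CASH),
                                ("seeded", SEEDED_SUPPLY, SEED + DONATED_CASH)]:
        rate, burned, loss = redeem_loss(cash, supply, JUST_UNDER_ONE_SHARE)
        print(f"{label}: rate={rate} burned={burned} loss={loss / VELO:.12f} VELO")
```

In the empty market the redeem burns 0 soVELO and the whole amount leaves for free; once the market is seeded the same call burns a non-zero share count and the loss stays below one soToken wei's worth of VELO.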
Sources