Sonne Finance Incident Analysis
5/14/2024

Introduction

On 14 May 2024, Sonne Finance was exploited for approximately $20M with a known precision loss vulnerability that was first seen in the Hundred Finance exploit in April 2023. The Sonne Finance exploit is the largest exploit to occur on the Optimism chain and is overall the 6th largest incident in 2024. The attacker took advantage of the known vulnerability when an empty pool had been newly created, after users voted to add Velo token to Sonne on the Optimism chain.

Background

soToken

Sonne Finance is a Compound V2 fork; its soToken is equivalent to the cToken in the Compound protocol.

“[cToken] is an EIP-20 compliant representation of balances supplied to the protocol. By minting cTokens, users (1) earn interest through the soToken’s exchange rate, which increases in value relative to the underlying asset, and (2) gain the ability to use cToken as collateral. cTokens are the primary means of interacting with the Compound Protocol; when a user mints, redeems, borrows, repays a borrow, liquidates a borrow, or transfers cTokens, she will do so using the cToken contract.” Compound v2 Docs | cTokens

exchangeRate

The exchangeRate of soToken refers to how much of the underlying token one soToken is worth. The calculation formula is as follows. Compound v2 Docs | cTokens

[Figure: exchangeRate = (totalCash + totalBorrows - totalReserves) / totalSupply]

Breaking it down:

  • totalCash: The amount of underlying token balance owned by this soToken contract.
  • totalBorrows: The amount of underlying token currently loaned out by the market.
  • totalReserves: Reserves are an accounting entry in each soToken contract that represents a portion of historical interest set aside as cash which can be withdrawn or transferred through the protocol’s governance.
  • totalSupply: Total Supply is the number of tokens currently in circulation in this soToken market.

Vulnerability

The root cause of this exploit was precision loss, a widely known vulnerability in Compound V2 forks that a number of projects have fallen victim to. The issue was first discovered in April 2023 when Hundred Finance was exploited for $7.5m. Other notable incidents include Onyx Protocol, which lost $2m in November 2023, and Starlay, which lost $2.1m in February 2024 via the same vulnerability.

The attacker manipulated the exchangeRate by depositing underlying tokens into an empty market. They then exploited rounding issues in the redeemUnderlying function to redeem underlying tokens with fewer soToken.

In this attack, the attacker initially manipulated the exchangeRate of the soVELO contract, causing 2 wei of soVELO to be valued at 35,471,603 VELO. Subsequently, during the redemption of VELO, due to rounding down, the amount of soVELO required for redemption was truncated to 1 (rounded down from 1.999994 to 1), allowing the attacker to redeem assets valued at 2 wei of soVELO using only 1 wei of soVELO.

Attack Flow

The attack on Sonne Finance began 2 days prior to the exploit transaction. The approximate timeline of the attack is as follows:

Proposal

4 May: Sonne Finance initiated Sonne Improvement Proposal 15 - Adding VELO on Sonne Finance (Optimism). Voting closed on 7 May and unanimously passed with 100% Yes votes.

Sonne Finance on Twitter / Snapshot

Preparation

As stated in their post-mortem, Sonne Finance scheduled the required transactions on their multisig wallet, which implements a 2 day timelock, and also scheduled the c-factors to coincide. Post-mortem, Sonne Finance exploit Tenderly Dashboard

After the 2-day timelock ended for the creation of markets, the attacker executed a transaction for adding c-factor to the markets. Tenderly Dashboard

In the transaction the attacker supplied 400000001 wei VELO to mint 2 wei soVELO.


Attack

The following attack flow is an analysis of transaction hash: 0x9312ae377d7ebdf3c7c3a86f80514878deb5df51aad38b6191d55db53e42b7f0 Tenderly Dashboard

  1. The attacker borrowed 35,469,150 VELO from the AMM pool and transferred all the VELO to the soVELO contract.


  2. As these VELO tokens were directly transferred (donated) to the soVELO contract without minting corresponding soVELO tokens, recalling the calculation formula of exchangeRate (exchangeRate = (totalCash + totalBorrows - totalReserves) / totalSupply), this effectively inflated the totalCash while the totalSupply remained unchanged (still at 2 wei). The current totalBorrows is 0, totalReserves is 0, and totalSupply is 2.


This resulted in the current exchangeRate becoming 17,735,851,964,756,377,265,143,988,000,000,000,000,000, which means 1 wei soVELO is valued at 17,735,851 VELO.

  3. The attacker created a contract and transferred 2 wei soVELO to it.


  4. Since 1 wei soVELO was now valued at 17,735,851 VELO, the attacker was able to borrow 265 WETH using 2 wei soVELO.


  5. The attacker called redeemUnderlying to redeem 35,471,603 VELO. The amount of VELO the attacker intended to redeem is 35,471,603,929,512,754,530,287,976 wei. At this time, the exchangeRate is 17,735,851,964,756,377,265,143,988,000,000,000,000,000. According to the calculation formula, the amount of soVELO the attacker should pay is calculated as follows:

35471603929512754530287976 * 1000000000000000000 / 17735851964756377265143988000000000000000000 = 1.999994

Because the integer division rounds down, 1.999994 was truncated to 1. Consequently, the attacker redeemed 35,471,603 VELO by paying only 1 wei of soVELO instead of 1.999994 wei. After the redemption, the totalSupply of soVELO also decreased by the redeemed amount (1 wei).


  6. The attacker transferred 100 VELO to the soVELO contract, then minted 1 wei of soVELO, causing the totalSupply of soVELO to return to 2 wei. The attacker then repeated steps 3 to 5 as described previously to drain the soUSDC and soWETH markets.
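The following Python model is an added illustration, not code from Sonne Finance or Compound: it reproduces the exchangeRate arithmetic from the Background section and the redeemUnderlying rounding from step 5 using the figures in this analysis. The initial exchange rate of 2e26 (Compound's usual 0.02 scaled for an 18-decimal underlying) and VELO having 18 decimals are assumptions; the totalCash is the value implied by the quoted exchangeRate. A round_up flag shows the ceiling variant under which the same redemption would have required 2 wei of soVELO.

```python
# Added model of Compound V2 soToken arithmetic (not the project's code).
# All values are integers, scaled by 1e18 exactly as the protocol does.
MANTISSA = 10**18
# Assumed initial rate: Compound's 0.02 * 10**(18 + 18 - 8) = 2e26, which is
# consistent with 400000001 wei VELO minting 2 wei soVELO in the preparation tx.
INITIAL_RATE = 2 * 10**26

class Market:
    def __init__(self):
        self.total_cash = 0
        self.total_borrows = 0
        self.total_reserves = 0
        self.total_supply = 0

    def exchange_rate(self):
        # exchangeRate = (totalCash + totalBorrows - totalReserves) / totalSupply
        if self.total_supply == 0:
            return INITIAL_RATE
        return ((self.total_cash + self.total_borrows - self.total_reserves)
                * MANTISSA // self.total_supply)

    def mint(self, amount):
        # mintTokens = mintAmount * 1e18 / exchangeRate, rounded down
        tokens = amount * MANTISSA // self.exchange_rate()
        self.total_cash += amount
        self.total_supply += tokens
        return tokens

    def donate(self, amount):
        # A plain ERC-20 transfer into the contract: cash grows, supply does not.
        self.total_cash += amount

    def redeem_underlying(self, amount, round_up=False):
        # redeemTokens = redeemAmount * 1e18 / exchangeRate. Compound V2 rounds
        # down, so 1.999994 becomes 1; round_up=True applies a ceiling instead.
        rate = self.exchange_rate()
        tokens = amount * MANTISSA // rate
        if round_up and tokens * rate < amount * MANTISSA:
            tokens += 1
        assert 0 < tokens <= self.total_supply
        self.total_cash -= amount
        self.total_supply -= tokens
        return tokens

def sonne_scenario(round_up=False):
    # Returns (exchangeRate after donation, soVELO burned, totalSupply after).
    m = Market()
    assert m.mint(400000001) == 2                       # preparation transaction
    m.donate(35471703929512754530287976 - 400000001)    # cash implied by the rate
    rate = m.exchange_rate()
    burned = m.redeem_underlying(35471603929512754530287976, round_up)
    return rate, burned, m.total_supply
```

With the default rounding the scenario burns 1 wei of soVELO for the full redemption; with round_up it burns 2 wei, which is the whole supply.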


Fund Tracing

The attacker was able to drain multiple pools and take assets totalling approximately $20 million. The assets comprised the following:

  • soVELO: 2,352.96 VELO
  • soWETH: 795.38 WETH
  • soUSDC.e: 768,933.76 USDC.e
  • soWBTC: 162.92 WBTC
  • sowstETH: 1667.45 wstETH
  • soUSDT: 777632.56 USDT
  • soUSDC: 1264790.21 USDC

Victim Addresses

  • 0xec8fea79026ffed168ccf5c627c7f486d77b765f
  • 0xf7b5965f5c117eb1b5450187c9dcfccc3c317e8e
  • 0xe3b81318b1b6776f0877c3770afddff97b9f5fe5

Fund Flow

As of writing the exploiter holds the majority of funds in the following addresses:

  • 0x5D0D99e9886581ff8fCB01F35804317f5eD80BBb (OP): $6,139,748
  • 0x6277aB36a67CfB5535b02eE95C835A5eeC554c07 (OP): $4,555,874
  • 0x6277aB36a67CfB5535b02eE95C835A5eeC554c07 (ETH): $3,337,615
  • 0x3b39652151102d19Ca41544a635956EF97416598 (OP): $2,610,288
  • 0x4FaC0651BcC837Bf889F6a7D79C1908419fE1770 (OP): $1,633,691
  • 0x9f44c4eC0b34C2DDe2268eD3ACbf3Aba8Eacde51 (OP): $1,382,446
  • 0x5D0D99e9886581ff8fCB01F35804317f5eD80BBb (ETH): $612,170
  • 0xae4A7cDe7C99fb98B0D5fA414aa40F0300531F43 (OP): $296,917
  • 0x9f09Ec563222FE52712dc413d0B7b66CB5C7C795 (OP): $95,782

Conclusion

Though this was a known vulnerability that Sonne Finance was aware of, their multisig execution is permissionless on Optimism, whereas it isn’t on Base. This allowed the attacker to circumvent the precautionary measures Sonne Finance took to prevent the exploit from happening. Sonne Finance was also fortunate not to lose more funds: X user @tonyke_bot detailed how $6.5 million was saved by buying $100 worth of VELO, which was added to the soVELO pool. Tony KΞ on Twitter / X


A security audit by CertiK highlights the known precision issue as a major risk, which helps a project manage and mitigate the issue and provides insight into other unforeseen circumstances.