Post-mortem, Sonne Finance exploit
We are extremely sorry to announce that Sonne Finance (Optimism) has been exploited with the known donation attack against Compound v2 forks.
We avoided the issue in the past by adding markets with 0% collateral factors, adding collateral and burning it, and only then increasing the c-factors according to the proposals.
As you might know, we recently passed a proposal to add VELO markets to Sonne.
https://twitter.com/SonneFinance/status/1786871066075206044
We scheduled the transactions on the multisig wallet, and because there is a 2-day timelock, we also scheduled the c-factor changes to be executed in 2 days.
Our multisig execution is not permissionless on Base, but it is permissionless on Optimism.
The exploiter executed 4 of the transactions when the 2-day timelock for the creation of the markets ended, and after that executed the transaction adding c-factors to the markets.
After the market transactions were executed without us noticing, the attacker was able to exploit the protocol for ~$20M with the known donation attack.
Thanks to Seal contributors noticing the issue fast, the remaining ~$6.5M was saved by adding ~$100 worth of VELO to the markets.
https://twitter.com/tonyke_bot/status/1790547461611860182
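As an added illustration (not Sonne's code), the following Python model of the Compound v2 exchange rate shows why seeding a market and burning the cTokens, the mitigation described above and the one applied with ~$100 of VELO, blunts the donation attack: in an empty market nearly all of a donation's value lands on the donor's own cTokens, while with burned, protocol-owned supply only a small share does. The `Market` class, the 1:1 initial exchange rate, the `"burn"` holder and all amounts are constructed assumptions.

```python
EXP_SCALE = 10**18
INITIAL_EXCHANGE_RATE = 10**18  # constructed: 1 cToken == 1 underlying before first mint

class Market:
    """Minimal model of a Compound v2 cToken market (no borrows, no reserves)."""
    def __init__(self):
        self.cash = 0           # underlying held by the cToken contract
        self.total_supply = 0   # cTokens in circulation
        self.balances = {}      # holder -> cTokens

    def exchange_rate(self):
        # fixed initial rate until the first mint, then cash / totalSupply
        if self.total_supply == 0:
            return INITIAL_EXCHANGE_RATE
        return self.cash * EXP_SCALE // self.total_supply

    def mint(self, holder, amount):
        tokens = amount * EXP_SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        self.balances[holder] = self.balances.get(holder, 0) + tokens
        return tokens

    def donate(self, amount):
        # underlying sent straight to the contract: raises the rate, mints nothing
        self.cash += amount

    def value_of(self, holder):
        return self.balances.get(holder, 0) * self.exchange_rate() // EXP_SCALE

def seed_and_burn(market, amount):
    """Team mitigation: supply `amount` and burn the cTokens (dead address)."""
    market.mint("burn", amount)

def safe_to_raise_collateral_factor(market, min_burned_underlying):
    """Guard for the c-factor transaction: proceed only once burned supply is worth enough."""
    return market.value_of("burn") >= min_burned_underlying

def donation_share_captured(seed_underlying, depositor_amount, donation):
    """Fraction of a donation's value that lands on a depositor's own cTokens."""
    m = Market()
    if seed_underlying:
        seed_and_burn(m, seed_underlying)
    m.mint("depositor", depositor_amount)
    before = m.value_of("depositor")
    m.donate(donation)
    return (m.value_of("depositor") - before) / donation
```

Running `safe_to_raise_collateral_factor` on the freshly created market returns False, and only after `seed_and_burn` does it pass; `donation_share_captured` returns 1.0 for an empty market and roughly 1/101 once 100 units are seeded and burned.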
The Sonne team became aware of the issue 25 minutes after the exploit.
After noticing the issue, a war room was assembled. Despite not being able to save the funds, the investigation into the exploiter's identity is still ongoing.
Addresses related to the attacker:
We paused the markets as fast as we could to mitigate further damage.
https://twitter.com/SonneFinance/status/1790535383005966554
We are ready to offer a bounty to the exploiter, and to commit not to pursue the issue further, if the funds are returned.
We are sincerely sorry about the situation. We are doing everything in our power and are in contact with anyone who can help recover the funds.
For further information or to coordinate recovery of the funds, please visit our project's Discord.