Post-mortem, Sonne Finance exploit

Sonne Finance
May 15, 2024

We are extremely sorry to announce that Sonne Finance (Optimism) has been exploited through the donation attack that is known to affect Compound v2 forks.

In the past we avoided the issue by adding new markets with a 0% collateral factor, supplying collateral to them and burning the resulting cTokens, and only then raising the collateral factors according to the proposals.
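As an added illustration of why that seeding step matters (this is a simplified model written for this post-mortem, not Sonne's or Compound's contract code), the snippet below reproduces the Compound v2 exchange-rate formula and shows how far a direct donation of underlying moves the rate in an unseeded market versus one where burned collateral is already locked; the 0.02 initial rate, the burn address and the token amounts are assumptions.

```python
from dataclasses import dataclass

MANTISSA = 10**18          # Compound scales exchange rates by 1e18
INITIAL_RATE = 2 * 10**16  # assumed: 0.02 underlying per cToken while totalSupply == 0
DEAD = "0x000000000000000000000000000000000000dEaD"  # burn address used by this model


@dataclass
class Market:
    """Minimal state of a Compound v2 style cToken market (both tokens 18 decimals here)."""
    cash: int = 0          # underlying held by the cToken contract
    borrows: int = 0       # outstanding borrows
    reserves: int = 0      # protocol reserves
    total_supply: int = 0  # cToken supply, burned tokens included
    burned: int = 0        # cTokens sent to DEAD and therefore never redeemable

    def exchange_rate(self) -> int:
        """exchangeRate = (cash + borrows - reserves) / totalSupply, scaled by 1e18."""
        if self.total_supply == 0:
            return INITIAL_RATE
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, underlying: int) -> int:
        """Deposit underlying and receive cTokens at the current rate."""
        minted = underlying * MANTISSA // self.exchange_rate()
        self.cash += underlying
        self.total_supply += minted
        return minted

    def seed_and_burn(self, underlying: int) -> None:
        """The mitigation described above: supply collateral, then burn the cTokens."""
        self.burned += self.mint(underlying)  # ownership moves to DEAD; supply stays

    def donate(self, underlying: int) -> None:
        """Underlying sent straight to the contract: cash rises, no cTokens are minted."""
        self.cash += underlying


def rate_inflation(market: Market, donation: int) -> float:
    """Factor by which a direct donation of `donation` underlying grows the exchange rate."""
    before = market.exchange_rate()
    probe = Market(market.cash, market.borrows, market.reserves, market.total_supply)
    probe.donate(donation)
    return probe.exchange_rate() / before


def safe_to_raise_collateral_factor(market: Market, min_burned_underlying: int) -> bool:
    """Gate for the collateral-factor step: enough value must sit in burned cTokens."""
    locked = market.burned * market.exchange_rate() // MANTISSA
    return locked >= min_burned_underlying
```

With a single 1-token deposit and no seed, a 1000-token donation multiplies the rate by 1001; after a burned 100-token seed the same donation moves it by about 11x, and the gate refuses to raise the collateral factor until the seed is in place.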

As you might know, we recently passed a proposal to add VELO markets to Sonne.

https://twitter.com/SonneFinance/status/1786871066075206044

We scheduled the transactions on the multisig wallet, and because there is a 2-day timelock, we also scheduled the collateral-factor transactions to execute in 2 days:

https://optimistic.etherscan.io/tx/0x18ebeb958b50579ce76528ed812025949dfcff8c2673eb0c8bc78b12ba6377b7

Our multisig execution is not permissionless on Base, but it is permissionless on Optimism.

When the 2-day timelock ended, the exploiter executed 4 of the transactions creating the markets, and after that executed the transaction setting the collateral factors for those markets:

https://optimistic.etherscan.io/tx/0x45c0ccfd3ca1b4a937feebcb0f5a166c409c9e403070808835d41da40732db96#eventlog

https://optimistic.etherscan.io/tx/0x9312ae377d7ebdf3c7c3a86f80514878deb5df51aad38b6191d55db53e42b7f0#eventlog

Once the market-creation transactions had been executed without us noticing, the attacker was able to exploit the protocol for ~$20M with the known donation attack.

https://optimistic.etherscan.io/tx/0x9312ae377d7ebdf3c7c3a86f80514878deb5df51aad38b6191d55db53e42b7f0

Thanks to Seal contributors noticing the issue quickly, the remaining ~$6.5M was saved by adding ~$100 worth of VELO to the markets.

https://twitter.com/tonyke_bot/status/1790547461611860182

The Sonne team became aware of the issue 25 minutes after the exploit.

After noticing the issue, a war room was assembled. Although the funds could not be saved, the investigation into the exploiter's identity is still ongoing.

Addresses related to the attacker:


We paused the markets as fast as we could to mitigate further damage.

https://twitter.com/SonneFinance/status/1790535383005966554

We are ready to offer a bounty to the exploiter, and to commit to not pursuing the issue further, if the funds are returned.

We are sincerely sorry about the situation; we are doing everything in our power and are in contact with anyone who can help recover the funds.

For further information, or to coordinate recovery of the funds, please visit our project's Discord.

Sonne Finance is a decentralized, non-custodial liquidity market protocol on Optimism Mainnet.