
Behind the $20 million Sonne Finance hack; Revealing technical details


A crypto attacker hacked Sonne Finance with a highly complex exploit that drained the company’s assets, netting approximately $20 million. The attack took place over a few days and targeted an opening in Sonne Finance’s VELO integration on the Optimism network.

Here are the details of the attack.

How it all happened

According to the detailed analysis published by CertiK, the two-day exploit sequence began on the date of the attack. A few days earlier, Sonne Finance had held a unanimous vote to make VELO transactions possible on the Optimism blockchain and finalized all relevant transactions via its multi-sig wallet.

This wallet included a two-day time lock designed to provide an extra layer of security by delaying transactions for two days.

Once the two-day waiting period ended, the attacker implemented a “C Factor” on the markets in the afternoon. At this crucial stage, the attacker transferred 400,000,001 wei of VELO (a tiny fraction of a VELO token) in order to mint just 2 wei of soVELO.

Manipulating the system

The loan went to the newly issued soVELO, which borrowed 35,469,150 VELO from the AMM liquidity pool immediately after the transfer of the overcollateralized VELO to the soVELO contract.

However, this transfer did not generate additional soVELO tokens, leading to an imbalance. The total cash in the system continued to grow while the total amount of soVELO remained at 2 wei.

This is why the attacker managed to borrow 265 wei of Wrapped Ethereum with only 2 wei of soVELO as collateral. Due to rounding errors in the division calculations, the attacker was able to become the owner of 35,471,603 VELO, exchanging only 1 wei of soVELO for that number of tokens instead of the suggested 1 VELO.
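The share arithmetic described above can be reproduced with plain integers. The following is an added example, not code from the article, CertiK or Sonne Finance; the `Market` class, the initial exchange rate of 2e26 (chosen because it turns 400,000,001 wei into 2 wei) and the round-up option are assumptions.

```python
# Added illustration: integer model of share accounting in a lending market.
# All names are hypothetical; this is not Sonne Finance's contract code.
MANTISSA = 10**18
INITIAL_RATE = 2 * 10**26  # assumed; yields 2 wei of shares for 400,000,001 wei


class Market:
    def __init__(self, round_up_on_redeem=False):
        self.cash = 0      # underlying (VELO wei) held by the contract
        self.supply = 0    # share tokens (soVELO wei) in existence
        self.round_up = round_up_on_redeem

    def rate(self):
        # The rate is derived from the raw balance, so direct transfers move it.
        if self.supply == 0:
            return INITIAL_RATE
        return self.cash * MANTISSA // self.supply

    def mint(self, amount):
        shares = amount * MANTISSA // self.rate()  # truncating division
        self.cash += amount
        self.supply += shares
        return shares

    def transfer_in(self, amount):
        # Plain token transfer to the contract: cash grows, no shares are minted.
        self.cash += amount

    def redeem_underlying(self, amount):
        num, r = amount * MANTISSA, self.rate()
        # Truncation rounds in the redeemer's favour; ceiling rounds against.
        shares = -(-num // r) if self.round_up else num // r
        assert shares <= self.supply and amount <= self.cash
        self.cash -= amount
        self.supply -= shares
        return shares


def shares_burned_for_near_total_withdrawal(round_up):
    m = Market(round_up_on_redeem=round_up)
    minted = m.mint(400_000_001)              # figure from the article
    m.transfer_in(35_469_150 * 10**18)        # figure from the article
    burned = m.redeem_underlying(m.cash - 1)  # withdraw all but 1 wei
    return minted, burned, m.supply


print(shares_burned_for_near_total_withdrawal(False))  # truncating division
print(shares_burned_for_near_total_withdrawal(True))   # rounding up (assumed hardening)
```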

The drainage operation

The attacker did not stop there. In a second round, they supplied 100 wei of VELO to soVELO, which generated another wei of soVELO for a total supply of 2 wei. In this way, they kept the process running and drained assets from multiple sources.

The stolen assets included 2,352.96 VELO, 795.38 WETH, 768,933.76 US dollars (a USDC coin on top of Ethereum), 162.92 WBTC (Wrapped Bitcoin), 1667.45 wstETH (wrapped staked ETH), 777k. 566 USD (Tether) and 1,264,790.21 US dollars.

Lessons to learn

This bold feat is a stark reminder of the importance of conducting thorough code audits and implementing robust security measures to protect digital assets in decentralized environments.

Even the slightest oversight can pave the way for catastrophic breaches, highlighting the crucial need for vigilance when it comes to cryptocurrency security.
