DeFi platform Sonne Finance loses $20 million in crypto exploit | CryptoTvplus
DeFi platform Sonne Finance, a decentralized, non-custodial liquidity market protocol on Optimism Mainnet and Base, suffered a major setback after a hacker stole around $20 million worth of cryptocurrency.
In a post-mortem published on Medium by Multi-Chain Protocol, Sonne Finance noted that the attack targeted a vulnerability in Sonne’s Optimism Network, a blockchain platform designed for faster and cheaper transactions.
Sonne Finance recently added a new digital asset called VELO to its platform. Unfortunately, this addition introduced a security vulnerability despite the platform’s previous efforts to prevent such attacks. The vulnerability allowed the attacker to exploit a planned transaction initiated by Sonne Finance via a special multi-signature wallet.
As you may know, we recently adopted a proposal to add VELO markets to Sonne. We scheduled the transactions on the multisig wallet, and since there is a 2 day delay, we also scheduled the C factors to execute in 2 days.
Our multisig execution is not permissionless, but permissionless on Optimism. The exploiter executed 4 of the trades at the end of the 2 day time limit for creating markets, then executed the trade to add the C factor to the markets.
A multi-signature wallet requires multiple approvals before a transaction can be processed. Optimism allows permissionless execution on these multi-signature wallets, meaning anyone can execute the transactions once the required approvals are obtained.
The attacker used the intended transaction as a springboard, executing four additional transactions after the lock timeout on the multi-signature wallet expired. This manipulation allowed them to siphon off an amount estimated at $20 million.
After the markets were executed without us realizing it, the attacker was able to mine the protocol for approximately $20 million through the known donation attack.
Sonne Finance recovered a small portion, approximately $6.5 million, by taking swift action after learning of the problem 25 minutes after the exploit and suspending the market to mitigate further damage.
Thanks to Seal contributors who noticed the problem early, the remaining $6.5 million was saved by adding about $100 worth of VELO to the marketplaces. The Sonne team became aware of the problem 25 minutes after the exploit.
The platform acknowledged the incident and said it was actively working to recover the stolen funds and minimize the impact on its users. As part of the fund recovery strategy, Sonne Finance placed a bounty on the hacker, hoping to encourage the return of the stolen cryptocurrency.
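As an added example (not code from Sonne Finance or from the original article), the following Python check models the scheduled operations described above and flags any collateral-factor operation that could run against a market nobody has deposited into yet. The operation kinds, field names, batch ids and the sample queues are constructed for illustration; the rule that a seeded market is safe is an assumption drawn from the report that adding about $100 of VELO protected the remaining funds.

```python
from dataclasses import dataclass

ANYONE = "anyone"  # assumed label: execution is permissionless once the delay expires

@dataclass(frozen=True)
class Op:
    op_id: str
    kind: str      # "create_market", "seed_market" or "set_collateral_factor"
    market: str
    batch: str     # operations sharing a batch id execute atomically, in list order

def audit(queue, executor, seeded=frozenset()):
    """Flag collateral-factor operations that can run against an empty market."""
    findings = []
    for op in queue:
        if op.kind != "set_collateral_factor" or op.market in seeded:
            continue
        batch = [o for o in queue if o.batch == op.batch]
        earlier = batch[:batch.index(op)]
        if any(o.kind == "seed_market" and o.market == op.market for o in earlier):
            continue  # deposit lands atomically before the market counts as collateral
        if executor == ANYONE:
            reason = "anyone can execute this before the team deposits"
        else:
            reason = "team must deposit between creation and this operation"
        findings.append((op.op_id, op.market, reason))
    return findings

# Constructed queue modelled on the article: separately scheduled market
# creation and collateral-factor operations, each executable on its own.
AS_SCHEDULED = [
    Op("op-1", "create_market", "VELO", "b1"),
    Op("op-2", "set_collateral_factor", "VELO", "b2"),
]
# Hardened variant: one atomic batch with a seed deposit before the C factor.
HARDENED = [
    Op("op-1", "create_market", "VELO", "b1"),
    Op("op-2", "seed_market", "VELO", "b1"),
    Op("op-3", "set_collateral_factor", "VELO", "b1"),
]

if __name__ == "__main__":
    for name, q in (("as scheduled", AS_SCHEDULED), ("hardened", HARDENED)):
        print(name, audit(q, ANYONE))
```

Run against a real proposal queue before scheduling, a non-empty result means the listing should either be batched with a seed deposit or executed only by a restricted executor.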