Lending protocol Sonne Finance halted operations after a hack drained $20 million in cryptocurrencies, including WETH and USDC.
The Attack Timeline
On May 14, around 10:30 pm UTC, Web3 security firm Cyvers detected an ongoing attack on Sonne Finance’s USD and Wrapped Ether (WETH) contracts. Initially, the attacker had only stolen $3 in cryptocurrency. However, Sonne Finance only became aware of the issue 25 minutes later. By that time, $20 million worth of WETH, Velo (VELO), soVELO, and Wrapped USDC (USDC.e) had already been drained.
Initial Response
On May 15 at 12:11 a.m. UTC, Sonne Finance made a vague announcement on X, stating, “All markets on Optimism have been paused” and that “Markets on Base are safe.” They assured users that more information would be provided “with time.” Soon after, the protocol partnered with Cyvers to investigate the situation further.
How Sonne Finance Was Exploited
Three hours after their initial announcement, Sonne explained the situation further in a press release. The Optimism chain of Sonne Finance was exploited through a known donation attack on Compound v2 forks. Previously, measures were in place to combat the issue with 0% collateral factors, adding collateral, and burning them, before gradually increasing the collateral factors based on proposals.
However, a recent proposal was approved to integrate VELO markets into Sonne. Transactions were scheduled on a multi-sig wallet with a 2-day timelock. The exploit occurred as the timelock ended, allowing the hacker to execute transactions for market creation and adding collateral factors. After executing the markets undetected, the attacker was able to exploit the protocol for $20 million. However, the remaining $6.5M was saved by adding $100 worth of VELO to the markets.
The Aftermath and Recovery Efforts
Sonne Finance is working to recover the stolen funds, considering a bug bounty for their return. Usually, a 10% reward would be given to an exploiter for discovering a security flaw. However, it seems unlikely the hacker will comply. According to blockchain investigator PeckShield, the exploiter has already moved $7.8 million to a new wallet address. The exploiter then swapped 59 WBTC for roughly 1,185 Ether and 183,000 Dai, suggesting an intent to launder the stolen funds through a privacy protocol like Tornado Cash.
Tornado Cash in Crypto Crime
Tornado Cash is an open-source cryptocurrency tumbler, also known as a “crypto mixer.” This tool obscures the path of crypto transactions, making it extremely difficult to determine the original source of the funds. Although created as a privacy tool, hackers often use these mixing services to launder stolen funds via decentralized exchange platforms.
Crypto mixers have seen significant adoption in recent years. In October 2023, over $77 million in assets were processed through Tornado Cash contracts. However, the majority of this adoption has been with illicit assets. Over the years, hackers have chosen crypto-mixing services over centralized exchanges as once they are identified, addresses are blocked by exchanges. Tornado Cash bypasses this, as a way to legitimize their source of funds by removing connections to a hacked wallet or illicit crypto activity.
Recently, the United Nations sanctions monitors noted that North Korea was involved in laundering $147.5 million in stolen cryptocurrency using Tornado Cash. Almost all the top multi-million dollar crypto hacks have utilized Tornado Cash to launder the proceeds, as per an Arkham Intelligence report. This prompted the US Treasury to impose sanctions on Tornado Cash in August 2022. As a result, its founders were charged with money laundering and sanctions violations a year later.
While opinions within the crypto community vary regarding the adoption of privacy tools, there is a consensus against the persecution of developers solely for creating an application. Although crypto-related frauds and scams are on the decline, it is important that users are educated on how to protect themselves from crypto crime.
