$20 Million Crypto Heist Reveals Vulnerability in Sonne Finance

Sonne Finance, a crypto platform, fell victim to a sophisticated attack that resulted in the theft of approximately $20 million worth of crypto assets. The attacker exploited a vulnerability in Sonne Finance’s VELO integration with the Optimism network, employing a complex two-step process to manipulate the system.

The attack unfolded over a two-day period, starting from the date of the incident. Prior to the attack, Sonne Finance had enabled VELO transactions on the Optimism blockchain through a unanimous vote. All relevant transactions were completed using a multi-sig wallet that included a two-day time lock for added security.

After the two-day counting period, the attacker introduced a “c-factor” to the markets. They sent a tiny VELO transaction of 400,000,001 wei, minting only 2 wei in return. This allowed them to borrow 35,469,150 VELO from the AMM liquidity pool using the newly issued soVELO. However, the transfer did not mint additional soVELO tokens, creating an imbalance in the system.

Taking advantage of rounding errors in the division calculations, the attacker was able to borrow 265 wei of Wrapped Ethereum with just 2 wei of soVELO as collateral. They redeemed the borrowed tokens for only 1 wei of soVELO instead of the suggested 1 VELO.
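The rounding effect described above, as an added example that is not from the original article or from Sonne Finance's contracts: a simplified share-accounting model in Python that compares truncating the shares burned on a withdrawal with rounding them up. The `Market` class, the `INITIAL_RATE` constant and the direct-transfer step are assumptions, chosen so that 400,000,001 wei mints 2 wei as the article states.

```python
# Simplified share-accounting model (assumption): not Sonne Finance's contract code.
SCALE = 10**18
# Assumed initial rate, chosen so 400,000,001 wei mints 2 wei as the article states.
INITIAL_RATE = 2 * 10**26


class Market:
    def __init__(self, round_up_on_redeem):
        self.cash = 0      # underlying held by the market, in wei
        self.supply = 0    # share tokens in circulation, in wei
        self.round_up = round_up_on_redeem

    def rate(self):
        # Underlying per share, scaled by SCALE; integer division truncates.
        if self.supply == 0:
            return INITIAL_RATE
        return self.cash * SCALE // self.supply

    def mint(self, amount):
        shares = amount * SCALE // self.rate()   # rounds down: favours the market
        self.cash += amount
        self.supply += shares
        return shares

    def receive_transfer(self, amount):
        # Underlying arrives without a mint: cash grows, share supply does not.
        self.cash += amount

    def shares_for_withdrawal(self, amount):
        num, rate = amount * SCALE, self.rate()
        if self.round_up:
            return -(-num // rate)   # ceiling: favours the market
        return num // rate           # floor: favours the withdrawer


def demo(round_up):
    # Figures from the article: a 400,000,001 wei mint, then a 35,469,150 VELO transfer.
    m = Market(round_up)
    minted = m.mint(400_000_001)
    m.receive_transfer(35_469_150 * SCALE)
    burned = m.shares_for_withdrawal(m.cash - 1)
    return minted, burned


if __name__ == "__main__":
    print("truncating:", demo(False))
    print("rounding up:", demo(True))
```

With truncation, withdrawing all but 1 wei of the underlying burns only 1 of the 2 shares in circulation; rounding the burned amount up charges both.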

The attacker continued their operation by using 100 wei of VELO to generate another wei of soVELO, draining assets from multiple sources. The stolen assets included VELO, WETH, USDC, e ish, WBTC, wstETH, and USD.

This attack highlights the importance of conducting thorough code audits and implementing robust security measures in decentralized environments. Even the smallest oversight can lead to devastating breaches, underscoring the need for constant vigilance in cryptocurrency security.
