Sonne Finance DeFi project hacked for $20 million

The Sonne Finance decentralized lending protocol was hit by an exploit that caused about $20 million in losses.

Post-mortem on the exploit of Sonne Finance markets on Optimism
— Sonne Finance (@SonneFinance) May 15, 2024

According to the statement, the attacker used a "known donation attack" against Compound v2 forks, of which Sonne Finance is one.

As a result of the hack, the team paused the protocol on the Optimism L2 network. Operations on Base continue as normal.

In 2023, Compound specialists described a vulnerability in the second version of the platform that allows attacks on markets with low supply and a non-zero collateral factor (CF).

According to the experts, to drain almost every asset on the protocol an attacker has to perform the same sequence of steps each time:

* create and finance a new contract;

* mint collateral tokens on an empty market and redeem most of them;

* donate these coins to raise the exchange rate;

* use this overpriced collateral to borrow another asset;

* return donations by redeeming collateral;

* liquidate the borrower's contract with the borrowed funds and redeem collateral tokens.

Compound's experts called setting a zero CF for new markets the simplest solution for existing Compound v2-based projects.
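As an added illustration (not Sonne Finance's or Compound's code), the toy Python model below replays the step sequence described above on an empty market and shows why the recommended zero CF neutralizes it: with CF = 0 the inflated exchange rate yields no borrow capacity, and the hypothetical `set_collateral_factor` guard refuses to raise the CF while supply is thin. The exchange-rate formula follows Compound v2 with borrows and reserves omitted; all quantities are constructed.

```python
from dataclasses import dataclass
MANTISSA = 10**18  # Compound v2 fixed-point scale (1e18 == 1.0)


@dataclass
class Market:
    """Toy Compound v2 style cToken market (constructed for this example, not Sonne's code)."""
    cash: int = 0                    # underlying held by the market
    total_supply: int = 0            # cTokens outstanding
    collateral_factor: int = 0       # CF scaled by MANTISSA; 0 = cannot be borrowed against
    initial_rate: int = 2 * 10**16   # rate used while total_supply == 0

    def exchange_rate(self) -> int:
        # Compound v2: (cash + borrows - reserves) / totalSupply; borrows/reserves omitted here
        if self.total_supply == 0:
            return self.initial_rate
        return self.cash * MANTISSA // self.total_supply

    def mint(self, amount: int) -> int:
        minted = amount * MANTISSA // self.exchange_rate()
        self.cash, self.total_supply = self.cash + amount, self.total_supply + minted
        return minted

    def redeem(self, ctokens: int) -> int:
        underlying = ctokens * self.exchange_rate() // MANTISSA
        self.cash, self.total_supply = self.cash - underlying, self.total_supply - ctokens
        return underlying

    def donate(self, amount: int) -> None:
        # Plain transfer of underlying: no cTokens minted, so every remaining cToken is revalued
        self.cash += amount

    def borrow_capacity(self, ctokens: int) -> int:
        # Collateral value in underlying units, scaled by the market's CF
        value = ctokens * self.exchange_rate() // MANTISSA
        return value * self.collateral_factor // MANTISSA


def set_collateral_factor(market: Market, cf: int, min_supply: int) -> bool:
    """Hypothetical defender-side guard: keep CF at zero while the market is thinly supplied."""
    if cf > 0 and market.total_supply < min_supply:
        return False
    market.collateral_factor = cf
    return True


def simulate_thin_market(cf: int, min_supply: int) -> tuple[int, int, bool]:
    # Returns (exchange rate after the donation, borrow capacity of the 2 wei left, guard result)
    m = Market()
    minted = m.mint(2 * 10**18)      # seed the empty market with 2 underlying
    m.redeem(minted - 2)             # redeem all but 2 wei of cTokens
    m.donate(1_000_000 * 10**18)     # donate 1M underlying without minting; rate explodes
    applied = set_collateral_factor(m, cf, min_supply)
    return m.exchange_rate(), m.borrow_capacity(2), applied
```

With the guard active (or CF left at zero), the donation still inflates the exchange rate but the residual position cannot borrow anything; only after a non-zero CF is applied to the thin market does the 2 wei of cTokens gain capacity worth almost the whole donation.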

The Sonne Finance team assured that they had followed this recommendation. However, when adding support for the VELO token, the protocol scheduled the collateral factors (c-factors) to be applied two days later.

According to the developers, the attacker waited for the unlock and made four transactions to create the markets and one more to add the c-factors.

Sonne Finance confirmed that it learned of the attack from community members' warnings.

Hi @SonneFinance: Please double check your timelock contract and the loss is now more than $20m.
— PeckShield Inc. (@peckshield) May 15, 2024

The immediate response prevented the theft of approximately $6.5 million more in assets, the team said.

The developers added that they are continuing to "investigate the identity of the hacker" but are prepared to offer a reward for the return of the withdrawn funds.