Sonne Finance, a pioneering decentralized finance (DeFi) protocol operating on the Optimism Mainnet, has fallen victim to a devastating exploit, resulting in a loss exceeding $20 million. The attack, suspected to have been carried out through a loophole in a time-locked contract, has sent shockwaves through the burgeoning DeFi landscape.
According to insights from PeckShield, a blockchain security firm, Sonne Finance was targeted in what appears to be a carefully orchestrated attack, leveraging vulnerabilities in the protocol's smart contract infrastructure. The exploit, which involved a known donation attack technique commonly associated with Compound v2 forks, unfolded despite the platform's proactive measures to bolster security.
Optimism markets suspended
Sonne Finance, notable as the first platform to launch a lending protocol on Optimism, promptly responded to the breach with an official blog post. In the statement, the team expressed deep regret over the incident and detailed the sequence of events leading to the exploit. The attackers capitalized on a two-day timelock feature, strategically executing transactions to manipulate market creation and collateral factors within the protocol.
Despite efforts to detect and mitigate the hack swiftly, the Sonne Finance team acknowledged the loss of funds and initiated an urgent investigation into the perpetrators' identities. Notably, the team highlighted the vigilant efforts of Seal contributors, whose prompt action helped salvage approximately $6.5 million by injecting VELO tokens into affected markets.
The exploit, detected by the Sonne Finance team approximately 25 minutes after it occurred, triggered the immediate suspension of all Optimism markets operated by the protocol. Moreover, the team pledged to offer a bounty to the exploiters and refrain from pursuing legal action if the misappropriated funds were returned.
In a bid to contain further damage and safeguard user assets, Sonne Finance promptly paused all market activities and engaged in dialogue with relevant stakeholders to explore avenues for fund recovery. The team reiterated its commitment to transparency and accountability, vowing to collaborate with external parties to address the aftermath of the attack comprehensively.