Staggeringly, a crypto attacker succeeded in the hack on Sonne Finance to conduct a heist using a very complex exploit that drained the company’s assets, bringing in about $20 million to the attacker. The attack played out for a few days, spotting carefully the backdoor of Sonne Finance’s VELO integration with the Optimism network.
The Course of the Strike
The exploit transaction of two days duration started from the date of the attack according to the detailed analysis released by CertiK. A few days before, Sonne Finance had carried out a unanimous vote to make VELO transactions possible on the Optimism blockchain and finished all the relevant transactions through the multi-sig wallet.
This wallet included a two-day time lock which was designed to provide an added layer of security by causing transactions to be delayed for two days.
With the completion of the two-day counting period, the attacker implemented a “c-factor” to the markets by afternoon. At this crucial step, the Vulnerable attacker transmitted 400,000,001wei VELO (a minuscule part of the VELO token) in order to mint only 2 wei.
Exploiting the System
The one to get the loan was the newly issued soVELO which borrowed 35,469,150 VELO from the AMM liquidity pool immediately after the overcollateralized VELO was moved to the soVELO contract.
However, this transfer didn’t mint additional soVELO tokens, leading to an imbalance. The total cash money in the system continued to grow while the total quantity soVELO remained at 2 wei.
That is why the attacker successfully borrowed 265 wei of Wrapped Ethereum, with just the collateral as two wei soVeLO. Due to rounding errors in the division calculations, the adversary was able to become the owner of 35,471,603 VELO. He redeemed the number of tokens for only 1 wei of soVELO instead of the 1 VELO that was suggested.
The Drainage Operation
The attacker had not stopped sufficiently by then. The second period, they had used 100 wei of VELO at the same time at soVELO, so that generated another wei of soVELO as a total supply of 2 wei. This way they kept running the system and got assets drained from several sources.
The assets stolen included: 2,352. 96 VELO, 795. 38 WETH, 768,933. 76 USDC. With the emergence of e ish (a USDC coin on top of Ethereum), 162,92 WBTC (Wrapped Bitcoin), 1667. 45 wstETH (wrapped staked ETH), 777k. 566 USD (Tether) and 1,264,790. 21 USDC.
The fact that such small rounding omissions can lead to the hack’s success is a pointer to the need to audit the code effectively and have a robust failsafe in place for digital assets security in decentralized environments.
Also Check Out : Crypto Hack Report Q1 2024: Trends, Losses, and Recovery Efforts
Earn more PRC tokens by sharing this post. Copy and paste the URL below and share to friends, when they click and visit Parrot Coin website you earn: https://parrotcoin.net0
PRC Comment Policy
Your comments MUST BE constructive with vivid and clear suggestion relating to the post.
Your comments MUST NOT be less than 5 words.
Do NOT in any way copy/duplicate or transmit another members comment and paste to earn. Members who indulge themselves copying and duplicating comments, their earnings would be wiped out totally as a warning and Account deactivated if the user continue the act.
Parrot Coin does not pay for exclamatory comments Such as hahaha, nice one, wow, congrats, lmao, lol, etc are strictly forbidden and disallowed. Kindly adhere to this rule.
Constructive REPLY to comments is allowed