An experienced crypto attacker exploited Sonne Finance's VELO integration on the Optimism network to drain roughly $20 million from the company within two days. By manipulating the protocol's "c-factor", the attacker used a rounding error to borrow large amounts of funds with minimal collateral. This successful hack highlights the importance of thorough code audits and robust security measures in the decentralized finance space.
Unraveling the Staggering $20 Million Sonne Finance Hack: A DeFi Odyssey of Vulnerability and Exploitation
In the annals of decentralized finance (DeFi), the recent hack of Sonne Finance stands as a sobering reminder of the potential pitfalls lurking within the burgeoning realm of blockchain technology. A cunning attacker, exploiting a complex vulnerability, managed to siphon approximately $20 million from the company's coffers, casting a shadow over the industry's security landscape.
The Path to Compromise: A Multi-Layered Attack
The attack played out over several days, with the attacker meticulously targeting a backdoor in Sonne Finance's integration with the Optimism network. That integration, designed to enable VELO transactions on the network, had been put in place through a series of transactions orchestrated from the company's multi-signature (multi-sig) wallet.
The multi-sig wallet, however, featured a built-in security measure: a two-day time lock. This delay was intended to provide an additional layer of protection by ensuring that transactions would not be executed immediately.
A Stealthy Maneuver: Exploiting the "c-Factor"
With the two-day lock period nearing its end, the attacker made a seemingly innocuous move: they transferred a minuscule amount of VELO (0.400000001 wei) to mint a mere 2 wei of soVELO. That transaction became the catalyst for the exploit that followed.
Unraveling the System's Imbalance
A significant amount of VELO (35,469,150 VELO), borrowed from the AMM liquidity pool, was then sent into the market of the newly minted soVELO derivative token. Surprisingly, this transfer did not result in the minting of any additional soVELO tokens, creating a severe imbalance: the total liquidity in the system surged, while the total supply of soVELO remained unchanged at a mere 2 wei.
Leveraging this imbalance, the attacker skillfully exploited a rounding error in the division calculations. This error allowed them to borrow a staggering 265 wei of Wrapped Ethereum (WETH) with just two wei of soVELO as collateral.
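As an added illustration (not code from the article, nor Sonne Finance's own), the toy model below reproduces the supply-versus-liquidity imbalance described in the two paragraphs above, assuming soVELO follows the Compound-style convention in which a derivative token is worth the market's underlying cash divided by its total supply (an assumption; the article does not state the formula) and a 50% collateral factor. It contrasts the near-empty market from the article with a hypothetical market seeded with "dead" soTokens at creation, a common guard against this class of imbalance.

```python
MANTISSA = 10**18          # fixed-point scale used for the exchange rate
VELO = 10**18              # wei per VELO (assumes 18 decimals; constructed for this model)


def exchange_rate(cash: int, total_supply: int) -> int:
    """Underlying wei per soToken, scaled by MANTISSA, truncated like on-chain integer math."""
    if total_supply == 0:
        raise ValueError("market holds no soTokens")
    return cash * MANTISSA // total_supply


def borrow_capacity(so_balance: int, cash: int, total_supply: int, c_factor_bps: int) -> int:
    """Underlying wei a holder of so_balance soTokens may borrow, given a collateral factor in bps."""
    underlying = so_balance * exchange_rate(cash, total_supply) // MANTISSA
    return underlying * c_factor_bps // 10_000


def simulate(seed_supply: int, donation: int, c_factor_bps: int = 5_000) -> dict:
    """Market state after a 2-wei soVELO mint is followed by a donation of `donation` wei.

    seed_supply models 'dead' soTokens minted to a burn address when the market is created
    (a hypothetical guard, not something the article describes); 0 reproduces the
    near-empty market from the article.
    """
    supply = seed_supply + 2            # the attacker's 2 wei of soVELO from the article
    cash = 4 * 10**17 + 1               # constructed: a tiny initial deposit, in wei
    before = borrow_capacity(2, cash, supply, c_factor_bps)
    cash += donation                    # liquidity surges, but no new soVELO is minted
    after = borrow_capacity(2, cash, supply, c_factor_bps)
    return {
        "rate_after": exchange_rate(cash, supply),
        "capacity_before": before,
        "capacity_after": after,
        "attacker_share_pct": 100 * 2 / supply,
    }


if __name__ == "__main__":
    donation = 35_469_150 * VELO        # the 35,469,150 VELO figure from the article
    empty = simulate(0, donation)
    seeded = simulate(10**8, donation)
    print(f"empty market : 2 wei soVELO now backs {empty['capacity_after'] / VELO:,.1f} VELO of borrowing")
    print(f"seeded market: the same 2 wei backs {seeded['capacity_after'] / VELO:.6f} VELO")
```

In the empty market the 2 wei of soVELO represent 100% of supply, so the entire donated pool counts as the attacker's collateral; with seeded supply the same 2 wei are a negligible share and the donation mostly accrues to the burned tokens.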
A Cascade of Drained Assets
The attacker's exploit did not end there. They continued to manipulate the system, draining assets from various sources. The stolen assets included a substantial amount of VELO, WETH, USDC, WBTC, wstETH, and USDT.
A Wake-Up Call for DeFi Security
The Sonne Finance hack exposes a fundamental weakness in the DeFi ecosystem and the need for rigorous code auditing and robust failsafe mechanisms to protect digital assets. That the attack succeeded on the strength of a seemingly minor rounding error underscores the importance of thorough security measures.
Organizations operating in the DeFi space must prioritize the implementation of stringent security protocols, including frequent code auditing, real-time monitoring, and comprehensive risk assessments. Only by embracing a proactive approach to security can the industry mitigate the risks and ensure the long-term viability of DeFi.