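Sonne Finance, a decentralized lending protocol, suffered a $20 million attack that sent its SONNE token down 60%. The attack exploited a vulnerability in the protocol's Compound v2 fork, allowing the hacker to manipulate markets and steal various tokens, including ether, velo, and stablecoins. Sonne Finance paused operations on Optimism, but its markets on Base were not affected, and the protocol is working to recover the stolen funds.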
Sonne Finance Exploited for $20 Million, Native Token SONNE Plummets 60%
May 15, 2024
Initial Report
Sonne Finance, a decentralized lending protocol operating on the Optimism and Base blockchains, has become the victim of a $20 million exploit that has caused its native SONNE token to plummet by a staggering 60%. The attack, executed on Wednesday, leveraged a vulnerability in the protocol's Compound v2 fork, allowing the perpetrator to manipulate markets and siphon off various tokens, including ether, velo, and stablecoins.
Exploit Details
The attack unfolded as a "donation attack," whereby the perpetrator manipulated the exchange rate between two tokens by inflating the value of donated cryptocurrency. This deception misled the platform into believing it had more collateral than actually available, paving the way for the attacker to withdraw funds unhindered. Blockchain data indicates that the assailant successfully transferred millions of VELO, ether, and USD Coin (USDC) following the manipulation. The attacker subsequently converted $8 million of the stolen funds into bitcoin and ether, transferring them to a newly created wallet address in the early hours of the morning.
Chronology of Events
The exploit occurred shortly after Sonne Finance introduced token markets for Velodrome Finance's VELO, a decision prompted by a community proposal. The attacker capitalized on a two-day timelock to execute four transactions, creating markets and assigning collateral factors. Timelocks are smart contracts that automatically execute transactions at a predetermined time, in this case, two days after being activated.
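A simplified model of the exchange-rate accounting behind the donation problem described above, written as a pre-listing check a reviewer could run before a timelocked proposal assigns a collateral factor. This is an added example, not code from the article or from Sonne Finance; the `Market` fields, thresholds and sample values are assumptions, and the rate formula follows Compound v2's (cash + borrows - reserves) / total supply.

```python
from dataclasses import dataclass, replace
from fractions import Fraction

@dataclass(frozen=True)
class Market:
    """Simplified Compound v2-style market; field names are assumptions."""
    cash: int           # underlying tokens held by the market contract
    borrows: int        # underlying currently lent out
    reserves: int       # underlying set aside for the protocol
    total_supply: int   # deposit-receipt shares outstanding
    collateral_factor: Fraction

def exchange_rate(m: Market) -> Fraction:
    """Underlying per share. Cash is the contract's live token balance,
    so a plain transfer ("donation") raises the rate without minting shares."""
    if m.total_supply == 0:
        return Fraction(1)  # constructed initial rate for an empty market
    return Fraction(m.cash + m.borrows - m.reserves, m.total_supply)

def donation_sensitivity(m: Market, probe: int) -> Fraction:
    """Factor by which a direct transfer of `probe` units multiplies the rate."""
    return exchange_rate(replace(m, cash=m.cash + probe)) / exchange_rate(m)

def listing_findings(m: Market, min_supply: int, probe: int,
                     max_factor: Fraction) -> list[str]:
    """Pre-listing review: run before a timelocked proposal sets a
    non-zero collateral factor on a market."""
    findings = []
    if m.collateral_factor > 0 and m.total_supply < min_supply:
        findings.append("collateral enabled on a near-empty market")
    if m.total_supply > 0 and donation_sensitivity(m, probe) > max_factor:
        findings.append("exchange rate overly sensitive to direct transfers")
    return findings

# Constructed sample markets (not on-chain data).
NEW_MARKET = Market(cash=2, borrows=0, reserves=0, total_supply=2,
                    collateral_factor=Fraction(35, 100))
SEEDED_MARKET = Market(cash=10**9, borrows=0, reserves=0, total_supply=10**9,
                       collateral_factor=Fraction(35, 100))

if __name__ == "__main__":
    for name, m in (("new", NEW_MARKET), ("seeded", SEEDED_MARKET)):
        print(name, float(donation_sensitivity(m, 10**6)),
              listing_findings(m, 10**6, 10**6, Fraction(11, 10)))
```

The same probe that barely moves the seeded market's rate multiplies the near-empty market's rate several hundred thousand times, which is why a market with almost no deposits should not carry a non-zero collateral factor.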
Response and Impact
Sonne Finance's developers responded swiftly, mitigating the damage and suspending all markets on the Optimism blockchain. The protocol's markets on the Base blockchain remained operational, as the exploit specifically targeted the Optimism version of the platform. The incident has had a severe impact on the value of SONNE, which has plummeted by 60% to 2.5 cents, reaching its lowest value in over a year. This decline has reduced the token's market cap to $20 million, despite the developers' efforts to prevent the theft of an additional $6.5 million upon discovering the attack.
Stolen Funds and Bounty Offer
Sonne Finance has stated that it is actively pursuing the recovery of the stolen funds and has offered a bounty to the attacker in exchange for their return. However, the attacker has already transferred a significant portion of the loot, approximately $7.8 million worth of cryptocurrencies, to a new wallet address, suggesting a lack of willingness to negotiate.
Security Concerns and Community Reaction
The exploit has sparked concerns about the security vulnerabilities of decentralized lending protocols and the risks associated with adopting forked versions of existing platforms. Some members of the crypto community have criticized Sonne Finance for relying on Compound v2 despite its known security flaws, with one individual speculating that the exploit may have been a premeditated backdoor.
Conclusion
The $20 million exploit targeting Sonne Finance serves as a reminder of the ongoing security challenges faced by decentralized lending protocols. As the industry continues to evolve, protocols must prioritize robust security measures and transparent practices to safeguard user funds. The investigation into this incident is ongoing, and it remains to be seen whether the stolen funds will be recovered and the attacker apprehended.