A seasoned crypto attacker exploited Sonne Finance's integration of VELO with the Optimism network, draining roughly $20 million from the company within two days. By manipulating the protocol's "c-factor", the attacker leveraged a rounding error to borrow large sums against minimal collateral. The success of the hack underscores the importance of thorough code audits and robust security measures in decentralized finance.
Unraveling the Staggering $20 Million Sonne Finance Hack: A DeFi Odyssey of Vulnerability and Exploitation
In the annals of decentralized finance (DeFi), the recent hack of Sonne Finance stands as a sobering reminder of the pitfalls lurking within the still-young world of blockchain technology. A cunning attacker, exploiting a complex vulnerability, managed to siphon approximately $20 million from the company's coffers, casting a shadow over the industry's security landscape.
The Path to Compromise: A Multi-Layered Attack
The attack played out over several days, with the attacker meticulously targeting the backdoor of Sonne Finance's integration with the Optimism network. This integration, designed to enable VELO transactions on the network, was being carried out through a series of transactions submitted from the company's multi-signature (multi-sig) wallet.
The multi-sig wallet, however, featured a built-in security measure: a two-day time lock. This delay was intended to provide an additional layer of protection by ensuring that transactions would not be executed immediately.
A Stealthy Maneuver: Exploiting the "c-Factor"
With the two-day lock period nearing its end, the attacker made a seemingly innocuous move: they deposited a minuscule amount of VELO (0.400000001 wei), minting a mere 2 wei of soVELO. This transaction, however, became the catalyst for the subsequent exploit.
Unraveling the System's Imbalance
The attacker then moved a significant amount of VELO (35,469,150 VELO), borrowed from the AMM liquidity pool, into the newly created soVELO market (soVELO being the derivative token that represents deposits). Surprisingly, this transfer did not mint any additional soVELO, creating a severe imbalance: the total liquidity in the market surged, while the total supply of soVELO remained unchanged at a mere 2 wei.
Leveraging this imbalance, the attacker exploited a rounding error in the protocol's division calculations. With 2 wei of soVELO now backed by the entire pool, the error allowed them to borrow a staggering 265 wei of Wrapped Ethereum (WETH) against just two wei of soVELO as collateral.
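To make the imbalance concrete, here is an added example (my own Python model of Compound v2-style exchange-rate arithmetic, not Sonne Finance's contract code): a dust deposit yields 2 wei of shares, a donation that mints nothing makes those shares worth the whole pool, and a seeded, locked initial supply (an assumed mitigation) together with a minimum-supply guard before enabling a collateral factor (the "c-factor" the article refers to, taken here to mean Compound's collateral factor) keeps one share's value, and therefore the rounding slack, negligible. The deposit figures, the `INITIAL_EXCHANGE_RATE` constant and the guard threshold are constructed assumptions.

```python
WAD = 10**18
INITIAL_EXCHANGE_RATE = 2 * 10**26  # Compound v2 default (0.02 scaled by 1e28) for an 18-decimal asset; assumed

class CTokenMarket:
    """Integer model of a Compound v2-style cToken market; all amounts are in wei."""

    def __init__(self, seed_underlying=0):
        self.cash = 0
        self.total_supply = 0
        # Assumed mitigation: seed the market and keep these shares locked, so total_supply
        # can never be small enough for a donation to make one share worth the whole pool.
        self.locked_shares = self.mint(seed_underlying) if seed_underlying else 0

    def exchange_rate(self):
        # exchangeRate = cash * 1e18 / totalSupply (borrows and reserves omitted for brevity)
        if self.total_supply == 0:
            return INITIAL_EXCHANGE_RATE
        return self.cash * WAD // self.total_supply

    def mint(self, amount):
        tokens = amount * WAD // self.exchange_rate()  # floor division, exactly as the EVM does it
        self.cash += amount
        self.total_supply += tokens
        return tokens

    def donate(self, amount):
        # Underlying sent straight to the contract: cash rises, but no shares are minted.
        self.cash += amount

    def share_value(self, tokens):
        # What a collateral check prices `tokens` shares at, denominated in underlying.
        return tokens * self.exchange_rate() // WAD

def rounding_slack(market):
    """Underlying value of a single share: the most a floor-rounded redeem can give away."""
    return market.exchange_rate() // WAD

def safe_to_enable_collateral(market, min_supply):
    """Guard an operator should apply before setting a non-zero collateral factor (c-factor)."""
    return market.total_supply >= min_supply

def simulate(seed_underlying):
    """Replay the article's sequence on an unseeded (0) or seeded market; constructed figures."""
    m = CTokenMarket(seed_underlying)
    shares = m.mint(400_000_001)                 # dust deposit: mints just 2 wei of soVELO-like shares
    guard_ok = safe_to_enable_collateral(m, min_supply=10**6)
    m.donate(35_469_150 * WAD)                   # donation sized like the article's 35,469,150 VELO
    return shares, m.share_value(shares), rounding_slack(m), guard_ok
```

In the unseeded run the two shares are priced at the entire donated balance and the guard rejects the market; in the seeded run the same donation leaves one share worth a negligible amount.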
A Cascade of Drained Assets
The attacker's exploit did not end there. They continued to manipulate the system, draining assets from various sources. The stolen assets included a substantial amount of VELO, WETH, USDC, WBTC, wstETH, and USDT.
A Wake-Up Call for DeFi Security
The Sonne Finance hack exposes a fundamental weakness in the DeFi ecosystem and the need for rigorous code auditing and robust failsafe mechanisms to protect digital assets. The success of the attack, stemming from a seemingly minor rounding error, underscores the importance of thorough security measures.
Organizations operating in the DeFi space must prioritize the implementation of stringent security protocols, including frequent code auditing, real-time monitoring, and comprehensive risk assessments. Only by embracing a proactive approach to security can the industry mitigate the risks and ensure the long-term viability of DeFi.