Sonne Finance Hit by $20 Million Attack, SONNE Token Crashes 60%

2024/05/16 17:01

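Sonne Finance, a decentralized lending protocol, suffered a $20 million attack that sent its SONNE token down 60%. The attack exploited a vulnerability in the protocol's Compound v2 fork, allowing the hacker to manipulate markets and steal various tokens, including ether, velo, and stablecoins. Sonne Finance paused operations on Optimism, but its markets on Base were unaffected, and the protocol is working to recover the stolen funds.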

Sonne Finance Exploited for $20 Million, Native Token SONNE Plummets 60%

May 15, 2024

Initial Report

Sonne Finance, a decentralized lending protocol operating on the Optimism and Base blockchains, has become the victim of a $20 million exploit that has caused its native SONNE token to plummet by a staggering 60%. The attack, executed on Wednesday, leveraged a vulnerability in the protocol's Compound v2 fork, allowing the perpetrator to manipulate markets and siphon off various tokens, including ether, velo, and stablecoins.

Exploit Details

The attack unfolded as a "donation attack," whereby the perpetrator manipulated the exchange rate between two tokens by inflating the value of donated cryptocurrency. This deception misled the platform into believing it had more collateral than actually available, paving the way for the attacker to withdraw funds unhindered. Blockchain data indicates that the assailant successfully transferred millions of VELO, ether, and USD Coin (USDC) following the manipulation. The attacker subsequently converted $8 million of the stolen funds into bitcoin and ether, transferring them to a newly created wallet address in the early hours of the morning.

Chronology of Events

The exploit occurred shortly after Sonne Finance introduced token markets for Velodrome Finance's VELO, a decision prompted by a community proposal. The attacker capitalized on a two-day timelock to execute four transactions, creating markets and assigning collateral factors. Timelocks are smart contracts that automatically execute transactions at a predetermined time, in this case, two days after being activated.
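The exchange-rate inflation described under Exploit Details, and why the order of the timelocked market-creation and collateral-factor transactions matters, shown as an added Python model (not Sonne's or Compound's code). It uses the Compound v2 exchange-rate formula; `MIN_SEED_SHARES`, the 1:1 initial rate, the 0.7 collateral factor and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from fractions import Fraction

MIN_SEED_SHARES = 10**6  # assumed policy threshold, not a Sonne or Compound constant

@dataclass
class Market:
    """Simplified Compound-v2-style market (constructed model, no interest accrual)."""
    cash: int = 0            # underlying tokens held by the market contract
    borrows: int = 0
    reserves: int = 0
    total_shares: int = 0    # cToken supply
    collateral_factor: Fraction = Fraction(0)

    def exchange_rate(self) -> Fraction:
        # Compound v2 formula: (cash + borrows - reserves) / totalSupply
        if self.total_shares == 0:
            return Fraction(1)  # initial rate, simplified to 1:1 in this model
        return Fraction(self.cash + self.borrows - self.reserves, self.total_shares)

    def mint(self, underlying: int) -> int:
        shares = int(underlying / self.exchange_rate())
        self.cash += underlying
        self.total_shares += shares
        return shares

    def donate(self, underlying: int) -> None:
        # A plain token transfer to the market: cash grows, share supply does not.
        self.cash += underlying

    def collateral_value(self, shares: int) -> Fraction:
        return shares * self.exchange_rate() * self.collateral_factor

def set_collateral_factor(market: Market, factor: Fraction) -> None:
    """Listing guard: never grant borrowing power on an unseeded market."""
    if factor > 0 and market.total_shares < MIN_SEED_SHARES:
        raise ValueError("seed the market before setting a collateral factor")
    market.collateral_factor = factor

def donation_gain(seed_shares: int, holder_deposit: int, donation: int) -> Fraction:
    """Collateral value a small holder gains from a donation, given locked seed shares."""
    m = Market()
    if seed_shares:
        m.mint(seed_shares)                # seed deposit whose shares stay locked
    m.collateral_factor = Fraction(7, 10)  # set directly so both cases are comparable
    held = m.mint(holder_deposit)
    before = m.collateral_value(held)
    m.donate(donation)
    return m.collateral_value(held) - before
```

In the unseeded case the whole donation is credited as the holder's collateral; with locked seed shares the same donation is spread across the seed and barely moves the holder's valuation.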

Response and Impact

Sonne Finance's developers responded swiftly, mitigating the damage and suspending all markets on the Optimism blockchain. The protocol's markets on the Base blockchain remained operational, as the exploit specifically targeted the Optimism version of the platform. The incident has had a severe impact on the value of SONNE, which has plummeted by 60% to 2.5 cents, reaching its lowest value in over a year. This decline has reduced the token's market cap to $20 million, despite the developers' efforts to prevent the theft of an additional $6.5 million upon discovering the attack.

Stolen Funds and Bounty Offer

Sonne Finance has stated that it is actively pursuing the recovery of the stolen funds and has offered a bounty to the attacker in exchange for their return. However, the attacker has already transferred a significant portion of the loot, approximately $7.8 million worth of cryptocurrencies, to a new wallet address, suggesting a lack of willingness to negotiate.

Security Concerns and Community Reaction

The exploit has sparked concerns about the security vulnerabilities of decentralized lending protocols and the risks associated with adopting forked versions of existing platforms. Some members of the crypto community have criticized Sonne Finance for relying on Compound v2 despite its known security flaws, with one individual speculating that the exploit may have been a premeditated backdoor.

Conclusion

The $20 million exploit targeting Sonne Finance serves as a reminder of the ongoing security challenges faced by decentralized lending protocols. As the industry continues to evolve, protocols must prioritize robust security measures and transparent practices to safeguard user funds. The investigation into this incident is ongoing, and it remains to be seen whether the stolen funds will be recovered and the attacker apprehended.
