Sonne Finance experienced a $20 million exploit after a hacker gained unauthorized access to sensitive financial data. The hacker made off with the funds and subsequently vanished.

Following a devastating hack that drained $20 million in cryptocurrencies, lending protocol Sonne Finance was forced to suspend operations. Around 10:30 pm UTC on May 14, security firm Cyvers detected an ongoing attack on Sonne Finance’s USD and Wrapped Ether (WETH) contracts, initially stealing just $3 in cryptocurrency. However, the protocol was not alerted until 25 minutes later, by which time the hackers had already made off with $20 million worth of WETH, Velo (VELO), soVELO, and Wrapped USDC (USDC.e).On May 15 at 12:11 a.m. UTC, Sonne Finance made a brief announcement on their platform, stating that all markets on Optimism had been temporarily halted and those on Base were safe. They promised to provide further updates in due course. Subsequently, the protocol collaborated with Cyvers to investigate the incident further.Three hours after their initial announcement, Sonne Finance elaborated on the situation in a press release. The attack exploited a known donation attack vulnerability on Compound v2 forks. The protocol had previously implemented measures to mitigate this issue, including reducing collateral factors, adding collateral, and burning tokens. However, a recent proposal to integrate VELO markets was approved with transactions scheduled on a multi-sig wallet with a 2-day timelock. The exploit occurred when the timelock expired, allowing the hacker to execute transactions for market creation and adding collateral factors.Sonne Finance estimated that the hacker had made off with $20 million, but managed to recover $6.5 million by adding $100 worth of VELO to the markets. The protocol is actively pursuing measures to recover the stolen funds and is considering offering a bug bounty for information leading to their return. Typically, a 10% reward would be offered for identifying security vulnerabilities. However, it appears unlikely that the hacker will comply with this offer, as blockchain investigator PeckShield tracked them transferring $7.8 million to a new wallet address.The hacker then swapped 59 WBTC for approximately 1,185 Ether and 183,000 Dai, hinting at their intention to launder the stolen funds through a privacy protocol like Tornado Cash.Tornado Cash stands as an open-source cryptocurrency tumbler, also known as a “crypto mixer.” Designed to obscure the origins of transactions, it has gained popularity among hackers seeking to launder stolen funds. Notably, over $77 million in assets were processed through Tornado Cash contracts in October 2023. While initially intended for legitimate purposes, its widespread use in illicit activities has led to regulatory scrutiny.The United Nations sanctions monitors have identified North Korea as a major user of Tornado Cash for laundering stolen cryptocurrency, with an estimated $147.5 million in illicit funds laundered through the platform. Many high-profile crypto hacks have also utilized Tornado Cash for money laundering purposes. This has prompted the US Treasury to impose sanctions on the platform in August 2022, leading to charges of money laundering and sanctions violations for its founders a year later.While opinions within the crypto community diverge regarding the use of privacy tools, there is a consensus against persecuting developers solely for creating such applications. Despite a decline in crypto-related frauds and scams, it remains crucial for users to be well-informed about how to safeguard themselves from digital asset crime.