DeFi
Major lending protocol hit by $20 million hack; Bitcoin DeFi tool loses $4.3 million
In a series of alarming incidents, two prominent decentralized financiers (Challenge), Sonne Finance and ALEX Lab, were targets of sophisticated hacks, resulting in a combined loss of $24.3 million in cryptocurrencies.
Sonne Finance halted operations after a $20 million exploit, while ALEX Lab lost $4.3 million due to a suspected private key compromise. The two platforms are now engaged in a race to recover their stolen assets and prevent future breaches.
Sonne Finance: $20 million heist
Lending protocol Sonne Finance was forced to suspend operations after suffering a hack that drained $20 million worth of cryptocurrencies from the market.
The attack, which targeted Sonne Finance’s USD Coin (USDC) and Wrapped Ether (WETH) contracts, was detected on May 14 by Web3 Cyvers security company.
Sonne Finance announced the suspension of all markets on Optimism (P.O.) blockchain to mitigate further damage. In partnership with Cyvers, the protocol is actively investigating the breach and exploring options to recover the stolen funds, including negotiating a bug bounty with the hacker. ‘
However, blockchain investigator PeckShield reported that the hacker had already moved a substantial portion of the loot ($7.8 million) to a new location. wallet address.
The hacker then traded 59 Wrapped BTC (WBTC) for approximately 1,185 Ether (ETH) and 183,000 Dai (DAI), indicating the intention to use a privacy protocol such as Tornado Cash to obscure the transaction trail.
Exploit Details
According to incident analysis Per Certik, the attack exploited a known bug in Sonne’s Compound v2 forks via a donation attack, manipulating the platform’s exchange rates by donating large amounts of cryptocurrency.
This manipulation caused the system to overestimate its collateral, allowing the hacker to siphon off millions. Block Explorer data showed that the attacker transferred millions of BIKEETH, USDC following manipulation, subsequently converting them into $8 million in Bitcoin and Ether.
The SONNE token has since fallen by 60%, significantly reducing its market capitalization to $20 million, although developers managed to prevent further rise. $6.5 million to be siphoned off once the attack has been identified.
ALEX Lab: $4.3 million compromise
Simultaneously, ALEX Lab, a Bitcoin Challenge tool, was drained of over $4.3 million in various tokens due to suspected private key compromise. Security researchers at CertiK revealed that the attackers likely obtained a private key controlling ALEX’s XLink bridge, a service facilitating token transfers between different blockchains.
We have observed a suspicious transaction affecting @ALEXLabBTC
Early evidence suggests possible private key compromise.
Deployer upgrades 0xb3955302E58FFFdf2da247E999Cd9755f652b13b to suspicious implementation.
In total, approximately $4.3 million in assets have… pic.twitter.com/02kiw2dFrm
– CertiK Alert (@CertiKAlert) May 14, 2024
The breach resulted in the loss of over $300,000 worth of Bitcoin, or $3.3 million. stable coinsand $75,000 in Sugar Kingdom Tokens (SKO).
ALEX developers confirmed the hack and claimed to know the identity of the attacker, offering a 10% bounty for the return of 90% of the stolen funds. Major Exchanges have since frozen funds associated with the hacker to prevent further misuse.
The recent hacks of Sonne Finance and ALEX Lab highlight the ongoing security challenges facing DeFi platforms.
As these platforms work to recover stolen assets and improve their security frameworks, the incidents are a stark reminder of the vulnerabilities inherent in the rapidly evolving DeFi landscape.