The lending protocol Sonne Finance recently experienced a security breach that resulted in the theft of $20 million in cryptocurrencies, including WETH and USDC. The attack was detected by Web3 security firm Cyvers, who initially reported only $3 million stolen, but by the time Sonne Finance became aware of the situation, the total amount taken had reached $20 million. Sonne Finance paused all markets on Optimism but assured users that markets on Base were safe. They also announced a partnership with Cyvers to investigate the breach further.
The exploit on Sonne Finance occurred through a known donation attack on Compound v2 forks on the Optimism chain. Despite measures in place to prevent such incidents, a recent proposal to integrate VELO markets into Sonne resulted in the hacker being able to exploit the protocol for $20 million. However, $6.5 million was saved by adding $100 worth of VELO to the markets. Sonne Finance is currently working to recover the stolen funds and has offered a bug bounty for their return, with a promise not to pursue the issue further if the funds are returned. However, it appears unlikely that the hacker will comply, as they have already moved a portion of the stolen funds to a new wallet address.
After moving some of the stolen funds to a new address, the hacker then exchanged WBTC for Ether and Dai, indicating a possible intent to launder the funds through a privacy protocol like Tornado Cash. Tornado Cash is a cryptocurrency tumbler or mixer that obscures the path of crypto transactions, making it difficult to trace the original source of funds. While originally created for privacy purposes, hackers often use these services to launder stolen funds through decentralized exchange platforms. Tornado Cash has been linked to various illicit activities, including instances where hackers have used the platform to launder millions of dollars in stolen cryptocurrency.
The adoption of privacy tools like Tornado Cash has raised concerns within the crypto community, with some arguing against the persecution of developers solely for creating such applications. Although crypto-related frauds and scams are on the decline, users need to be educated on how to protect themselves from crypto crimes. The United Nations sanctions monitors have noted instances where Tornado Cash was used for money laundering, leading to sanctions being imposed on the platform in 2022. Despite the controversy surrounding privacy tools in the crypto space, it is essential for users to be aware of the risks and take necessary precautions to safeguard their funds.
