Full Report
Compound and Aave both have a bug that allows the entire protocol to be drained IF there's an empty market open. Apparently, this has destroyed a large number of forks. Sonne was aware of this issue and had a mitigation strategy. First, use a timelock to add a market. Second, add the funds. Finally, have the timelock open up the market for use. If followed in this order, it would be totally fine.

Sonne queued all of the multisig operations as separate operations in the timelock. Since there was no order that had to be followed, this was a problem. Anybody could come and execute these in any order they wanted. The attacker executed the TWO timelock operations without adding funds in between. With this, the Compound/Aave bug could be exploited once again, as before. What should have been done better? Governance actions that must happen in a certain order must have restrictions on the ordering. For OpenZeppelin's timelock, scheduleBatch() can be used. Overall, interesting hack for 20M!
Analysis Summary
# Incident Report: Sonne Finance $20M Governance Exploitation
## Executive Summary
Sonne Finance, a decentralized lending protocol, was exploited for approximately $20 million due to a vulnerability in how scheduled governance actions were executed. While the protocol intended to patch a known Compound/Aave "empty market" bug by using a timelock to sequence market creation and funding, the lack of enforced ordering allowed an attacker to execute the transactions out of sequence. This re-exposed the protocol to the empty market bug, leading to the total drain of the newly opened markets.
## Incident Details
- **Discovery Date:** May 14/15, 2024
- **Incident Date:** May 14/15, 2024
- **Affected Organization:** Sonne Finance
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Distributed
## Timeline of Events
### Initial Access
- **Date/Time:** May 2024 (exact timestamp per blockchain logs)
- **Vector:** Exploitation of Governance Logic / Timelock Vulnerability.
- **Details:** The Sonne multisig queued several transactions in a timelock to launch new markets. These included creating the market and adding initial liquidity.
### Lateral Movement
- **N/A:** The attack was primarily an atomic or sequential smart contract interaction rather than lateral movement through a traditional IT network.
### Data Exfiltration/Impact
- **Loss:** $20,000,000 USD equivalent in various crypto assets.
- **Method:** The attacker monitored the timelock and observed that the "add market" and "add funds" operations were queued as independent, unordered actions.
### Detection & Response
- **Detection:** Detected via on-chain monitoring and sudden liquidity drops.
- **Response:** Post-incident analysis revealed the failure of the timelock's sequencing logic.
## Attack Methodology
- **Initial Access:** Observation of publicly queued timelock transactions.
- **Persistence:** Not applicable (exploit-based).
- **Privilege Escalation:** Exploiting the "executor" permission of the timelock, which allowed any user to trigger matured transactions.
- **Defense Evasion:** Executing transactions immediately upon timelock maturation.
- **Credential Access:** N/A.
- **Discovery:** Identifying that the timelock lacked a `scheduleBatch` or dependency requirement between transactions.
- **Lateral Movement:** N/A.
- **Collection:** Draining of the decentralized protocol reserves.
- **Exfiltration:** Transfer of assets to attacker-controlled Ethereum/Optimism addresses.
- **Impact:** Re-introduction of the "Empty Market Bug" by executing the "Open Market" transaction *before* the "Add Funds/Collateral" transaction.
## Impact Assessment
- **Financial:** Lost $20M in protocol TVL (Total Value Locked).
- **Data Breach:** None (Public blockchain transaction data only).
- **Operational:** Protocol functionality suspended or severely impaired for the affected markets.
- **Reputational:** Significant loss of user trust; highlights risks in fork-based DeFi protocols.
## Indicators of Compromise
- **Network indicators:** hXXps[:]//optimistic[.]etherscan[.]io/ (block explorer; review transactions involving the Sonne timelock).
- **Behavioral indicators:** Execution of governance timelock transactions in an order inconsistent with the protocol's intended deployment strategy.
## Response Actions
- **Containment:** Pause of protocol functions where possible.
- **Eradication:** Identification of the logic flaw in the timelock implementation.
- **Recovery:** Ongoing investigation into asset recovery and potential compensation plans.
## Lessons Learned
- **Key Takeaways:** Even if a protocol has a mitigation strategy for a known bug, the implementation of that strategy (the governance layer) can introduce new vulnerabilities.
- **What could have been done better:** The multisig should have utilized atomic batching for transactions that are functionally dependent on each other to prevent sandwiching or reordering by third parties.
## Recommendations
- **Transaction Batching:** Use `scheduleBatch()` in OpenZeppelin-style Timelocks to ensure multiple transactions are executed together or not at all.
- **Enforced Sequencing:** If transactions must be separate, implement state checks (e.g., Transaction B cannot execute unless Transaction A's state is finalized).
- **Governance Audit:** Security audits must include the governance and timelock logic, not just the core financial smart contracts.
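The flawed scheduling described in the report beside the two fixes recommended above (atomic batching, and enforced sequencing via the timelock's own predecessor check), as an added Solidity example that is not Sonne's or OpenZeppelin's code. It targets OpenZeppelin's `TimelockController` and assumes a hypothetical `IMarketAdmin` interface and a hypothetical `MarketLaunchProposer` contract holding `PROPOSER_ROLE`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {TimelockController} from "@openzeppelin/contracts/governance/TimelockController.sol";

// Hypothetical admin interface of the lending protocol (placeholder names, not Sonne's ABI).
interface IMarketAdmin {
    function addMarket(address market) external;                     // step 1: list the market
    function seedLiquidity(address market, uint256 amount) external;  // step 2: fund it
    function openMarket(address market) external;                    // step 3: enable use
}
// Hypothetical proposer helper; it must hold PROPOSER_ROLE on the timelock.
contract MarketLaunchProposer {
    TimelockController public immutable timelock;
    address public immutable admin; // protocol admin contract implementing IMarketAdmin
    constructor(TimelockController _timelock, address _admin) { timelock = _timelock; admin = _admin; }
    // Build the three calls in the only safe order: list, fund, open.
    function _calls(address market, uint256 seed)
        internal view returns (address[] memory t, uint256[] memory v, bytes[] memory p) {
        t = new address[](3); v = new uint256[](3); p = new bytes[](3);
        t[0] = t[1] = t[2] = admin;
        p[0] = abi.encodeCall(IMarketAdmin.addMarket, (market));
        p[1] = abi.encodeCall(IMarketAdmin.seedLiquidity, (market, seed));
        p[2] = abi.encodeCall(IMarketAdmin.openMarket, (market));
    }
    // Flawed pattern from the report: three independent operations (predecessor = 0).
    // Once the delay passes, any executor may run them in any order, e.g. open before seed.
    function scheduleSeparately(address market, uint256 seed, bytes32 salt, uint256 delay) external {
        (address[] memory t, uint256[] memory v, bytes[] memory p) = _calls(market, seed);
        for (uint256 i = 0; i < 3; i++)
            timelock.schedule(t[i], v[i], p[i], bytes32(0), keccak256(abi.encode(salt, i)), delay);
    }
    // Fix 1: one batch operation. executeBatch performs all three calls in index order
    // within a single transaction, so the market is never open while unfunded.
    function scheduleAsBatch(address market, uint256 seed, bytes32 salt, uint256 delay) external {
        (address[] memory t, uint256[] memory v, bytes[] memory p) = _calls(market, seed);
        timelock.scheduleBatch(t, v, p, bytes32(0), salt, delay);
    }

    // Fix 2: separate operations chained via predecessor. The timelock refuses to execute
    // step i+1 until step i is done, so the order is enforced on-chain rather than by convention.
    function scheduleChained(address market, uint256 seed, bytes32 salt, uint256 delay) external {
        (address[] memory t, uint256[] memory v, bytes[] memory p) = _calls(market, seed);
        bytes32 prev = bytes32(0);
        for (uint256 i = 0; i < 3; i++) {
            timelock.schedule(t[i], v[i], p[i], prev, salt, delay);
            prev = timelock.hashOperation(t[i], v[i], p[i], prev, salt);
        }
    }
}
```

With the batch form, an open-role executor (the `address(0)` grant that lets anyone execute matured operations) can only call `executeBatch` with the full list, and the whole operation reverts if any step fails.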