On May 14, at approximately 10:30 pm UTC, Web3 security firm Cyvers identified a cyberattack targeting Sonne Finance’s USD Coin (USDC) and Wrapped Ether (WETH) contracts. By the time Sonne Finance detected the breach 25 minutes later, the hacker had already made off with $20 million in WETH, Velo (VELO), soVELO, and Wrapped USDC (USDC.e).

In response, Sonne Finance paused all market activities on the Optimism network and collaborated with Cyvers to investigate the incident further. The protocol is considering various strategies to recover the stolen funds, including offering a bug bounty to the hacker. Typically, such negotiations involve the hacker returning most of the stolen assets in exchange for keeping around 10% as a reward for identifying security flaws.

However, the hacker appears uninterested in negotiating. According to blockchain investigator PeckShield, the perpetrator has already transferred a significant portion of the stolen assets, approximately $7.8 million, to a new wallet. The hacker then exchanged 59 WBTC for about 1,185 Ether and 183,000 Dai, indicating a possible plan to launder the funds through a privacy protocol like Tornado Cash.

Sonne Finance’s preliminary investigation suggests that the attack exploited a known vulnerability in Sonne’s Compound v2 forks, often referred to as a donation attack. A community member, PoorBabyCorn, criticized Sonne Finance for using Compound v2 despite the known risks, hinting at possible negligence or worse.

In a related incident, BlockTower Capital, a major crypto institutional investment firm, was also targeted and partially drained by a similar exploit. With $1.7 billion in assets under management, BlockTower has engaged blockchain forensic analysts to trace the stolen funds and understand the breach. As of now, the funds have not been recovered, and the hacker remains at large.

This isn't the first hit for BlockTower: in February 2023, the firm lost approximately $1.5 million in a $2 million exploit involving the multichain exchange aggregator Dexible. Most of the stolen funds in that incident belonged to large investors.

The ongoing investigations by Sonne Finance and BlockTower highlight the persistent vulnerabilities and challenges in securing DeFi protocols against sophisticated cyberattacks.