DeFi protocols Sonne Finance and ALEX Lab lose over $24 million in separate hacks
Sonne Finance exploited
Decentralized liquidity provider Sonne Finance fell victim to a $20 million exploit on its Optimism network-based USDC and Wrapped Ethereum (WETH) contracts, according to blockchain security firm Cyvers.
In a May 15 statement, the DeFi protocol confirmed the incident and attributed the exploit to a donation attack on its Compound v2 forks. It stated:
“We avoided the issue in the past, by adding the markets with 0% collateral factors, adding collateral and burn them, only then increase the c-factors according to the proposals.”
However, an attempt to integrate VELO into the Optimism market allowed the attacker to exploit the protocol unnoticed, resulting in the loss.
Meanwhile, security experts prevented an additional $6.5 million theft by injecting $100 VELO as collateral into the soVELO pool.
Sonne Finance has expressed readiness to offer a bounty to the attacker as efforts to recover the funds continue.
Following the theft, the price of SONNE, a digital asset connected to the project, fell by more than 60% to $0.02617 as of press time.
Bitcoin DeFi project loses over $4 million
ALEX Lab, a Bitcoin DeFi application, lost over $4 million in various tokens to a hacking incident earlier today.
Blockchain security firm CertiK reported that the attackers likely gained access to the private key controlling ALEX’s XLink bridge. This service enables users to transfer tokens across different blockchains.
The hacker successfully moved approximately $300,000 worth of BTC, $3.3 million in stablecoins, and $75,000 of Sugar Kingdom tokens.
ALEX Lab developers confirmed the hack and asserted that they had identified the attacker. The team also stated:
“A significant amount of the funds associated with the hacker has been frozen by major exchanges, preventing further misuse.”
Nevertheless, the project offered a 10% bounty to the hacker, adding that:
“ALEX assures that upon compliance, there will be no further pursuit or law enforcement involvement. This offer stands until 18 May at 0800 UTC. The individual responsible should contact [email protected].”