Preventing DeFi Exploits: A Case Study on the Sonne Finance Hack

In the decentralized finance (DeFi) space, security remains a significant concern as high-profile hacks and exploits continue to occur. One such incident involved Sonne Finance, a fork of the Compound protocol, which lost over $20 million due to a vulnerability.

In this article, we will dive into the details of the Sonne Finance exploit, but not only that. We will demonstrate how to reproduce the attack on Binance Smart Chain and introduce Phalcon, a powerful tool designed to prevent such attacks in real time.

To see how we reproduced and blocked the hack in real life, watch the video below:

The Sonne Finance Exploit: A Detailed Breakdown

Sonne Finance, operating as a decentralized lending protocol on Binance Smart Chain, was built on the Compound protocol. The exploit that led to the loss of over $20 million exploited a specific vulnerability within the protocol.

The vulnerability allowed an attacker to manipulate the protocol’s underlying logic, enabling unauthorized withdrawals of funds. This was achieved by taking advantage of a flaw in how the protocol handled collateral and liquidity calculations.

The exploit was executed through a series of complex governance actions and transactions, which manipulated pool prices and collateral ratios, ultimately allowing the attacker to drain funds from the protocol. Read more about the technical details here.

Introducing Phalcon: A Real-Time Defense Mechanism

Phalcon is a powerful tool designed to prevent DeFi exploits like the one experienced by Sonne Finance. It operates by continuously monitoring transactions and identifying potential attacks before they are executed.

How Phalcon Works:

Attack Detection Engine: Phalcon uses an advanced detection engine that analyzes transaction patterns to identify suspicious activities. It stimulates transaction execution and tries to identify if the protocol is going to be exploited before the transaction is actually mined.

Safe Wallet Integration: The tool integrates with Safe Wallets, which are multi-signature wallets designed to secure funds. Phalcon allows preparing defense transactions using Safe modules.

Real-Time Protection: Phalcon operates in real-time, allowing it to detect and prevent exploits before they can cause significant harm.

Configuring Phalcon to Prevent the Sonne Finance Exploit

Now, we will replicate the environment in which the attack occurred. By deploying a clone of Sonne Finance’s vulnerable protocol on Binance Smart Chain, we will reproduce the attack and analyze its mechanics.

To demonstrate Phalcon’s effectiveness, we configured the tool in a way that would have prevented the Sonne Finance exploit.

Part 1: Setting Up the Environment

• We’ve prepared in advance a repository with the vulnerable protocol with Foundry.
• We created and funded a Metamask wallet and exported the private keys so we could use them to both deploy the protocol and hack it later.

Deploying the Vulnerable Protocol:

• We deployed the vulnerable protocol to BSC including all the relevant contracts such as CToken contracts, Unitroller (controller), and other essential components like the Timelock contract that is used to schedule and execute operations.

For the demonstration, we’ve created a mock token (e.g., Wrapped ETH or any ERC-20 token) and added liquidity to simulate the market conditions.

Part 2: Reproducing the Hack

Understanding the Vulnerability:

• The hack relies on a rounding error in the compound protocol, particularly when there’s an empty market.
• A donation attack can exploit this rounding error, leading to the draining of other pools.

Preparing the Exploit Contract:

We’ve created a contract that will execute the exploit. This contract will simulate the attack by interacting with the vulnerable protocol. The exploit contract is designed to trigger the rounding error by making a small donation and then exploiting the logical flaw.

Deploying the Exploit Contract:

• We deployed the exploit contract to Binance Smart Chain, and we configured it to target a specific vulnerable market.

Executing the Exploit:

• We are launching the exploit in order to see if we can drain the WETH Market successfully, we observed the results and confirm that the exploit successfully drains funds from the target market.

Part 3: Configuring Phalcon

We logged into the Phalcon dashboard and prepared to monitor the vulnerable protocol:

We added the smart contracts we deployed (e.g., soWrappedETH market and Timelock contract) to Phalcon’s contract library so we can later on monitor the soWrappedETH contract, and send transactions to stop the market to the Timelock contract:

Creating Monitors:

We added a monitor for the soWrappedETH market. We configured it to watch for any borrow function invocations:

Then, we enabled Phalcon’s automated attack detection engine to filter for potential attacks:

Creating Actions:

We’ve set up actions that will trigger when an attack is detected. These actions involve pausing the protocol to prevent further exploitation.

We can integrate Phalcon with our Safe wallet which controls the Protocol Timelock contract. Phalcon will install a Safe Module to use this smart wallet to sign and execute transactions automatically. This will allow Phalcon to execute defense actions automatically when an attack is detected:

We’ve set up a strategy for front-running the attack by sending a pause transaction with a higher gas price of the original attack transaction:

Linking Monitors to Actions:

We linked the monitor we created for the soWrappedETH market to the action we just set up.

Funding the Phalcon Relayer EOA Account:

We deposited some BNB into the Phalcon Relay EOA account to cover the gas fees required to execute transactions on Binance Smart Chain.

Part 4: Testing the Defense Mechanism

Triggering the Attack, Once Again:

We executed the exploit contract again, just as you did in Part 2 (Hopefully it will fail this time ??). This time, Phalcom should detect the malicious transaction, and hopefully, block it:

Attack Was Blocked!

Phalcon detects the attack and automatically triggers the pause action on the soWrappedETH market, as you can see the exploit script failed and the attack was prevented:

We can confirm that the attack is blocked and that no funds are drained from the protocol, we can see the the revert reason is “borrow is paused” which essentially means that the market is paused:

Finalizing and Reviewing

We can always check the logs and transaction history in Phalcon to ensure everything works as expected.

The test that we performed in the video shows how Phalcon can be tailored to protect against similar vulnerabilities, offering DeFi protocols a robust defense mechanism.

Conclusion

Sonne Finance exploit serves as a reminder of the vulnerabilities that exist within DeFi protocols. By understanding the mechanics of such exploits and employing tools like Phalcon, developers and protocol founders can significantly reduce the risk of similar attacks.

Phalcon is an advanced tool that you can start using now to protect your users’ funds. Sign up to test the tool, and get a 7-day free trial and a $1,000 discount by using this link or a referral code “JohnnyTime”.