Preventing DeFi Exploits: A Case Study on the Sonne Finance Hack
Johnny Time
Founder @ Ginger Security | Blockchain Security Engineer and Web3 Security Educator. Learn more at: johnnytime.xyz
In the decentralized finance (DeFi) space, security remains a significant concern as high-profile hacks and exploits continue to occur. One such incident involved Sonne Finance, a fork of the Compound protocol, which lost over $20 million due to a vulnerability.
In this article, we will dive into the details of the Sonne Finance exploit, but not only that. We will demonstrate how to reproduce the attack on Binance Smart Chain and introduce Phalcon, a powerful tool designed to prevent such attacks in real time.
To see how we reproduced and blocked the hack in real life, watch the video below:
The Sonne Finance Exploit: A Detailed Breakdown
Sonne Finance, operating as a decentralized lending protocol on Binance Smart Chain, was built on the Compound protocol. The exploit that led to the loss of over $20 million targeted a specific vulnerability within the protocol.
The vulnerability allowed an attacker to manipulate the protocol’s underlying logic, enabling unauthorized withdrawals of funds. This was achieved by taking advantage of a flaw in how the protocol handled collateral and liquidity calculations.
The exploit was executed through a series of complex governance actions and transactions, which manipulated pool prices and collateral ratios, ultimately allowing the attacker to drain funds from the protocol. Read more about the technical details here.
Introducing Phalcon: A Real-Time Defense Mechanism
Phalcon is a powerful tool designed to prevent DeFi exploits like the one experienced by Sonne Finance. It operates by continuously monitoring transactions and identifying potential attacks before they are executed.
How Phalcon Works:
Attack Detection Engine: Phalcon uses an advanced detection engine that analyzes transaction patterns to identify suspicious activities. It simulates transaction execution and tries to determine whether the protocol is going to be exploited before the transaction is actually mined.
Safe Wallet Integration: The tool integrates with Safe Wallets, which are multi-signature wallets designed to secure funds. Phalcon allows preparing defense transactions using Safe modules.
Real-Time Protection: Phalcon operates in real-time, allowing it to detect and prevent exploits before they can cause significant harm.
Configuring Phalcon to Prevent the Sonne Finance Exploit
Now, we will replicate the environment in which the attack occurred. By deploying a clone of Sonne Finance’s vulnerable protocol on Binance Smart Chain, we will reproduce the attack and analyze its mechanics.
To demonstrate Phalcon’s effectiveness, we configured the tool in a way that would have prevented the Sonne Finance exploit.
Part 1: Setting Up the Environment
Deploying the Vulnerable Protocol:
For the demonstration, we’ve created a mock token (e.g., Wrapped ETH or any ERC-20 token) and added liquidity to simulate the market conditions.
Part 2: Reproducing the Hack
Understanding the Vulnerability:
Preparing the Exploit Contract:
We’ve created a contract that will execute the exploit. This contract will simulate the attack by interacting with the vulnerable protocol. The exploit contract is designed to trigger the rounding error by making a small donation and then exploiting the logical flaw.
Deploying the Exploit Contract:
Executing the Exploit:
Part 3: Configuring Phalcon
We logged into the Phalcon dashboard and prepared to monitor the vulnerable protocol:
We added the smart contracts we deployed (e.g., the soWrappedETH market and the Timelock contract) to Phalcon’s contract library, so that we can later monitor the soWrappedETH contract and send transactions to the Timelock contract to pause the market:
Creating Monitors:
We added a monitor for the soWrappedETH market. We configured it to watch for any borrow function invocations:
Then, we enabled Phalcon’s automated attack detection engine to filter for potential attacks:
Creating Actions:
We’ve set up actions that will trigger when an attack is detected. These actions involve pausing the protocol to prevent further exploitation.
We can integrate Phalcon with our Safe wallet which controls the Protocol Timelock contract. Phalcon will install a Safe Module to use this smart wallet to sign and execute transactions automatically. This will allow Phalcon to execute defense actions automatically when an attack is detected:
We’ve set up a strategy for front-running the attack by sending a pause transaction with a higher gas price than the original attack transaction:
Linking Monitors to Actions:
We linked the monitor we created for the soWrappedETH market to the action we just set up.
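To make the monitor-to-action link concrete, here is an added Python model of what Part 3 configures and what the detection-engine overview above describes: a dry run of a pending transaction against a copy of the market state, a rule that flags it, and a pause action priced to land ahead of it. This is example code written for this article, not Phalcon's or Sonne Finance's code. The market model uses the public Compound v2 exchange-rate formula (cash + borrows - reserves over total supply); the `RATE_JUMP_LIMIT` threshold, the 10% gas bump, the `initial_rate` constant, the "donate then borrow" sample transaction and the contract addresses are constructed assumptions, and routing the Comptroller-style `_setBorrowPaused` call through the Timelock is assumed rather than taken from the page.

```python
from copy import deepcopy
from dataclasses import dataclass, field

MANTISSA = 10**18  # 1e18 fixed-point scale used by Compound-style cTokens


@dataclass
class Market:
    """Minimal Compound-v2-style market (constructed toy, not Sonne's or Phalcon's code)."""
    cash: int                        # underlying tokens held by the market
    borrows: int = 0                 # total outstanding borrows
    reserves: int = 0
    total_supply: int = 0            # soTokens (cTokens) outstanding
    initial_rate: int = 2 * 10**26   # rate used while the market is empty (assumed constant)
    borrow_paused: bool = False      # the flag the Timelock's pause action flips

    def exchange_rate(self) -> int:
        # Compound v2 formula: (cash + borrows - reserves) / totalSupply, or the initial rate if empty
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def apply(self, op: str, amount: int) -> None:
        if op == "mint":      # deposit underlying, receive soTokens at the current rate
            self.total_supply += amount * MANTISSA // self.exchange_rate()
            self.cash += amount
        elif op == "donate":  # underlying sent straight to the market: no soTokens minted
            self.cash += amount
        elif op == "borrow":
            if self.borrow_paused:
                raise RuntimeError("borrow is paused")   # the revert reason seen in Part 4
            if amount > self.cash:
                raise RuntimeError("insufficient cash")
            self.cash -= amount
            self.borrows += amount
        else:
            raise ValueError(f"unknown op {op}")


@dataclass
class PendingTx:
    gas_price: int                               # wei, as seen in the mempool
    ops: list = field(default_factory=list)      # [(op, amount), ...] decoded from the calldata


RATE_JUMP_LIMIT = 2   # assumption: one tx multiplying the exchange rate by >= 2x is anomalous


def execute(market: Market, tx: PendingTx):
    """Apply the tx atomically: every op lands, or the market is unchanged (like an EVM revert)."""
    shadow = deepcopy(market)
    try:
        for op, amount in tx.ops:
            shadow.apply(op, amount)
    except RuntimeError as err:
        return str(err)
    market.__dict__.update(shadow.__dict__)
    return None


def simulate(market: Market, tx: PendingTx) -> dict:
    """Monitor: dry-run the pending tx on a copy of the state before it is mined."""
    shadow = deepcopy(market)
    before = shadow.exchange_rate()
    reverted = execute(shadow, tx)
    after = shadow.exchange_rate()
    touches_borrow = any(op == "borrow" for op, _ in tx.ops)
    suspicious = reverted is None and touches_borrow and after >= before * RATE_JUMP_LIMIT
    return {"rate_before": before, "rate_after": after,
            "reverted": reverted, "suspicious": suspicious}


def build_pause_action(tx: PendingTx, timelock: str, market_addr: str) -> dict:
    """Action: pause borrowing via the Timelock, priced to land ahead of the watched tx."""
    return {"to": timelock,
            "call": ("_setBorrowPaused", market_addr, True),   # Compound-style admin call
            "gas_price": tx.gas_price * 11 // 10 + 1}          # 10% bump is an assumption


def guard(market: Market, tx: PendingTx, timelock: str, market_addr: str) -> dict:
    """Monitor linked to action: if the dry run looks like an attack, the pause lands first."""
    action = None
    if simulate(market, tx)["suspicious"]:
        action = build_pause_action(tx, timelock, market_addr)
        market.borrow_paused = True       # the higher-priced pause tx is mined before the attack
    revert = execute(market, tx)          # the watched tx is mined next and hits the pause
    return {"blocked": revert is not None, "revert": revert, "action": action}


if __name__ == "__main__":
    market = Market(cash=0)
    market.apply("mint", 10**18)          # 1 WETH seeded into the fresh soWrappedETH market
    # Constructed pending txs: a large donation followed by a borrow, and an ordinary user.
    watched = PendingTx(gas_price=5 * 10**9, ops=[("donate", 100 * 10**18), ("borrow", 50 * 10**18)])
    normal = PendingTx(gas_price=3 * 10**9, ops=[("mint", 5 * 10**18), ("borrow", 10**18)])
    print("normal tx:", simulate(market, normal))
    print("watched tx:", simulate(market, watched))
    print("guard:", guard(market, watched, "0xTimelock(placeholder)", "0xsoWrappedETH(placeholder)"))
```

The point of the model is the ordering, not the numbers: the monitor's verdict comes from executing the pending transaction against a copy of the state, the action is only built when that verdict is suspicious, and the defense is priced so that the pause is mined first, which is why the watched transaction then reverts with "borrow is paused" while an ordinary mint-and-borrow passes untouched.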
Funding the Phalcon Relayer EOA Account:
We deposited some BNB into the Phalcon Relay EOA account to cover the gas fees required to execute transactions on Binance Smart Chain.
Part 4: Testing the Defense Mechanism
Triggering the Attack, Once Again:
We executed the exploit contract again, just as in Part 2 (hopefully it will fail this time). This time, Phalcon should detect the malicious transaction and, hopefully, block it:
Attack Was Blocked!
Phalcon detects the attack and automatically triggers the pause action on the soWrappedETH market. As you can see, the exploit script failed and the attack was prevented:
We can confirm that the attack is blocked and that no funds are drained from the protocol. The revert reason is “borrow is paused”, which means that the market is paused:
Finalizing and Reviewing
We can always check the logs and transaction history in Phalcon to ensure everything works as expected.
The test that we performed in the video shows how Phalcon can be tailored to protect against similar vulnerabilities, offering DeFi protocols a robust defense mechanism.
Conclusion
The Sonne Finance exploit serves as a reminder of the vulnerabilities that exist within DeFi protocols. By understanding the mechanics of such exploits and employing tools like Phalcon, developers and protocol founders can significantly reduce the risk of similar attacks.
Phalcon is an advanced tool that you can start using now to protect your users’ funds. Sign up to test the tool, and get a 7-day free trial and a $1,000 discount by using this link or a referral code “JohnnyTime”.
Principal Software Engineer
2 months
Hey, Johnny, what if the attacker sent his transaction using Flashbots?