Sonne Finance, by 0x5929cC4D10b6a1acc5bF5D221889f10251C628A1 (houseblock.eth)

Addressing and Mitigating the Sonne Finance Exploit and Enhancing Protocol Security

Voting ended over 1 year ago. Status: Succeeded

DAO Resolution to Address and Mitigate the Recent Exploit and Enhance Security Measures for Sonne Finance

Timeline of Events

  • Sonne Finance: Accepted as a groundbreaking and important DeFi protocol.

  • Recipient of OP Foundation Grant: Sonne Finance was awarded a grant in "RetroPGF Round 2" for DeFi contributions.

  • Expansion to Base: Successfully expanded its operations to the Base chain, which shows growth and adaptability.
  • **Radiant Capital Exploit**: Just a week after the introduction of native USDC markets, Radiant Capital had an analogous exploit on Arbitrum markets, which resulted in a loss of $4.5 million and a suspension of its markets in January 2024.

  • Audit and Findings: Sonne Finance commissioned an audit from yAudit[1] in May 2023. The following findings came out of this audit:

  • **Lax protection against Hundred Finance attack vector**: The audit revealed that Sonne Finance did not have clear and consistent mitigations in place against the attack that led to the Hundred Finance hack, i.e. an empty market that allows the share price to be manipulated. The audit identified some instances where a newly created Sonne market is susceptible to the same attack vector.

  • Seed Round: Sonne Finance had also completed a seed round of funding, as suggested on their website, to afford the audit.

  • **Sonne Finance Exploit**: On the 14th of May 2024, Sonne Finance was hacked to the tune of $20 million, and the protocol was paused across all Optimism markets. An attacker exploited a vulnerability introduced by the inclusion of token markets for the Velodrome Finance VELO token.

Resolution

The DAO finds the following:

  1. Sonne Finance is a next-generation, innovative DeFi protocol.

  2. Grant Recipient: Sonne Finance received a grant from the OP Foundation in the "RetroPGF Round 2".

  3. Expansion: It has successfully grown to the Base chain, thus proving its growth potential.

  4. Audit: Engaged an audit in May 2023, which surfaced some really critical vulnerabilities, with one being not having clear protection against the Hundred Finance attack vector. It found that there wasn't a set of clear and consistent mitigations in place against the attack that allowed for the Hundred Finance hack. The attack was related to an empty market allowing for share price manipulation. The audit identified areas where newly created Sonne markets were likely susceptible to this attack.

  5. Seed Round: We did a seed round with users to pay for the audit.

  6. Sonne Finance Exploit: This saw a $20M hack on May 14, 2024, due to a flaw in the addition of the VELO token markets.

BE IT RESOLVED BY THE DAO THAT:

  1. **Recovery Efforts**: Sonne Finance should try to recover the money that has been lost by paying a bounty to the hacker and engaging in negotiations; however, the maximum bounty to the hacker shall not exceed 10% of the amount stolen.

  2. Daily Accounting: Present a full accounting of DeFi losses to the community. The status of funds recovery and withdrawals will be reported every business day for the next 30 days, or until all funds are recovered, or until such time as the DAO votes otherwise, whichever comes sooner.

  3. User Compensation: In the event that the money is not recovered, Sonne Finance incurs the responsibility for compensating the users.

  4. Collaboration with Law Enforcement: Work with law enforcement to recover funds if full recovery is not made, less a bounty, and hold responsible the attackers who used the exploit.

  5. **Assure Users**: Go the extra mile to assure users that the funds are safe on the Base chain.

  6. Security Measures: All shall be done to help recover user funds and to ensure that the platform continues to grow and remains reliable, e.g.:

  • Burn an initial amount of tokens to prevent the accidental opening of some critical protocol bug.
  • Create a well-defined and consistent process for the deployment of new markets to reduce the potential for share price manipulation.

  7. Condemn Hacker: The DAO repudiates and condemns in the strongest possible terms the actions taken by the exploiter(s) to steal protocol funds, which is illegal, unethical, and immoral activity.

Off-Chain Vote

  • Accept: 52.09K SONNE (100%)
  • Reject: 0 SONNE (0%)
  • Abstain: 0 SONNE (0%)

Timeline

  • May 16, 2024: Proposal created
  • May 16, 2024: Proposal vote started
  • May 19, 2024: Proposal vote ended
  • Mar 21, 2025: Proposal updated