At least $25M lost across three incidents in busy day for crypto hackers

Following a relatively quiet period, a trio of crypto hacks has hit the sector.

Over the past 24 hours, lending platform Sonne Finance lost $20 million to a well-known attack vector, the bridge to ‘Bitcoin Layer 2’ ALEXLab was drained for $4.3 million, and crypto investment firm BlockTower Capital was found to have been hacked for an undisclosed sum.

Sonne Finance hit via ’empty market’ bug

Sonne Finance was hacked on Ethereum L2 Optimism via the ‘empty market’ bug in new markets — in this case, soVELO.

The attack is ongoing and much bigger, an additional $17 million has been stolen and the total value loss is more than $20 million. @SonneFinance please take immediate action. https://t.co/k39W09J8Bd
— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) May 14, 2024

Read more: Compound Finance upgrade bug freezes $830M in crypto

Sonne uses forked code from Compound, one of the first decentralized finance (DeFi) lending protocols. ‘Forking,’ or reusing, code from established projects is a common practice in DeFi, as it’s often considered ‘battle tested’ and therefore safer than freshly written contracts.

Compound’s v2 code, however, contains a well-known vulnerability with new, empty markets. This introduces a potential rounding error that can be exploited to drain available borrow liquidity on the platform. Over the past year, the same hack has affected Onyx Protocol, Hundred Finance, and Midas Capital, totaling $10 million in losses.

Despite being aware of the issue, Sonne Finance’s post-mortem report explains that the hacker was able to create the markets “without us noticing,” due to the ‘permissionless’ nature of the functions on Optimism. Sonne’s other deployment, on Base, was not affected.

Although $20 million was lost, security researchers were able to save $6.5 million of remaining funds by depositing $100 worth of VELO tokens, making the exploit unworkable.

Suspicious transaction swipes $4.3M fom ALEXLab bridge

Hours before, audit firm Certik identified a ‘suspicious transaction’ in which $4.3 million was removed from the XLink bridge which connects the Bitcoin ‘layer two’ ALEXLab to the BNB Chain.

#CertiKInsight 🚨
We have seen a suspicious transaction affecting @ALEXLabBTC
Initial evidence points to a possible private key compromise.
Deployer of 0xb3955302E58FFFdf2da247E999Cd9755f652b13b upgrades to a suspicious implementation.
In total ~$4.3m worth of assets have… pic.twitter.com/02kiw2dFrm
— CertiK Alert (@CertiKAlert) May 14, 2024

Read more: Refund of $70M ‘address poisoning’ scam ongoing, over 50% returned

Styling itself as ‘Bitcoin DeFi,’ ALEXLab is a scaling solution for the Bitcoin network, which itself doesn’t support the smart contracts necessary for DeFi applications to run.

Certik states that the losses could be down to ‘a possible private key compromise,’ in which the deployer’s address was unexpectedly upgraded. The ALEXLab team claims to have identified the individual responsible and is proposing a 10% bounty for the return of funds.

BlockTower ‘main hedge fund’ hacked

Crypto investment firm BlockTower Capital was targeted by a hack on its ‘main hedge fund’ according to a Bloomberg report, published on Wednesday.

According to the article, BlockTower’s fund was partially drained for an undisclosed sum, citing “people familiar with the matter, who declined to be identified discussing sensitive information.”

The firm also lost $1.5 million when DeFi platform Dexible was hacked last year. Responding to the incident at the time, Dexible stated “these things happen.”

As the last 24 hours shows, they’re not wrong.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.

Source: https://protos.com/at-least-25m-lost-across-three-incidents-in-busy-day-for-crypto-hackers/