June 14, 2024
A precision loss attack takes advantage of the deterministic nature of Solidity (the programming language behind Ethereum). A limitation of Solidity is that it does not natively support floating point arithmetic: it uses fixed point arithmetic instead, so every division truncates the digits it cannot represent.
What happened to Sonne Finance? What is a precision loss attack? How was $20 million lost? How was $6.5 million saved?
On May 14th, 2024, Sonne Finance fell victim to a precision loss attack through a newly added liquidity pool. The attacker was able to steal ~$20mm, but thanks to the quick work of Fuzzland, the remaining $6.5mm was secured.
Fixed point arithmetic is more deterministic and predictable than floating point arithmetic; however, it introduces vulnerabilities, specifically in the form of precision loss attacks.
The movies Office Space and Superman III both had plot points about stealing from corporations by skimming fractions of a penny at a time: rounding errors that (for the plot) hopefully wouldn't be noticed until the thieves were rich. This is not dissimilar to a precision loss attack, which takes advantage of the decimals that fixed point arithmetic silently discards.
In the case of a precision loss attack, however, it is not fractions of a penny across millions of transactions; it is the exploitation of rounding errors to steal millions of dollars at once.
On May 14th, Sonne Finance lost around $20 million to a precision loss attack on a newly added liquidity pool.
The liquidity pool carried a known vulnerability originally found in Compound V2 contracts: liquidity pools that have not been initialized with liquidity can be exploited via a precision loss attack.
You can see the soVELO pool as one of the affected protocols in the above image.
The Fuzzland team noticed the attack immediately, and our bot automatically attempted to copy the exploiter in order to secure the funds. Unfortunately the bot's initial attempt failed, prompting our engineers to look at the attack manually. At this point there was about $10 million still in the pools.
Upon further investigation, we realized that the attacker was quite sophisticated. The attacker held a soVELO position that would have had to be liquidated before we could hijack the attack; the image above shows this.
With our better understanding of the attack, we found that we couldn't hijack it, but by adding about $100 worth of liquidity to the pool we could stop the precision loss attack.
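To make the two points above concrete, the truncation in an uninitialized pool and why a small amount of seeded liquidity neutralizes it, here is an added toy model of Compound V2-style exchange-rate accounting. It is not Sonne Finance's, Compound's or Fuzzland's code; it assumes both the underlying and the share token use 18 decimals, a 0.02 initial exchange rate, and a pool whose underlying balance can grow without new shares being minted.

```python
# Added example (not Sonne Finance's, Compound's or Fuzzland's code): a toy
# share-based pool with Compound V2-style exchange-rate accounting, showing how
# much a single deposit can lose to integer truncation when the pool is
# uninitialized versus seeded with a little liquidity.
from dataclasses import dataclass

SCALE = 10**18                      # fixed-point scale of the exchange rate
INITIAL_RATE = 2 * SCALE // 100     # assumed 0.02 underlying per share at supply 0


@dataclass
class Pool:
    cash: int = 0           # underlying (wei) held by the pool
    total_supply: int = 0   # share (cToken-like) supply, also 18 decimals

    def exchange_rate(self) -> int:
        # Underlying per share, scaled by SCALE; '//' truncates the fraction.
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * SCALE // self.total_supply

    def mint(self, amount: int) -> int:
        # Shares are floored: any deposit worth less than one share yields 0.
        shares = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += shares
        return shares


def truncation_loss_bound(pool: Pool) -> int:
    """Largest deposit (wei) that a mint floors to zero shares, i.e. the most a
    single mint can hand to the pool for nothing. Equals one share's value."""
    return pool.exchange_rate() // SCALE


def loss_bound_after_inflow(seed_wei: int, inflow_wei: int) -> int:
    """Seed the pool with `seed_wei` (0 = uninitialized), mint a 2-wei position,
    then let `inflow_wei` of underlying land in the pool without minting shares
    (which inflates the rate). Returns the resulting per-mint loss bound in wei."""
    pool = Pool()
    if seed_wei:
        pool.mint(seed_wei)     # the defender's seed liquidity
    pool.mint(2)                # a dust-sized position exists either way
    pool.cash += inflow_wei     # balance grows, share supply does not
    return truncation_loss_bound(pool)


if __name__ == "__main__":
    one_million = 10**6 * 10**18
    print(loss_bound_after_inflow(0, one_million))             # 10**22 wei = 10,000 tokens
    print(loss_bound_after_inflow(100 * 10**18, one_million))  # 200 wei
```

With 100 shares backing a million tokens, one share is worth 10,000 tokens and any deposit smaller than that rounds to zero shares; with the pool seeded first, the same inflow leaves the per-mint truncation at a few hundred wei. Monitoring `exchange_rate() // SCALE` on newly listed markets is a cheap way to catch this state before it is exploited.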
The swift and innovative response from Fuzzland demonstrates the importance of having a vigilant and proactive security team in the rapidly evolving world of decentralized finance. By understanding the intricacies of the precision loss attack and utilizing a mere $100 to halt the exploit, Fuzzland not only saved $6.5 million but also set a new standard for incident response in the DeFi space. This event underscores the need for continuous monitoring, quick decision-making, and a deep understanding of blockchain vulnerabilities to protect digital assets effectively.
The above image shows the alert that we received from our Blaz+ Alert security product. This real-time monitoring and alerting infrastructure allowed us to act quickly and save millions of dollars.
If you’re concerned about the security of your funds and want to ensure the highest level of protection for your digital assets, get in touch with Fuzzland today. Our expertise in identifying and mitigating vulnerabilities can help safeguard your investments. Don’t wait until it’s too late—contact Fuzzland today and let us fortify your security.