Protocol Due Diligence: [Sonne Finance]

# Protocol Due Diligence: [Sonne Finance] Sonne Finance is a lending and borrowing protocol built on the Optimism network and derived from the Compound V2. The main changes include the substitution of native ETH tokens with wrapped ETH and the utilization of block timestamps, rather than the quantity of blocks, for the computation of APYs. The protocol was successfully deployed on September 28, 2022, and has growth steadilty to 50m TVL. ## Overview + Links - **Site**: https://sonne.finance/ - **Twitter**: https://twitter.com/SonneFinance - **Team**: Core members include: Atakan, Gathon & Amaterasu. The team has worked on multiple DeFi projects, mainly on Fantom. Atakan is publicly known, primarily for his Fantom-themed “Intro to DeFi” youtube channel. - **OP grant proposal**: https://gov.optimism.io/t/draft-2-gf-phase-1-proposal-sonne-finance/4779 - **Docs**: https://docs.sonne.finance/ - **TVL and dashboard**: https://defillama.com/protocol/sonne-finance ## Audits and Due Diligence Disclosures A first audit is scheduled for Q2 2023, with $50k secured by selling discounted sSONNE. The code include minor diff from Compound V2. More details can be found in the "Audit Reports / Key Findings" section. ## Funds Management - **Is the protocol delegating the funds to another protocol/s?** No - **Do we have a due diligence document for those protocols?** N/A - **How will we monitor any changes in the funds’ delegation?** N/A ## Rug-ability **Multi-sig:** Yes, via SAFE wallet: [0x784b82a27029c9e114b521abcc39d02b3d1deaf2](https://app.safe.global/home?safe=oeth%3A0x784B82a27029C9E114b521abcC39D02B3D1DEAf2) **Number of Multi-sig signers / threshold:** 5 signers, 3 team members, 0xValJohn (Yearn) and Justin Bebis (Rreaper farms), threshold 3/5. - Gathon: [0xFb59Ce8986943163F14C590755b29dB2998F2322](https://optimistic.etherscan.io/address/0xFb59Ce8986943163F14C590755b29dB2998F2322) - Atakan: [0xD3e24C782b0c684782dCd294602638A05bdF1A7C](https://optimistic.etherscan.io/address/0xD3e24C782b0c684782dCd294602638A05bdF1A7C) - Amaretsu: [0xB58Ee267704ec4529e1B1f17B81Db73279DC4821](https://optimistic.etherscan.io/address/0xB58Ee267704ec4529e1B1f17B81Db73279DC4821) - 0xValJohn: [0x0FB44352bcfe4c5A53a64Dd0faD9a41184A1D609](https://optimistic.etherscan.io/address/0x0FB44352bcfe4c5A53a64Dd0faD9a41184A1D609) - Justin Bebis: [0xbeb15caee71001d82F430E4deda80e16dDf438Db](https://optimistic.etherscan.io/address/0xbeb15caee71001d82F430E4deda80e16dDf438Db) **Upgradable Contracts:** Yes. The Comptroller is implemented as an upgradeable proxy. The Unitroller proxies all logic to the Comptroller implementation, but storage values are set on the Unitroller. See [OpenZeppelin audit on Compound Unitroller](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/#unitroller-and-comptroller), Sonne uses the same implementation. Admin that can upgrade is contract [TimelockController](https://optimistic.etherscan.io/address/0x37ff10390f22fabdc2137e428a6e6965960d60b6#code). A common use case is to position this [TimelockController](https://docs.openzeppelin.com/contracts/4.x/api/governance#timelock) as the owner of a smart contract, with a multisig or a DAO as the sole proposer. Minimal time lock delay is 48 hours. TimelockController roles: - **TIMELOCK_ADMIN_ROLE**: [TimelockController contract it self](https://optimistic.etherscan.io/address/0x37ff10390f22fabdc2137e428a6e6965960d60b6) - **PROPOUSER_ROLE**: [multisig contract](https://optimistic.etherscan.io/address/0x784b82a27029c9e114b521abcc39d02b3d1deaf2) - **EXECUTOR_ROLE**: anyone can execute **Decentralization:** Centralized, multisig has controller ownership. Msig is distributing revenue and bribes on a weekly basis. ## Misc Risks [SONNE token distribution](https://docs.sonne.finance/tokenomics/distribution): - 60% Rewards+Bribes (Community) - 19% Protocol Growth - 12% Core Team (3 months cliff/2-year linear vest) - 3.5% Liquidity Generation Event(LGE) Participants - 3% Community Airdrops - 2.5% Initial Liquidity Token distribution is highly oriented to the community, but all actions are limited only to multisig. ### Audit Reports / Key Findings The team has [raised $50k from selling discounted sSONNE](https://twitter.com/SonneFinance/status/1637782395331002371). They intend on having a code4rena hybrid audit/bug bounty program. **Minimal code changes, compared to original [Compound V2](https://github.com/compound-finance/compound-protocol/tree/master/contracts)**: - [CToken](https://www.diffchecker.com/bXxKg3mH/) - change uint to uint256 and formatting changes - [CTokenInterface](https://www.diffchecker.com/TUlDtnhu/) - the same - [CErc20Immutable](https://www.diffchecker.com/u5EfGd7H/) - the same - [Unicomptroller](https://www.diffchecker.com/Z71dJWVP/) - the same - [Comptroller](https://www.diffchecker.com/g6tWdoaL/) - change uint to uint256 and formatting changes - [ComptrollerStorage](https://www.diffchecker.com/iiYJisIj/) - change uint to uint256 and formatting changes - [ErrorReporter](https://www.diffchecker.com/PBGEssCh/) - the same - [ExiponentalNoError](https://www.diffchecker.com/lSpIB5Xy/) - the same - [Comp](https://www.diffchecker.com/x5gRzgjX/) - change uint to uint256 and formatting changes - IntrestRateModel - the same - PriceOracle - the same - Unitroller - the same **Meaningful changes, compared to original [Compound V2](https://github.com/compound-finance/compound-protocol/tree/master/contracts)**: - [JumpRateModel](https://www.diffchecker.com/GhHIHyye/) - Sonne uses custom V4 model with updatable `blocksPerYear` variable. Using [SafeMath with Solidity v0.8.10](https://optimistic.etherscan.io/address/0xbbbd75383f6a61d5eb5b43e94e6372df6f7f13c6#code#F2#L16), probably left from copying code. - Sonne uses [ChainlinkPriceOracle](https://optimistic.etherscan.io/address/0x90c28b6ecfb7312d361756711055665598a3f125#code) for price while Compound uses [UniswapAnchoredView](https://etherscan.io/address/0x50ce56A3239671Ab62f185704Caedf626352741e#code). There is no verification of data returned from Chainlink. Only verification is that [the price is not zero](https://optimistic.etherscan.io/address/0x90c28b6ecfb7312d361756711055665598a3f125#code#F10#L80) but the data could be [stale because is no verification of timestamp nor roundId](https://consensys.net/diligence/audits/2021/09/fei-protocol-v2-phase-1/#chainlinkoraclewrapper---latestrounddata-might-return-stale-results). - Unitroller admin is OZ [TimelockController](https://optimistic.etherscan.io/address/0x37ff10390f22fabdc2137e428a6e6965960d60b6#code) istead of Compound Timelock. Check privileged admin Comptroller calls: https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/#privileged-roles ### Anything else Sonne Finance has the same logic and interface as Compound V2. This enables integration with minimal changes to the existing generic lender strategy for comp v2 in the production: https://etherscan.io/address/0x0e25a9218cca241245722dda13089e4080bd6a25#code There is a possibility to [stake](https://docs.sonne.finance/tokenomics/staking-and-revenue-sharing) reward SONNE token and earn protocol revenue. It can be staked as`uSONNE` and earn USDC, VELO. Another option is to stake as `sSONNE` to earn SONNE and VELO. Reward tokens are shared with stakers on a weekly basis. **Unstaking has 1 week delay.** # Path to Prod ## Strategy Details - **Description:** Sonne generic leverage strategy will deposit one of the collateral assets and earn supply rewards in a given asset and SONNE token. Also, use that asset as collateral and borrow the base asset. The strategy will then re-deposit that base asset back into Sonne Finance in order to farm the SONNE rewards given to lenders and borrowers. Additional rewards given in the SONNE token will be sold for want token on Velodrome. The Sonne strategy is applicable for vaults: WETH, WBTC, USDC, DAI, sUSD and OP. - **Strategy current APR:** Data on date 16.02.2023: - WETH: supply APY is 3,01% and rewards APY in $SONNE is 0,49%. - WBTC: supply APY is 3,87% and rewards APY in $SONNE is 0,55%. - USDC: supply APY is 1,06% and rewards APY in $SONNE is 0,48%. - DAI: supply APY is 2,20% and rewards APY in $SONNE is 0,70%. - sUSD: supply APY is 2,07% and rewards APY in $SONNE is 0,57%. - OP: supply APY is 2,25% and rewards APY in $SONNE is 0,86%. - **Does Strategy delegate assets?:** No - **Target Prod Vault:** 0.4.5 - **BaseStrategy Version #:** 0.4.5 - **Target Prod Vault Version #:** 0.4.5 ## Monitoring and Alerting Tenderly alerts to committe group have been set-up: https://dashboard.tenderly.co/yearn/sonne-finance/alerts/rules ![](https://i.imgur.com/VzgthKw.png) ![](https://i.imgur.com/sG4PdCc.png) ## Testing Plan ### Ape.tax - **Will Ape.tax be used?:** Yes - **Will Ape.tax vault be same version # as prod vault?:** Yes - **What conditions are needed to graduate? (e.g. number of harvest cycles, min funds, etc):** Deposit, withdraw, profitable harvest ## Prod Deployment Plan - **Suggested position in withdrawQueue?:** Middle or front - **Does strategy have any deposit/withdraw fees?:** No - **Suggested debtRatio?:** start with 10% - **Suggested max debtRatio to scale to?:** up to 30%, pending audit ## Emergency Plan - **Shutdown Plan:** Withdraw from Sonne, claim and sell the rewards, return want token to vault. - **Things to know:** - **Scripts / steps needed:** - **Is it safe to...** - call EmergencyShutdown - remove from withdrawQueue - call revoke and then harvest ## References Slides from Sonne Finance: ![](https://media.discordapp.net/attachments/1073646988463194205/1074651206229708941/unknown.png?width=1086&height=611) ![](https://media.discordapp.net/attachments/1073646988463194205/1074651244221714492/unknown.png?width=1086&height=611) ![](https://media.discordapp.net/attachments/1073646988463194205/1074651273518923786/unknown.png?width=1086&height=611) ![](https://i.imgur.com/lq6tPij.jpg)