Soneta

Code Audit

Soneta is a fork of Liquity V2 running on the Sonic EVM blockchain.

Audit Report

Severity Issues

  • critical: (no count shown)
  • high: 7
  • medium: 5
  • low: 3
  • informational: 7

Audit Period: 2.4 person‑weeks (PW)

Report

Introduction

Soneta is an official fork of Liquity v2 deployed on the Sonic network. Its core mission is to let users deposit collateral and mint an over‑collateralised USD‑pegged stable‑coin called ONE. Key protocol roles mirror the original Liquity design:

  • Borrowers: Lock SONIC‑native assets (e.g., Wrapped OS) to open Trove vaults and mint ONE. They can tune their loan‑to‑value (LTV) and interest‑rate parameters to suit personal risk appetite.
  • Stability‑Pool Stakers: Stake ONE in the Stability Pool to absorb liquidations, earning liquidation gains and a share of protocol fees.
  • Governance LPs: Another share of protocol revenue is streamed to a ONE liquidity‑provider pool, letting long‑term supporters earn yield.

ONE is always redeemable for $1 worth of collateral, giving arbitrageurs a hard‑backed peg mechanism.

Scope of the Engagement

Three Sigma executed one focused audit on Soneta’s smart‑contract suite from 19 May 2025 to 22 May 2025.

The review covered 506 non‑comment, non‑blank lines of Solidity spread across price‑feeds, token wrappers, zappers, and core lending logic.

  • Auditors: 3
  • Effort: 2.4 person‑weeks

The primary objectives were to:

  • validate business‑logic correctness for minting, redemption and liquidation flows;
  • stress‑test oracle integrations, wrapping/unwrapping pathways, and flash‑loan helpers;
  • surface optimisation opportunities that reduce gas cost without compromising security.

Challenges in Securing Over‑Collateralised Stable‑Coin Protocols

Oracle & Pricing Pitfalls

Stable‑coin systems live and die by safe collateral valuation.

  • Exchange‑rate blind spots: Rebasing LSTs whose rate drifts from 1:1 create borrowing power errors if feeds ignore the LST‑to‑underlying ratio (cf. Soneta C‑02).
  • Cross‑asset conversions: Multi‑hop feeds (LBTC → BTC → USD) need consistent 18‑decimal normalisation to avoid $1‑looks‑like‑$0.01 mistakes (H‑05).

Decimal & Wrapper Mismatches

Protocols supporting non‑18‑decimal assets must marshal amounts correctly:

  • Truncation dust: Poor scaling in wrap/unwrap paths silently burns value or reverts (M‑04, L‑01).
  • Approval/allowance confusion: Approving wrapped tokens to a DEX that expects the underlying causes hard DoS (M‑07).

Flash‑Loan & Liquidation Edge Cases

Improperly parameterised flash‑loan helpers can brick leverage workflows, while mis‑tuned gas‑compensation caps may leave low‑value positions unliquidated (C‑01).

Audit Date: 2025-05-22

Language: Solidity

Type: Code Audit

Results and Findings

Key Critical Issues

Collateral‑gas cap disincentivises liquidations of low‑value troves

  • Description: Liquidators received the lesser of 0.5 % collateral or 2 units. On Sonic, where 1 WOS ≈ $0.15, the 2‑unit cap reduced rewards to pennies, leaving risky troves untouched.
  • Resolution: Removed the 2‑unit ceiling and increased ETH_GAS_COMPENSATION. Liquidators now earn the full 0.5 % of collateral, restoring economic incentive and keeping the system solvent.

Oracle ignores LST ↔ underlying exchange‑rate

  • Description: Price feeds for rebasing LSTs (e.g., wOS) reported only the underlying S/USD price, letting attackers deposit de‑pegged tokens and over‑borrow.
  • Resolution: Introduced composite oracles that multiply the underlying USD price by the on‑chain LST : underlying rate, with dual‑feed fallback logic across all LST collaterals.

Notable High‑Severity Issues

Improper oracle blend enables arbitrage & over‑borrowing

  • Description: fetchPrice()/fetchRedemptionPrice() used a single feed, blind to market vs. canonical divergence for rebasing collateral, opening peg‑manipulation vectors.
  • Resolution: Oracle module now takes the lower (borrows) or higher (redemptions) of canonical and DEX prices within a configurable deviation threshold.

Misplaced braces skip wrap logic in _transferCollateralInside

  • Description: A stray brace bypassed the wrapping branch, so standardized tokens never reached the zapper, breaking leverage flows.
  • Resolution: Brace relocated; wrapper path executes correctly and is covered by a regression test.

Unhandled convertToAssets() revert could freeze the protocol

  • Description: A failed exchange‑rate call reverted the entire price‑feed update, halting borrows, redemptions, and liquidations.
  • Resolution: Wrapped call in try/catch, added gas‑guard, and wired emergency‑shutdown fallback to lastGoodPrice.

Wrong spender in zapper constructor caused wrap DoS

  • Description: Unlimited allowance was granted to BorrowerOperations instead of the wrapper contract, making wrap() revert.
  • Resolution: Approval now targets collToken (the wrapper); constructor logic audited for similar slips.

LBTC feed returned the LBTC/BTC price, not a USD price

  • Description: LBTCPriceFeed reported LBTC/BTC but never multiplied by BTC/USD, misleading the protocol into valuing LBTC at ≈ $1.
  • Resolution: Added BTC/USD feed multiplication and normalised to 18‑decimals; deployment script patched to use the corrected feed.
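To make the pricing pitfalls above concrete (the LST exchange‑rate blind spot, the LBTC multi‑hop normalisation, the lower/higher blend for borrows vs. redemptions, and the fallback when the exchange‑rate call reverts), here is an added reference model of that arithmetic in Solidity‑style 18‑decimal integer math. It is not Soneta's or Liquity's code; the function names, the deviation‑threshold convention and all sample values are constructed for illustration, and the gas guard on the exchange‑rate call is not modelled.

```python
# Reference model (added example, not Soneta's contract code) of composite oracle
# pricing in uint256-style integer arithmetic, 18-decimal fixed point (WAD).
WAD = 10**18

def to_wad(value: int, decimals: int) -> int:
    """Normalise a feed answer reported with `decimals` decimals to 18 decimals."""
    if decimals <= 18:
        return value * 10**(18 - decimals)
    return value // 10**(decimals - 18)

def lst_usd_price(underlying_usd_wad: int, lst_rate_wad: int) -> int:
    """Composite LST price: underlying USD price times the LST -> underlying rate.
    The pre-fix feed returned underlying_usd_wad alone, ignoring lst_rate_wad."""
    return underlying_usd_wad * lst_rate_wad // WAD

def lbtc_usd_price(lbtc_btc: int, lbtc_btc_dec: int, btc_usd: int, btc_usd_dec: int) -> int:
    """Multi-hop LBTC/BTC * BTC/USD; both legs are normalised to 18 decimals first,
    so a 8-decimal LBTC/BTC answer of ~1.0 cannot be mistaken for ~$1 of value."""
    return to_wad(lbtc_btc, lbtc_btc_dec) * to_wad(btc_usd, btc_usd_dec) // WAD

def blend(canonical_wad: int, market_wad: int, max_dev_wad: int, for_redemption: bool):
    """Lower of canonical/DEX price for borrowing, higher for redemptions, but only
    when the two agree within max_dev_wad (a WAD fraction of the canonical price).
    Returns None on divergence so the caller can treat the feed as untrusted."""
    diff = abs(canonical_wad - market_wad)
    if diff * WAD > canonical_wad * max_dev_wad:
        return None
    return max(canonical_wad, market_wad) if for_redemption else min(canonical_wad, market_wad)

def fetch_rate_safely(convert_to_assets, last_good_rate_wad: int):
    """A reverting exchange-rate call must not halt borrows, redemptions and
    liquidations: fall back to the last good rate and report the feed as failed."""
    try:
        rate = convert_to_assets(WAD)          # hypothetical ERC-4626-style call
    except Exception:
        return last_good_rate_wad, False
    return rate, True

def demo():
    """Constructed sample values only (not live market data)."""
    s_usd = 15 * 10**16                        # $0.15 per S, 18 decimals
    wos_rate = 95 * 10**16                     # 1 wOS redeems for 0.95 S (de-pegged)
    naive = s_usd                              # pre-fix valuation of 1 wOS
    fixed = lst_usd_price(s_usd, wos_rate)     # 0.1425e18 -> $0.1425
    lbtc = lbtc_usd_price(99_500_000, 8, 60_000 * 10**8, 8)  # 0.995 BTC * $60,000
    return naive, fixed, lbtc
```

The difference between `naive` and `fixed` is exactly the over‑borrowing margin an attacker gains from a de‑pegged LST when the rate is ignored.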


In conclusion

Impact of the Audit

The engagement eradicated two zero‑day blockers, closing off every known route to systemic insolvency. It simultaneously strengthened peg defence by introducing a composite oracle system that shields the protocol from LST de‑pegs and LBTC mis‑quotes. All wrap/unwrap, flash‑loan and leverage workflows now pass integration tests across assets with non‑18‑decimal precision, and a redesigned debt‑cap check gives governance an accurate, on‑chain risk gauge. With these improvements in place, Soneta entered public beta carrying a clean security bill and a fully transparent remediation record that bolsters community trust.

Three Sigma’s Value

Our tailored approach to auditing provided Soneta with actionable insights and long‑term security solutions. We focused on more than just identifying vulnerabilities: our methodology emphasized implementing best practices to ensure the protocol’s resilience in a competitive and rapidly evolving ecosystem. By addressing key risks and optimizing functionality, we contributed directly to Soneta’s success in creating a safe and efficient decentralized stable‑coin and borrowing environment. Our commitment to collaboration and thoroughness has helped strengthen their security framework and foster trust within their user base.

We specialize in Liquity v2‑fork audits. If your project is building on the Liquity v2 codebase, or adapting its mechanics to a new network, let us harden it before launch. Contact us to discuss securing your fork and giving your users total peace of mind.
