Briefing

Sonne Finance, a lending protocol on Optimism, suffered a catastrophic $20 million loss from a sophisticated flash loan attack that exploited a known vulnerability in its Compound V2 fork codebase. The primary consequence was the immediate depletion of WETH, VELO, and USDC.e from the protocol’s lending pools, forcing the team to pause all markets on the Optimism chain to prevent further bleeding. The root cause was a precision loss flaw in the exchangeRate calculation, which was manipulated by a direct token “donation” to a newly deployed, empty market. The attack successfully drained approximately $20 million, marking it as the largest exploit to date on the Optimism chain.

Context

The protocol’s reliance on a Compound V2 fork introduced a significant, pre-existing attack surface. This specific precision loss vulnerability, often termed the “donation attack,” was well-documented, having been previously exploited in other Compound forks like Hundred Finance and Onyx Protocol. The risk was amplified by the protocol’s use of multiple, permissionless transactions for new market deployment, creating a critical race condition window for the attacker to execute the exploit.

Analysis

The core system compromised was the smart contract logic governing the exchangeRate calculation within the newly created soVELO market. The attacker first took a flash loan of VELO and then “donated” the tokens directly to the empty contract, which inflated the totalCash but did not increase the totalSupply of the soToken. This action dramatically skewed the exchange rate due to a known rounding error in the underlying Compound V2 code. With the exchange rate manipulated, the attacker used a minimal amount of soVELO (as little as 1 wei) to redeem the entire donated balance and then drain other markets, effectively turning a minor collateral position into a multi-million dollar withdrawal.
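The exchange-rate arithmetic described above can be modeled in integer math and turned into a pre-listing check. This is an added example, not Sonne's or Compound's code; the `Market` fields, the thresholds, the initial rate and the sample markets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MANTISSA = 10**18  # Compound V2 fixed-point scale

@dataclass
class Market:
    total_cash: int         # underlying held by the market contract
    total_borrows: int
    total_reserves: int
    total_supply: int       # soTokens in circulation (smallest unit)
    collateral_factor: int  # scaled by 1e18; 0 = not usable as collateral

def exchange_rate(m: Market, initial_rate: int = 2 * 10**26) -> int:
    """Underlying per soToken (scaled by 1e18), truncating like on-chain math."""
    if m.total_supply == 0:
        return initial_rate  # assumed initial rate for an empty market
    assets = m.total_cash + m.total_borrows - m.total_reserves
    return assets * MANTISSA // m.total_supply

def rate_after_direct_transfer(m: Market, amount: int) -> int:
    """Rate if `amount` underlying reaches the contract without minting soTokens."""
    bumped = Market(m.total_cash + amount, m.total_borrows, m.total_reserves,
                    m.total_supply, m.collateral_factor)
    return exchange_rate(bumped)

def listing_findings(m: Market, min_supply: int, max_move_bps: int, probe: int) -> list[str]:
    """Flag a market whose exchange rate is not yet anchored by real supply."""
    findings = []
    if m.collateral_factor > 0 and m.total_supply < min_supply:
        findings.append("collateral enabled before market is seeded")
    before, after = exchange_rate(m), rate_after_direct_transfer(m, probe)
    if m.total_supply and (after - before) * 10_000 // before > max_move_bps:
        findings.append("exchange rate moves too far on a direct transfer")
    return findings

# Constructed sample markets (not on-chain data).
THIN = Market(total_cash=4, total_borrows=0, total_reserves=0,
              total_supply=2, collateral_factor=35 * 10**16)
SEEDED = Market(total_cash=10**24, total_borrows=0, total_reserves=0,
                total_supply=5 * 10**15, collateral_factor=35 * 10**16)

if __name__ == "__main__":
    for name, mkt in (("thin", THIN), ("seeded", SEEDED)):
        print(name, listing_findings(mkt, min_supply=10**12,
                                     max_move_bps=50, probe=10**18))
```

Running the check against a proposed market's state before its collateral factor is set shows whether totalSupply is large enough to keep the rate stable.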

Parameters

  • Total Loss → $20,000,000 USD (The estimated total value of WETH, VELO, and USDC.e drained from the protocol).
  • Vulnerability Class → Precision Loss (A known arithmetic flaw in Compound V2 forks that allows exchange rate manipulation).
  • Affected Chain → Optimism (The exploit was executed on the Optimism deployment, as the Base deployment had restricted execution permissions).
  • Exploited Collateral → 1 wei (The minimal amount of soVELO token collateral required to redeem millions in underlying assets due to the manipulated exchange rate).

Outlook

Users are advised to immediately withdraw all assets from any Compound V2 fork protocols that have not formally verified a patch for this specific new market deployment logic. The immediate contagion risk is high for any lending protocol that utilized a similar multi-step, permissionless transaction process for adding new markets. This incident will establish a new security best practice mandating that all critical administrative operations must be batched into a single, atomic transaction or have the executor role strictly restricted to a trusted entity to prevent the exploitation of timelock-induced race conditions.

Verdict

This $20 million breach confirms that legacy smart contract architecture, even when audited, remains a systemic risk, demanding an immediate industry-wide shift toward atomic transaction batching for all critical administrative functions.

Signal Acquired from → certik.com