Briefing

Sonne Finance, a lending protocol on Optimism, suffered a catastrophic $20 million loss from a sophisticated flash loan attack that exploited a known vulnerability in its Compound V2 fork codebase. The primary consequence was the immediate depletion of WETH, VELO, and USDC.e from the protocol’s lending pools, forcing the team to pause all markets on the Optimism chain to prevent further bleeding. The root cause was a precision loss flaw in the exchangeRate calculation, which was manipulated by a direct token “donation” to a newly deployed, empty market. The attack successfully drained approximately $20 million, marking it as the largest exploit to date on the Optimism chain.


Context

The protocol’s reliance on a Compound V2 fork introduced a significant, pre-existing attack surface. This specific precision loss vulnerability, often termed the “donation attack,” was well-documented, having been previously exploited in other Compound forks like Hundred Finance and Onyx Protocol. The risk was amplified by the protocol’s use of multiple, permissionless transactions for new market deployment, creating a critical race condition window for the attacker to execute the exploit.


Analysis

The core system compromised was the smart contract logic governing the exchangeRate calculation within the newly created soVELO market. The attacker first took a flash loan of VELO and then “donated” the tokens directly to the empty contract, which inflated the totalCash but did not increase the totalSupply of the soToken. This action dramatically skewed the exchange rate due to a known rounding error in the underlying Compound V2 code. With the exchange rate manipulated, the attacker used a minimal amount of soVELO (as little as 1 wei) to redeem the entire donated balance and then drain other markets, effectively turning a minor collateral position into a multi-million dollar withdrawal.
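The exchange rate arithmetic described above, modelled in Python as an added example (not Sonne's or Compound's code; the initial rate, deposit sizes and the 1,000 VELO seed are constructed). It shows why a donation to an empty market lets a single cToken wei redeem a large share of the donation, and how protocol-owned seed liquidity minted atomically with market creation bounds the effect, which is the deployment check a defender would want before a new market is given a collateral factor.

```python
# Integer model of the Compound V2 cToken exchange rate (18-decimal mantissa).
# Constructed to reproduce the precision loss behind the soVELO "donation" and
# to show why seeding a new market before it can serve as collateral bounds the
# manipulation. Simplified model, not Sonne's or Compound's code.
MANTISSA = 10**18
INITIAL_RATE = 2 * 10**26  # constructed initialExchangeRateMantissa

class Market:
    def __init__(self):
        self.total_cash = self.total_borrows = self.total_reserves = self.total_supply = 0

    def exchange_rate(self):
        # Compound V2: initial rate while empty, else (cash + borrows - reserves) / supply
        if self.total_supply == 0:
            return INITIAL_RATE
        return (self.total_cash + self.total_borrows - self.total_reserves) * MANTISSA // self.total_supply

    def mint(self, underlying):
        tokens = underlying * MANTISSA // self.exchange_rate()  # floors: a deposit below one token's worth mints 0
        self.total_cash += underlying
        self.total_supply += tokens
        return tokens

    def donate(self, underlying):
        # Plain ERC-20 transfer to the contract: cash rises, supply does not
        self.total_cash += underlying

    def redeem(self, tokens):
        underlying = tokens * self.exchange_rate() // MANTISSA
        self.total_supply -= tokens
        self.total_cash -= underlying
        return underlying

def underlying_per_token_wei(m):
    """Defender check: underlying that the smallest position (1 cToken wei) can redeem."""
    return m.exchange_rate() // MANTISSA

def simulate(seed, position, donation):
    """Seed the market (0 = empty, as soVELO was), open a tiny position, then donate.
    Returns the market and the position's cToken balance."""
    m = Market()
    if seed:
        m.mint(seed)  # protocol-owned liquidity minted atomically with market creation
    tokens = m.mint(position)
    m.donate(donation)
    return m, tokens

empty, _ = simulate(0, 4 * 10**8, 10**24)        # empty market: ~500,000 VELO per cToken wei
seeded, _ = simulate(10**21, 4 * 10**8, 10**24)  # 1,000 VELO seed: ~2e-7 VELO per cToken wei
```

The same floor division that inflates redemptions also means that, once the rate is skewed, a later depositor whose amount is below one token's worth receives zero cTokens, which is the precision loss the page refers to.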


Parameters

  • Total Loss → $20,000,000 USD (The estimated total value of WETH, VELO, and USDC.e drained from the protocol).
  • Vulnerability Class → Precision Loss (A known arithmetic flaw in Compound V2 forks that allows exchange rate manipulation).
  • Affected Chain → Optimism (The exploit was executed on the Optimism deployment, as the Base deployment had restricted execution permissions).
  • Exploited Collateral → 1 wei (The minimal amount of soVELO token collateral required to redeem millions in underlying assets due to the manipulated exchange rate).


Outlook

Users are advised to immediately withdraw all assets from any Compound V2 fork protocols that have not formally verified a patch for this specific new market deployment logic. The immediate contagion risk is high for any lending protocol that utilized a similar multi-step, permissionless transaction process for adding new markets. This incident will establish a new security best practice mandating that all critical administrative operations must be batched into a single, atomic transaction or have the executor role strictly restricted to a trusted entity to prevent the exploitation of timelock-induced race conditions.


Verdict

This $20 million breach confirms that legacy smart contract architecture, even when audited, remains a systemic risk, demanding an immediate industry-wide shift toward atomic transaction batching for all critical administrative functions.

Signal Acquired from → certik.com
