Briefing

Sonne Finance, a lending protocol on Optimism, suffered a catastrophic $20 million loss from a sophisticated flash loan attack that exploited a known vulnerability in its Compound V2 fork codebase. The primary consequence was the immediate depletion of WETH, VELO, and USDC.e from the protocol’s lending pools, forcing the team to pause all markets on the Optimism chain to prevent further bleeding. The root cause was a precision loss flaw in the exchangeRate calculation, which was manipulated by a direct token “donation” to a newly deployed, empty market. The attack drained approximately $20 million, making it the largest exploit to date on the Optimism chain.

Context

The protocol’s reliance on a Compound V2 fork introduced a significant, pre-existing attack surface. This specific precision loss vulnerability, often termed the “donation attack,” was well-documented, having been previously exploited in other Compound forks like Hundred Finance and Onyx Protocol. The risk was amplified by the protocol’s use of multiple, permissionless transactions for new market deployment, creating a critical race condition window for the attacker to execute the exploit.

Analysis

The core system compromised was the smart contract logic governing the exchangeRate calculation within the newly created soVELO market. The attacker first took a flash loan of VELO and then “donated” the tokens directly to the empty contract, which inflated the totalCash but did not increase the totalSupply of the soToken. This action dramatically skewed the exchange rate due to a known rounding error in the underlying Compound V2 code. With the exchange rate manipulated, the attacker used a minimal amount of soVELO (as little as 1 wei) to redeem the entire donated balance and then drain other markets, effectively turning a minor collateral position into a multi-million dollar withdrawal.
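
The accounting behind the paragraph above, as an added example that is not code from Sonne Finance, Compound, or CertiK: a small Python model of Compound V2 cToken bookkeeping that reproduces the exchange-rate distortion a direct "donation" causes in a near-empty market, alongside a listing guard that refuses to enable collateral until the market holds a minimum share supply. The class, function names, the dead-address seeding pattern and the MIN_SUPPLY_FOR_COLLATERAL threshold are assumptions for illustration, and all amounts are constructed integers in 18-decimal wei-style units rather than values from the incident.

```python
# Added example (not Sonne Finance's, Compound's, or CertiK's code): a minimal
# model of Compound V2 cToken accounting showing why an empty market's exchange
# rate is fragile and how seeding the market at listing bounds the distortion.
# All amounts are constructed, wei-style integers.

MANTISSA = 10**18
INITIAL_EXCHANGE_RATE = 2 * 10**16   # 0.02, a common Compound V2 initial rate


class CTokenMarket:
    """Cash / supply bookkeeping of one cToken (soToken) market."""

    def __init__(self, initial_exchange_rate=INITIAL_EXCHANGE_RATE):
        self.initial_exchange_rate = initial_exchange_rate
        self.total_cash = 0       # underlying held by the contract
        self.total_borrows = 0
        self.total_reserves = 0
        self.total_supply = 0     # cTokens in circulation
        self.balances = {}

    def exchange_rate(self):
        # Same shape as exchangeRateStored(): with zero supply the stored
        # initial rate is used, otherwise (cash + borrows - reserves) per share.
        if self.total_supply == 0:
            return self.initial_exchange_rate
        pooled = self.total_cash + self.total_borrows - self.total_reserves
        return pooled * MANTISSA // self.total_supply

    def mint(self, who, amount):
        # cTokens = underlying / exchangeRate, rounded down (the precision loss).
        tokens = amount * MANTISSA // self.exchange_rate()
        self.total_cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def redeem(self, who, tokens):
        # underlying = cTokens * exchangeRate, rounded down.
        if self.balances.get(who, 0) < tokens:
            raise ValueError("insufficient cToken balance")
        amount = tokens * self.exchange_rate() // MANTISSA
        if amount > self.total_cash:
            raise ValueError("insufficient cash")
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.total_cash -= amount
        return amount

    def donate(self, amount):
        # A plain ERC-20 transfer into the contract: cash rises, supply does not,
        # so every existing share is suddenly worth far more underlying.
        self.total_cash += amount


def distortion_factor(market, donation):
    """How many times the exchange rate grows if `donation` underlying is sent
    straight to the contract. Evaluated on a copy; `market` is not mutated."""
    before = market.exchange_rate()
    probe = CTokenMarket(market.initial_exchange_rate)
    probe.total_cash = market.total_cash + donation
    probe.total_borrows = market.total_borrows
    probe.total_reserves = market.total_reserves
    probe.total_supply = market.total_supply
    return probe.exchange_rate() // before


def empty_market_scenario(donation):
    """Near-empty market: one depositor supplied 1 wei of underlying (50 shares
    at the initial rate), then `donation` underlying was sent to the contract."""
    m = CTokenMarket()
    m.mint("first_depositor", 1)
    rate_before = m.exchange_rate()
    m.donate(donation)
    rate_after = m.exchange_rate()
    per_share = m.redeem("first_depositor", 1)   # what one wei of cToken now claims
    return {"rate_before": rate_before, "rate_after": rate_after,
            "underlying_per_share": per_share}


def seeded_market_scenario(seed, donation):
    """Assumed hardening pattern (not Sonne's actual fix): the lister seeds the
    market in the same step it is created and parks the seed shares at a dead
    address, so totalSupply can never sit at a few wei. Returns the distortion
    the same donation would now cause."""
    m = CTokenMarket()
    m.mint("0x000000000000000000000000000000000000dEaD", seed)
    return distortion_factor(m, donation)


MIN_SUPPLY_FOR_COLLATERAL = 10**21   # constructed policy threshold, in cToken wei


def may_enable_collateral(market, min_supply=MIN_SUPPLY_FOR_COLLATERAL):
    """Comptroller-side guard: refuse a non-zero collateral factor while the
    market's share supply is below the policy minimum."""
    return market.total_supply >= min_supply


if __name__ == "__main__":
    donation = 10**24                       # constructed: 1,000,000 tokens
    print(empty_market_scenario(donation))  # rate explodes; 1 wei share claims 2e22
    print(seeded_market_scenario(10**21, donation))   # distortion capped near 1001x
```

The distortion factor works out to roughly 1 + donation / cash, so with a single wei of cash the rate grows by the full donation size, while a seeded market only moves in proportion to donation over seed. The guard is the cheap check a comptroller or deployment script can run before a collateral factor is set; it is not a substitute for seeding, only a way to make an unseeded listing fail closed.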

Parameters

  • Total Loss → $20,000,000 USD (The estimated total value of WETH, VELO, and USDC.e drained from the protocol).
  • Vulnerability Class → Precision Loss (A known arithmetic flaw in Compound V2 forks that allows exchange rate manipulation).
  • Affected Chain → Optimism (The exploit was executed on the Optimism deployment, as the Base deployment had restricted execution permissions).
  • Exploited Collateral → 1 wei (The minimal amount of soVELO token collateral required to redeem millions in underlying assets due to the manipulated exchange rate).

Outlook

Users are advised to immediately withdraw all assets from any Compound V2 fork protocol that has not formally verified a patch for this specific new market deployment logic. The immediate contagion risk is high for any lending protocol that used a similar multi-step, permissionless transaction process for adding new markets. This incident will establish a new security best practice mandating that all critical administrative operations be batched into a single, atomic transaction, or that the executor role be strictly restricted to a trusted entity, to prevent the exploitation of timelock-induced race conditions.

Verdict

This $20 million breach confirms that legacy smart contract architecture, even when audited, remains a systemic risk, demanding an immediate industry-wide shift toward atomic transaction batching for all critical administrative functions.

Lending protocol exploit, flash loan attack, Compound V2 fork, precision loss vulnerability, exchange rate manipulation, Optimism chain, smart contract risk, asset drain, donation attack, multisig execution, timelock bypass, collateral factor, decentralized finance, on-chain forensics, token exchange rate, liquidity pool risk, new market deployment

Signal Acquired from → certik.com

Micro Crypto News Feeds