Briefing

Sonne Finance, a lending protocol on Optimism, suffered a catastrophic $20 million loss from a sophisticated flash loan attack that exploited a known vulnerability in its Compound V2 fork codebase. The primary consequence was the immediate depletion of WETH, VELO, and USDC.e from the protocol’s lending pools, forcing the team to pause all markets on the Optimism chain to prevent further bleeding. The root cause was a precision loss flaw in the exchangeRate calculation, which was manipulated by a direct token “donation” to a newly deployed, empty market. The attack successfully drained approximately $20 million, marking it as the largest exploit to date on the Optimism chain.


Context

The protocol’s reliance on a Compound V2 fork introduced a significant, pre-existing attack surface. This specific precision loss vulnerability, often termed the “donation attack,” was well-documented, having been previously exploited in other Compound forks like Hundred Finance and Onyx Protocol. The risk was amplified by the protocol’s use of multiple, permissionless transactions for new market deployment, creating a critical race condition window for the attacker to execute the exploit.


Analysis

The core system compromised was the smart contract logic governing the exchangeRate calculation within the newly created soVELO market. The attacker first took a flash loan of VELO and then “donated” the tokens directly to the empty contract, which inflated the totalCash but did not increase the totalSupply of the soToken. Because the rate is derived from cash divided by an unchanged, near-zero supply, this action dramatically skewed the exchange rate, and a known rounding error in the underlying Compound V2 code then compounded the effect. With the exchange rate manipulated, the attacker used a minimal amount of soVELO (as little as 1 wei) to redeem the entire donated balance and then drain other markets, effectively turning a minor collateral position into a multi-million dollar withdrawal.
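To make the arithmetic concrete, the following is an added Python model of Compound V2-style exchange-rate accounting (not Sonne Finance's or Compound's code): it shows why a donation to a near-empty market inflates the rate, how truncation in the redeem path under-charges tokens, and a hypothetical pre-listing guard a deployer could run before enabling a market as collateral. The initial rate of 2e26, the guard thresholds, and all amounts are constructed for illustration.

```python
# Constructed model of Compound V2 cToken exchange-rate accounting. Added
# example, not Sonne Finance's or Compound's code; all numbers are illustrative.
MANTISSA = 10**18


class Market:
    def __init__(self, initial_rate: int = 2 * 10**26) -> None:
        self.total_cash = 0
        self.total_borrows = 0
        self.total_reserves = 0
        self.total_supply = 0
        self.initial_rate = initial_rate  # only used while supply is zero

    def exchange_rate(self) -> int:
        if self.total_supply == 0:
            return self.initial_rate
        assets = self.total_cash + self.total_borrows - self.total_reserves
        return assets * MANTISSA // self.total_supply

    def mint(self, underlying: int) -> int:
        tokens = underlying * MANTISSA // self.exchange_rate()
        self.total_cash += underlying
        self.total_supply += tokens
        return tokens

    def donate(self, underlying: int) -> None:
        # Direct ERC-20 transfer into the contract: cash rises, supply does not.
        self.total_cash += underlying

    def tokens_to_burn(self, underlying: int, round_up: bool = False) -> int:
        # Tokens charged when redeeming `underlying`. Compound V2 truncates,
        # which favours the redeemer; the hardened form rounds up instead.
        scaled = underlying * MANTISSA
        rate = self.exchange_rate()
        return -(-scaled // rate) if round_up else scaled // rate


def listing_guard(m: Market, min_supply: int, max_drift: int) -> bool:
    # Assumed check: market must be seeded and its rate within max_drift x initial.
    return m.total_supply >= min_supply and m.exchange_rate() <= m.initial_rate * max_drift


def scenario(seed: int, donation: int) -> dict:
    m = Market()
    m.mint(seed)          # deployer seeds the market; tiny seed = near-empty
    m.donate(donation)    # tokens pushed in without minting
    return {"rate": m.exchange_rate(), "safe": listing_guard(m, 10**12, 10),
            "burn_trunc": m.tokens_to_burn(donation),
            "burn_ceil": m.tokens_to_burn(donation, round_up=True)}
```

With a 1-token seed, truncation charges zero tokens to redeem the whole donation and the guard rejects the market; a seeded market with no donation keeps the initial rate and passes.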


Parameters

  • Total Loss → $20,000,000 USD (The estimated total value of WETH, VELO, and USDC.e drained from the protocol).
  • Vulnerability Class → Precision Loss (A known arithmetic flaw in Compound V2 forks that allows exchange rate manipulation).
  • Affected Chain → Optimism (The exploit was executed on the Optimism deployment, as the Base deployment had restricted execution permissions).
  • Exploited Collateral → 1 wei (The minimal amount of soVELO token collateral required to redeem millions in underlying assets due to the manipulated exchange rate).


Outlook

Users are advised to immediately withdraw all assets from any Compound V2 fork protocols that have not formally verified a patch for this specific new market deployment logic. The immediate contagion risk is high for any lending protocol that utilized a similar multi-step, permissionless transaction process for adding new markets. This incident will establish a new security best practice mandating that all critical administrative operations must be batched into a single, atomic transaction or have the executor role strictly restricted to a trusted entity to prevent the exploitation of timelock-induced race conditions.


Verdict

This $20 million breach confirms that legacy smart contract architecture, even when audited, remains a systemic risk, demanding an immediate industry-wide shift toward atomic transaction batching for all critical administrative functions.

Tags → Lending protocol exploit, flash loan attack, Compound V2 fork, precision loss vulnerability, exchange rate manipulation, Optimism chain, smart contract risk, asset drain, donation attack, multisig execution, timelock bypass, collateral factor, decentralized finance, on-chain forensics, token exchange rate, liquidity pool risk, new market deployment

Signal Acquired from → certik.com
