The DeFi ecosystem suffered another significant blow on May 14, 2024, as Sonne Finance, a decentralized lending protocol operating on the Optimism network, was exploited for approximately $20 million. The attack unfolded in two stages, first draining $3 million from USDC markets and then extracting an additional $17 million from WETH contracts. By the time the Sonne Finance team detected the breach and paused all markets, the damage had already reached catastrophic proportions.
The Exploit Mechanics
The attacker leveraged a well-documented vulnerability known as the “donation attack,” a flaw inherent in lending protocols forked from Compound v2. In this type of exploit, an attacker manipulates the collateral factors within a lending pool to artificially inflate the value of their deposited collateral. This manipulation allows the attacker to borrow substantially more funds than their actual deposit should permit, effectively draining the protocol of its liquidity.
The timing of the attack was particularly sophisticated. Sonne Finance had recently passed a governance proposal to integrate VELO markets, with critical transactions scheduled through a multi-sig wallet protected by a two-day timelock. The attacker anticipated the exact moment when these transactions would execute and positioned four transactions to fire immediately as the timelock expired, setting up the markets for exploitation. Once the collateral factor increase transaction was confirmed, the attacker exploited the inflated parameters to siphon roughly $20 million in assets, including USDC, WETH, and VELO tokens.
Affected Systems
The exploit specifically targeted Sonne Finance’s lending markets on the Optimism Layer 2 network. The protocol, which offers lending, borrowing, and earning opportunities on both Optimism and Base chains, saw its USDC and WETH markets completely drained. The native SONNE token experienced an immediate 55 to 60 percent plunge following news of the exploit, falling to approximately 2.5 cents per token. The platform’s total market capitalization contracted to roughly $4.25 million in the aftermath.
Overnight Finance’s USD+ stablecoin on Optimism was also caught in the crossfire, facing potential losses of up to 74 percent for users who did not exit their positions in time. The cascading impact across interconnected DeFi protocols highlighted the systemic risks that persist within composability-driven financial systems.
The Mitigation Strategy
The Sonne Finance team responded within 25 minutes of detecting the breach, immediately pausing all Optimism markets to prevent further drainage. The team sent an on-chain message to the exploiter, offering a 10 percent bounty, approximately $2 million, in exchange for the return of 90 percent of the stolen funds. Meanwhile, contributors from the Security Alliance, known as Seal911, took decisive action by swiftly adding a minimal amount of VELO to the compromised markets to prevent additional extraction. This rapid response managed to salvage approximately $6.5 million in assets.
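The mechanics described above and the seeding countermeasure Seal911 applied both come down to the Compound v2 exchange-rate formula. As an added illustration (not Sonne Finance's, Compound's or Seal911's own code), this Python model reproduces that formula and shows why a thinly seeded market is fragile while a well-seeded one is not; the initial exchange-rate constant, the sample balances and the check thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace

MANTISSA = 10**18


@dataclass(frozen=True)
class Market:
    """Minimal model of a Compound v2 cToken market's accounting state (constructed example)."""
    cash: int           # underlying tokens held by the cToken contract
    borrows: int        # outstanding borrows, in underlying
    reserves: int       # protocol reserves, in underlying
    total_supply: int   # cTokens outstanding
    # initialExchangeRateMantissa is set per market on deployment; 2e26 (18-decimal
    # underlying, 8-decimal cToken) is a common choice and is assumed here.
    initial_rate: int = 2 * 10**26

    def exchange_rate(self) -> int:
        """Compound v2 exchangeRateStored: the initial rate while no cTokens exist,
        otherwise (cash + borrows - reserves) * 1e18 / totalSupply."""
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply


def donation_rate_multiplier(market: Market, donated: int) -> float:
    """Factor by which the exchange rate grows if `donated` underlying is transferred
    straight to the cToken contract (no cTokens minted, so only `cash` changes)."""
    before = market.exchange_rate()
    after = replace(market, cash=market.cash + donated).exchange_rate()
    return after / before


def safe_to_raise_collateral_factor(market: Market, min_supply: int,
                                    probe_donation: int, max_multiplier: float) -> bool:
    """Pre-flight check for a governance action that enables borrowing against a market:
    refuse unless the market is seeded deeply enough that a donation of `probe_donation`
    cannot move its exchange rate by more than `max_multiplier`."""
    if market.total_supply < min_supply:
        return False
    return donation_rate_multiplier(market, probe_donation) <= max_multiplier


if __name__ == "__main__":
    one_token = 10**18
    # A market holding a single cToken's worth of deposits versus one seeded with 10,000 tokens.
    thin = Market(cash=2 * 10**8, borrows=0, reserves=0, total_supply=1)
    seeded = Market(cash=10_000 * one_token, borrows=0, reserves=0, total_supply=5 * 10**13)
    for name, m in (("thin", thin), ("seeded", seeded)):
        print(f"{name}: rate x{donation_rate_multiplier(m, 1_000 * one_token):.3g} after a 1,000-token donation,",
              "safe" if safe_to_raise_collateral_factor(m, 10**12, 1_000 * one_token, 2.0) else "UNSAFE")
```

Run against a real market, the same check would read `cash`, `totalBorrows`, `totalReserves` and `totalSupply` from the cToken before the timelocked collateral-factor transaction is allowed to execute.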
Lessons Learned
The Sonne Finance exploit underscores several critical lessons for the DeFi industry. First, protocols built on forked codebases must conduct thorough, specialized audits that account for the unique risks introduced by their specific modifications. The donation attack vector was known in the context of Compound v2 forks, yet it was not adequately addressed in Sonne Finance’s implementation. Second, timelock mechanisms, while designed to enhance governance security, can create predictable windows of vulnerability that sophisticated attackers can exploit with precise timing. Protocols must consider the security implications of their timelock configurations and implement additional safeguards around timelock expiration events.
User Action Required
Users who had funds deposited in Sonne Finance’s Optimism markets should monitor official communications from the team regarding recovery efforts and any potential reimbursement plans. Bitcoin traded at approximately $66,267 and Ethereum at $3,037 at the time of the exploit, reflecting a broader market rally driven by softer-than-expected CPI data. The incident serves as a stark reminder that even during bullish market conditions, protocol-level risks remain a persistent threat to DeFi users. Always verify that the protocols you use have undergone comprehensive security audits, and never concentrate your entire portfolio in a single platform.
Disclaimer: The information presented in this article is for educational and informational purposes only and does not constitute financial advice. Always conduct your own research and consult with a qualified financial advisor before making investment decisions.
20M gone and it's the same donation attack vector we’ve seen on three other compound v2 forks this year alone. at some point the template itself becomes the liability
exactly. the real question is why sonne didn’t patch this after the exact same exploit hit miles protocol back in march. zero lessons learned
compound v2 should be retired as a template at this point. every fork inherits the same donation attack surface and governance is too slow to patch
compound v2 forks getting exploited every other month at this point. governance passes integration proposals without audits and this is what happens every single time
paused markets after 20M already drained. what exactly does that accomplish, the attacker was already bridging to ethereum by then
the attacker bridged to ethereum within 20 minutes. by the time the team woke up funds were already being laundered through tornado
bridging to ethereum within 20 minutes is not a speed record to be proud of. the attacker had the exit route planned before the first exploit transaction
velo market integration was the attack vector. governance passed the proposal without a full security review and the attacker exploited the window