On May 14, 2024, Sonne Finance, a non-custodial decentralized lending protocol operating on the Optimism network, fell victim to a sophisticated exploit that drained approximately $20 million from its markets. The attack exploited a well-known vulnerability in Compound v2 forks, marking yet another chapter in the ongoing saga of DeFi security breaches that have plagued the sector since its inception.
The Exploit Mechanics
The attacker used what security researchers call a “donation attack”, a known vulnerability pattern in protocols forked from Compound Finance’s v2 codebase. A Compound v2 market prices its cTokens by an exchange rate derived from the underlying balance held by the contract divided by the outstanding cToken supply. In a freshly created market that supply is close to zero, so an attacker who mints a handful of cTokens and then transfers (“donates”) a large amount of the underlying token directly to the contract, bypassing mint, can push the exchange rate as high as they like. Each of their cTokens then appears to be worth a large amount of collateral, and because the redeem arithmetic rounds the number of cTokens burned down, the attacker can borrow against the inflated position and still withdraw nearly all of the donated tokens, leaving the borrow unbacked. The attack only works while the market is almost empty, and only once the market has a non-zero collateral factor, which is why the ordering of the governance transactions mattered.
The critical twist in Sonne Finance’s case was timing. The protocol had recently passed a governance proposal to add VELO markets, with the required transactions queued through a multi-sig wallet behind a two-day timelock. The attacker watched the timelock and, the moment it expired, executed the four queued transactions: the ones that created the markets first, and the one that raised the VELO collateral factor last. That sequencing produced exactly the precondition the donation attack needs, a newly created and still empty market that had just become usable as collateral, before any legitimate depositor had supplied to it.
With Bitcoin trading at approximately $61,550 and Ethereum around $2,880 at the time of the attack, the $20 million loss represented a significant blow to the Optimism-based protocol and its users who had trusted the platform with their assets.
Affected Systems
The exploit specifically targeted Sonne Finance’s markets on the Optimism Layer 2 network. Sonne Finance operates as a lending and borrowing protocol, similar to Compound and Aave, allowing users to supply assets as collateral and borrow against them. The protocol had been building a presence on Optimism as part of the broader DeFi expansion onto Layer 2 solutions.
The affected markets included various token pairs that had been configured through the VELO integration proposal. The attacker’s transactions were executed on-chain and are fully traceable through Optimism Etherscan, with the attack transaction hash documented for forensic analysis. The immediate impact was the draining of liquidity from multiple lending pools, leaving depositors unable to withdraw their funds.
The Mitigation Strategy
In the immediate aftermath, the Sonne Finance team took several steps to contain the damage. They promptly paused all markets on Optimism to prevent further exploitation and began coordinating with security researchers and on-chain investigators. The team sent an on-chain message to the exploiter, offering a 10% bounty — approximately $2 million — in exchange for the return of 90% of the stolen funds.
The rapid response of the crypto security community also limited the damage. Contributors from Seal911, part of the Security Alliance, salvaged approximately $6.5 million by supplying a minimal amount of VELO to the affected markets before the attacker could drain them completely. The deposit works because the donation attack depends on the attacker holding essentially the entire cToken supply of an empty market; once someone else holds even a dust balance, inflating the exchange rate mostly benefits that other holder and the attack stops being profitable. The intervention demonstrated the growing capability of white-hat responders in the DeFi ecosystem.
Lessons Learned
The Sonne Finance exploit reinforces several security lessons for the DeFi community. First, Compound v2 forks remain vulnerable to donation attacks by default, and any protocol built on this codebase must add safeguards the original design lacks. The attack needs a market whose cToken supply is near zero, so the standard defence is to seed every new market at creation, minting an initial cToken balance that is burned or permanently locked, and to leave the collateral factor at zero until that seed is in place. The vulnerability has been documented extensively, yet projects continue to launch without these protections.
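The mechanics described under The Exploit Mechanics, and the reason the Seal911 dust deposit described under The Mitigation Strategy works, as an added example that is not code from Sonne Finance or Compound. It is an integer-arithmetic model of a Compound v2 cToken market written for this article: exchange_rate, mint and redeem_underlying follow CToken’s rounding (every division truncates), and collateral_value follows the comptroller’s order of operations, with reserves, interest and the oracle simplified away (price fixed at 1.0, a 50% collateral factor, and the dust, seed and donation sizes are assumed values). run_attack replays the script, borrow against the inflated position and then redeem almost everything while burning only one cToken, once on an empty market and once on a market somebody else has already seeded:

```python
# Added example, not Sonne Finance or Compound code: integer model of a Compound v2
# cToken market, used to replay the empty-market donation attack and to show why a
# dust deposit by anyone else (the Seal911 response) makes the same script unprofitable.
EXP = 10**18                     # Compound's 1e18 fixed-point scale
INITIAL_RATE = 2 * 10**26        # Compound's initial exchange rate for an 18-decimal underlying
COLLATERAL_FACTOR = 5 * 10**17   # 50%, a hypothetical value set by governance
PRICE = EXP                      # oracle price of 1.0, so values are in underlying units


class Market:
    """Minimal CToken state: cash backs total_supply cTokens (no reserves, no interest)."""

    def __init__(self):
        self.cash = 0
        self.total_supply = 0
        self.balances = {}

    def exchange_rate(self):
        # CToken.exchangeRateStoredInternal: fixed initial rate while the market is empty,
        # otherwise cash * 1e18 / totalSupply, truncated
        if self.total_supply == 0:
            return INITIAL_RATE
        return self.cash * EXP // self.total_supply

    def mint(self, who, amount):
        tokens = amount * EXP // self.exchange_rate()   # mintTokens = div_(mintAmount, rate)
        self.cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount):
        # Plain ERC20 transfer to the cToken address: raises cash, mints nothing
        self.cash += amount

    def redeem_underlying(self, who, amount):
        # CToken.redeemFresh with redeemAmountIn set: redeemTokens = div_(amount, rate),
        # which rounds the number of cTokens burned DOWN
        tokens = amount * EXP // self.exchange_rate()
        if tokens > self.balances[who] or amount > self.cash:
            raise ValueError("insufficient cToken balance or market cash")
        self.balances[who] -= tokens
        self.total_supply -= tokens
        self.cash -= amount
        return tokens


def collateral_value(tokens, rate):
    # Comptroller liquidity calculation: tokensToDenom = cf * rate * price, then * balance
    tokens_to_denom = COLLATERAL_FACTOR * rate // EXP * PRICE // EXP
    return tokens_to_denom * tokens // EXP


def run_attack(seed_amount, donation):
    """Replay the attack against a fresh market; return the attacker's net gain in
    underlying units (borrowed value + withdrawn underlying - everything paid in)."""
    m = Market()
    if seed_amount:
        m.mint("seeder", seed_amount)    # someone else holds cTokens before the attacker
    spent = 0
    dust = 4 * 10**8                     # assumed: exactly 2 cTokens at INITIAL_RATE
    m.mint("attacker", dust)
    spent += dust
    m.donate(donation)                   # assumed donation size, inflates the exchange rate
    spent += donation
    rate = m.exchange_rate()
    bal = m.balances["attacker"]
    keep = 1
    # Borrow exactly what the single cToken kept after the redeem will still cover
    borrowed = collateral_value(keep, rate)
    assert collateral_value(bal, rate) >= borrowed            # comptroller borrow check
    # Largest redeemAmountIn that still rounds down to burning only bal - keep cTokens
    amount = min(((bal - keep + 1) * rate - 1) // EXP, m.cash)
    burned = m.redeem_underlying("attacker", amount)
    assert collateral_value(bal - burned, rate) >= borrowed   # comptroller redeem check
    return borrowed + amount - spent


if __name__ == "__main__":
    D = 10_000 * 10**18   # constructed: 10,000 tokens donated
    print("empty market, attacker net:", run_attack(0, D))
    print("seeded with 10 cTokens, attacker net:", run_attack(2 * 10**9, D))
```

On the empty market the attacker walks away with borrowed assets worth the collateral factor times half the donation, having also recovered the donation itself minus one wei, and the market is left holding one cToken backed by one wei of cash, ready to be re-inflated and drained again. With ten cTokens already held by a seeder the identical script loses most of the donation, which is why supplying dust to the remaining markets was enough to protect them.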
Second, the timing-based nature of this exploit highlights the risk in timelock-governed protocol upgrades. Timelocks exist to give users transparency and time to react, but they also publish in advance the exact moment a privileged change becomes executable, and a queued transaction that is only safe when executed in a particular order, or after some other step has happened, turns that moment into an attack window. Protocols should monitor queued governance transactions, alert as their execution time approaches, and keep circuit breakers ready to pause markets if anomalous behaviour follows execution.
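A monitoring check of the kind this paragraph calls for, as an added example that is not Sonne Finance’s tooling. It assumes a Compound-style Timelock, whose QueueTransaction event exposes target, signature, data (the ABI-encoded arguments without the function selector, which is how Timelock.executeTransaction builds its call) and eta (the earliest execution time), plus a snapshot of each market’s cToken supply kept by the operator; the queued rows, addresses and timestamps below are constructed for illustration. assess flags watched governance calls that are executable now or become executable within a lead time, decodes their arguments from raw 32-byte words, and marks a collateral-factor change aimed at a market with zero supply, the precondition of the donation attack:

```python
# Added example, not Sonne Finance's tooling: a detection rule over queued
# Compound-style Timelock transactions. All inputs below are constructed.
GRACE_PERIOD = 14 * 24 * 3600   # Timelock.GRACE_PERIOD: executable while eta <= now <= eta + 14d
WATCHED = {"_supportMarket(address)", "_setCollateralFactor(address,uint256)"}

# Constructed inputs: hypothetical comptroller and new-market addresses, one queued proposal
COMPTROLLER = "0x" + "0" * 36 + "c0de"
MARKET = "0x" + "0" * 34 + "c0ffee"
SAMPLE_ETA = 1_715_600_000                    # constructed unix timestamp
ADDR_WORD = "00" * 12 + MARKET[2:]            # an address is right-aligned in a 32-byte word
SAMPLE_QUEUE = [
    {"target": COMPTROLLER, "signature": "_supportMarket(address)",
     "data": "0x" + ADDR_WORD, "eta": SAMPLE_ETA},
    {"target": COMPTROLLER, "signature": "_setCollateralFactor(address,uint256)",
     "data": "0x" + ADDR_WORD + format(5 * 10**17, "064x"), "eta": SAMPLE_ETA},
    {"target": COMPTROLLER, "signature": "_setPriceOracle(address)",
     "data": "0x" + ADDR_WORD, "eta": SAMPLE_ETA},   # not a watched call, ignored
]
SAMPLE_SUPPLY = {}   # cToken totalSupply per market; the new market has none yet


def decode_words(data_hex):
    """Split ABI-encoded static arguments into 32-byte words."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(raw) % 32:
        raise ValueError("ABI data is not word aligned")
    return [raw[i:i + 32] for i in range(0, len(raw), 32)]


def decode_address(word):
    return "0x" + word[12:].hex()


def decode_uint(word):
    return int.from_bytes(word, "big")


def assess(queued, market_supply, now, lead=3600):
    """Return alerts for watched governance calls that are executable now or within
    `lead` seconds; flag collateral-factor changes on markets with zero cToken supply."""
    alerts = []
    for tx in queued:
        sig = tx["signature"]
        if sig not in WATCHED:
            continue
        words = decode_words(tx["data"])
        market = decode_address(words[0])
        executable = tx["eta"] <= now <= tx["eta"] + GRACE_PERIOD
        opens_soon = now < tx["eta"] <= now + lead
        if not (executable or opens_soon):
            continue
        alert = {"signature": sig, "target": tx["target"], "market": market,
                 "eta": tx["eta"], "executable_now": executable}
        if sig.startswith("_setCollateralFactor"):
            cf = decode_uint(words[1])
            alert["collateral_factor"] = cf / 10**18
            # The donation attack needs a usable collateral factor on an empty market
            alert["empty_market"] = cf > 0 and market_supply.get(market, 0) == 0
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in assess(SAMPLE_QUEUE, SAMPLE_SUPPLY, now=SAMPLE_ETA - 600):
        print(a)
```

In practice the queued rows come from the Timelock’s QueueTransaction logs and the supply snapshot from a totalSupply call on each market just before eta; an empty_market hit on a collateral-factor change is the signal to seed the market, or to cancel the queued transaction, before the window opens.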
Third, the rapid response from Seal911 and the broader security community demonstrates the value of proactive security partnerships. Protocols that establish relationships with white-hat responders before incidents occur are better positioned to limit damage when exploits happen.
User Action Required
Users who had funds deposited in Sonne Finance’s Optimism markets should monitor the protocol’s official communication channels for updates on fund recovery efforts. The $6.5 million salvaged by the Security Alliance, combined with any funds potentially returned through the bounty offer, may form the basis of a partial reimbursement plan. Users should exercise caution with any unsolicited messages claiming to offer recovery assistance, as post-exploit phishing attempts are common. Additionally, DeFi users across all platforms should review their exposure to Compound v2 fork protocols and assess whether the platforms they use have implemented adequate protections against known donation attack vectors.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.
compound v2 forks getting exploited every other month and nobody learns. $20m drained because a timelock window was sitting open for 2 days with no monitoring in place
the two-day timelock is standard for governance changes but you’re right, having zero alerts on pending multisig tx for a protocol holding $20m is negligence
two-day timelock on a multisig holding $20m is wild. you could literally set up a telegram bot to watch pending tx in 10 lines of python
This is exactly the kind of development the space needs
the attacker timed it perfectly with the VELO market integration governance vote. watched the proposal pass, waited for the timelock, executed. cold blooded
watching governance proposals for attack windows is becoming a full time job. seen 3 exploits this year alone that followed the same pattern
exactly. this is why i stay away from any protocol mid-governance-change. that window between proposal execution and deployment is when you’re most exposed
the attacker watched the VELO governance vote pass and just waited. coldest execution I’ve seen since the mango markets exploit
compound v2 has known donation attack vectors documented since 2020. at this point if you’re forking it without additional safeguards that’s on you
burn_cobra_ facts. compound v2 donation vectors were literally in the openaudit docs from 2022. forking without wrapping collateralFactor checks is just asking for it
The fundamental value proposition of crypto keeps getting stronger