The decentralized lending protocol Sonne Finance suffered a devastating exploit on May 14, 2024, losing approximately $20 million to an attacker who combined a long-known weakness in Compound v2 forks with the predictable execution of timelocked governance transactions. The incident underscores the persistent vulnerabilities facing DeFi platforms built on forked codebases, even as the broader crypto market navigates a period of elevated prices and increased on-chain activity.
The Exploit Mechanics
The attacker targeted a well-known weakness in Compound v2 forks, the "donation attack" (also described as empty-market or exchange-rate manipulation). A cToken market's exchange rate is its underlying cash divided by its cToken supply. In a market that has just been listed and holds only a handful of cTokens, transferring underlying tokens directly to the contract inflates the value of every remaining cToken, and the truncating division in the redeem path then lets the holder withdraw almost the entire donation while burning only part of the position and keeping the loan taken against it. The precondition is a collateral-enabled market with an empty supply, and that is what the governance timing supplied. Sonne Finance had passed a proposal to add VELO markets, with the transactions queued through a multisig behind a 2-day timelock; once the delay elapsed they could be executed, and the moment of expiry was public. The attacker waited for that window, executed the four queued transactions (creating the markets and raising their collateral factors) before anyone had deposited into them, and then ran the donation sequence against the empty market.
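What that sequence does arithmetically, and why seeding a market defeats it, is easiest to see by running it. The following Python model is an added example, not code from Sonne Finance or Compound. It mirrors the integer arithmetic of Compound v2's CToken (exchange rate, mint, redeem with truncation) and assumes a collateral factor of 0.7, a 500-token donation, a 1:1 price between the collateral and the borrowed asset, and a one-token protocol seed for the mitigated case; the CToken, Comptroller and run_attack names are the example's own.

```python
"""Toy model of the Compound v2 empty-market "donation" attack and its fix.

Added example, not code from Sonne Finance or Compound. It copies the integer
arithmetic of Compound v2's CToken (exchange rate, mint, redeem) into Python so
the sequence and the mitigation can be run offline. Amounts, the collateral
factor and the 1:1 price between collateral and borrowed asset are assumed;
the underlying is taken to have 18 decimals and the cToken 8, which gives
Compound's initial exchange rate mantissa of 2e26.
"""

MANTISSA = 10**18
INITIAL_EXCHANGE_RATE = 2 * 10**26  # 0.02 * 10**(18 + 18 - 8), as in Compound v2


class CToken:
    """Minimal cToken market: no interest accrual, no reserves."""

    def __init__(self):
        self.cash = 0          # underlying held by the contract
        self.total_supply = 0  # cTokens outstanding
        self.balances = {}     # account -> cTokens

    def exchange_rate(self):
        # Compound v2 uses the initial rate while totalSupply is zero,
        # otherwise (cash + borrows - reserves) * 1e18 / totalSupply.
        if self.total_supply == 0:
            return INITIAL_EXCHANGE_RATE
        return self.cash * MANTISSA // self.total_supply

    def mint(self, account, amount):
        tokens = amount * MANTISSA // self.exchange_rate()  # truncates
        self.cash += amount
        self.total_supply += tokens
        self.balances[account] = self.balances.get(account, 0) + tokens
        return tokens

    def donate(self, amount):
        # A plain ERC-20 transfer to the contract: cash rises, no cTokens minted.
        self.cash += amount

    def collateral_value(self, account):
        return self.balances.get(account, 0) * self.exchange_rate() // MANTISSA

    def redeem_underlying(self, account, amount, comptroller):
        rate = self.exchange_rate()
        tokens = amount * MANTISSA // rate  # truncation: the precision-loss vector
        remaining = (self.balances[account] - tokens) * rate // MANTISSA
        comptroller.require_solvent(account, remaining)
        self.cash -= amount
        self.total_supply -= tokens
        self.balances[account] -= tokens
        return tokens


class Comptroller:
    """Single collateral factor; debt is denominated in the same unit as cash."""

    def __init__(self, collateral_factor_mantissa):
        self.cf = collateral_factor_mantissa
        self.debt = {}

    def require_solvent(self, account, collateral):
        if self.debt.get(account, 0) * MANTISSA > collateral * self.cf:
            raise RuntimeError("insufficient liquidity")

    def borrow(self, account, amount, market):
        new_debt = self.debt.get(account, 0) + amount
        if new_debt * MANTISSA > market.collateral_value(account) * self.cf:
            raise RuntimeError("insufficient liquidity")
        self.debt[account] = new_debt


def run_attack(seed, donation, cf_mantissa=7 * 10**17):
    """Attacker's profit in wei of underlying (negative means the attack loses).

    seed: underlying the protocol mints into the market when it is listed
          (0 reproduces the empty market the attacker found);
    donation: underlying the attacker transfers straight to the contract.
    """
    market, comp = CToken(), Comptroller(cf_mantissa)
    if seed:
        market.mint("protocol", seed)
    # 1. Mint the smallest deposit that yields exactly two cTokens.
    stake = -(-2 * market.exchange_rate() // MANTISSA)  # ceiling division
    assert market.mint("attacker", stake) == 2
    # 2. Donate: each cToken is now backed by half of the donation.
    market.donate(donation)
    per_token = market.exchange_rate() // MANTISSA
    # 3. Borrow what a single cToken supports, so burning the other one
    #    still passes the liquidity check.
    borrowed = per_token * cf_mantissa // MANTISSA
    comp.borrow("attacker", borrowed, market)
    # 4. Redeem just under two cTokens' worth; truncation burns only one.
    redeemed = 2 * per_token - 1
    assert market.redeem_underlying("attacker", redeemed, comp) == 1
    # The debt is never repaid and the last cToken is left behind.
    return borrowed + redeemed - stake - donation


if __name__ == "__main__":
    velo = 500 * 10**18  # donation size chosen for illustration
    print("empty market profit :", run_attack(0, velo) / 10**18)
    print("seeded market profit:", run_attack(10**18, velo) / 10**18)
```

Running it shows a profit of roughly 175 tokens (half the donation times the collateral factor) against the empty market, and a loss of roughly 500 tokens when the protocol seeded the market with a single token before enabling it as collateral: the donation is then shared with the seed, and the truncation on one cToken is worth a tiny fraction of a token instead of half the pool. That is why adding even a small deposit to the not-yet-drained VELO markets was enough to stop the remaining losses.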
Affected Systems
The attack primarily impacted Sonne Finance, a non-custodial lending protocol (a Compound v2 fork) operating on the Optimism network. The protocol, which allows users to lend and borrow various cryptocurrencies, saw its lending pools drained of approximately $20 million in digital assets. Its native token, SONNE, plunged 55% in the hours following the attack, reflecting investor panic and a sharp loss of confidence. The exploit also exposed risks across the broader ecosystem of Compound v2 forks, many of which share the same market-listing and exchange-rate code. Optimism, the Layer 2 network hosting the protocol, was not itself compromised, but the incident highlights the growing attack surface on Ethereum Layer 2 networks as DeFi activity migrates to them.
The Mitigation Strategy
Following the attack, the Sonne Finance team paused all markets to prevent further losses. The protocol sent an on-chain message to the exploiter, offering a 10% bounty in exchange for the return of 90% of the stolen funds. Contributors from SEAL 911, the Security Alliance's emergency response group, intervened swiftly and salvaged approximately $6.5 million by depositing a small amount of VELO into the markets the attacker had not yet drained; a market that holds a real cToken supply no longer gives a donation the leverage the attack depends on. Immunefi, the bug bounty platform that also publishes monthly loss reports, reported that May 2024 saw $52 million in total losses across the industry, a 12% decrease compared to May 2023. Hacks accounted for $50 million across 14 incidents, while fraud represented just $1.7 million, or 3.3% of total losses.
Lessons Learned
The Sonne Finance exploit reinforces several lessons for DeFi protocols. First, a timelock makes governance actions public and their execution time predictable, so any queued action that is only safe if a precondition holds (here, that a new market holds deposits before it is enabled as collateral) must enforce that precondition itself or be bundled atomically with the step that establishes it; delay alone is not protection. Second, protocols built on forked code inherit not just functionality but also the known vulnerabilities of their parent codebases, and the empty-market donation attack has been documented in Compound v2 fork audits for years. Third, the speed of response matters enormously: the SEAL 911 responders saved $6.5 million by acting within minutes. Finally, DeFi targets dominated May 2024 losses, with CeFi platforms suffering no major attacks that month, which suggests that decentralized architectures remain more exposed to technical exploits than their centralized counterparts.
User Action Required
Users who had funds deposited in Sonne Finance should monitor official channels for updates on the recovery process and any potential reimbursement plans. Those interacting with other Compound v2 forks should verify whether their platforms have addressed the donation attack: the usual fix is to seed every new market with an initial deposit that is minted and locked in the same transaction that lists it, so that a collateral factor is never raised on a market with an empty cToken supply. As Bitcoin trades at approximately $61,400 and Ethereum at $2,928, the broader market remains in a bullish phase, but investors should exercise heightened due diligence when allocating capital to DeFi protocols, particularly those on newer Layer 2 networks. Always verify audit reports and check whether protocols have implemented time-tested security measures before depositing significant funds.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.
compound v2 forks and the donation attack vector, it's literally in every audit report since 2022. how does a team launching on optimism miss this
bro the attacker queued 4 txs to execute right when the timelock ended. that's not sophisticated, that's just watching the mempool with patience lol
watching the mempool for timelock expiry is basic MEV strategy. the attacker was patient, not genius. teams need to randomize execution windows or use commit-reveal
compound v2 donation attack is literally chapter 1 in every defi audit guide since 2022. if your protocol forks it you need to address every known vulnerability by default
every compound v2 fork has the same donation attack in its audit findings. teams see it, acknowledge it, then somehow still ship without fixing it
The timelock window exploit is the real story here. Scheduling governance transactions on a 2-day timelock with no slippage protection gave the attacker a predictable execution window. Teams need to stagger these.
$20m gone because a governance proposal execution window was predictable. defi governance needs an overhaul, timelocks alone are not enough
timelocks are transparent by design, maybe that's the problem. execution privacy for governance actions would prevent front-running