Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 191 · Smart Contract Bug

Sonne Finance Donation Attack

Sonne Finance lost roughly $20M on Optimism to a 'donation attack', the well-known Compound v2 fork exploit that hits the window between creating a new market and seeding it.

Date: May 14, 2024
Chain(s): Optimism
Status
Funds Stolen: ~$20M

On May 14, 2024, the Optimism-based lending protocol Sonne Finance lost approximately $20 million to a textbook "donation attack" — a known vulnerability class in Compound v2 forks that has accounted for over $50M in cumulative losses across half a dozen protocols.

What happened

Compound v2's market-deployment flow has two steps:

  1. Deploy the new market contract (Sonne's soVELO for VELO collateral; cVELO in Compound's own naming).
  2. Seed the market with an initial deposit, so that totalSupply is large enough that no later donation can move the exchange rate between the underlying token and the cToken in a single depositor's favour.

Done in one atomic transaction, nobody can act between the two steps and the flow is safe. Split into separate transactions on a permissionless chain, the window between them is exploitable.

Sonne's market-listing process split deployment across multiple transactions to fit its governance flow. In the window between the two steps:

  1. The attacker flash-borrowed 35.5M VELO.
  2. They minted a dust amount of soVELO, leaving totalSupply tiny but non-zero. This step matters: while totalSupply is zero, exchangeRateStored returns the fixed initialExchangeRateMantissa and a donation changes nothing.
  3. They transferred the VELO directly to the soVELO contract (the "donation": a plain ERC-20 transfer, no minting). totalCash jumped; totalSupply stayed at the dust amount.
  4. Compound v2 derives the exchange rate as (totalCash + totalBorrows - totalReserves) / totalSupply, so the rate rose by many orders of magnitude and the dust soVELO was now valued as collateral worth the entire donation. The attacker borrowed the other markets' deposits against it, then used the rounding in redeemUnderlying (tokens burned = amount / exchangeRate, rounded down, while the liquidity check prices the tokens left at the pre-redeem rate) to pull the donated VELO back out and repay the flash loan without giving up the borrowed assets.

By repeating the manoeuvre, the attacker drained roughly $20M of deposits from Sonne's markets before the team caught up.
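To make the arithmetic concrete, here is an added example, written for this dossier and not code from Sonne, Compound or the cited post-mortems. It models Compound v2's cToken accounting in Python with the same integer formulas (exchangeRateStoredInternal, mintFresh, redeemFresh and the Comptroller's hypothetical liquidity check) and runs one attack round against an empty market and then against a seeded one. The VELO price, collateral factor, dust and seed amounts are constructed for illustration and are not Sonne's on-chain state.

```python
# Added illustration (not Sonne's or Compound's code): a toy model of Compound v2
# cToken accounting in integer maths with Compound's 1e18 mantissa. The formulas
# mirror exchangeRateStoredInternal(), mintFresh(), redeemFresh() and the
# Comptroller's getHypotheticalAccountLiquidity(); the amounts, price and
# collateral factor are constructed for illustration, not Sonne's on-chain state.

EXP = 10**18               # Compound's expScale
VELO = 10**18              # 18-decimal underlying
USD = 10**18               # oracle price and liquidity are 1e18-scaled USD
INITIAL_RATE = 2 * 10**26  # Compound's usual initial rate: 0.02 underlying per cToken
VELO_PRICE = 10**17        # assumed $0.10 per VELO (constructed)
CF = 35 * 10**16           # assumed 35% collateral factor (constructed)


class CToken:
    """Minimal cToken: only the state the exchange rate depends on."""

    def __init__(self, initial_rate):
        self.initial_rate = initial_rate
        self.total_cash = 0       # underlying held by the contract, i.e. getCash()
        self.total_borrows = 0
        self.total_reserves = 0
        self.total_supply = 0
        self.balances = {}

    def exchange_rate(self):
        # Empty market: the configured constant. Otherwise the rate is derived from
        # balances, so a raw transfer moves it while totalSupply stays where it is.
        if self.total_supply == 0:
            return self.initial_rate
        return (self.total_cash + self.total_borrows - self.total_reserves) * EXP // self.total_supply

    def mint(self, who, amount):
        # mintFresh(): tokens = amount / rate, rounded down
        tokens = amount * EXP // self.exchange_rate()
        self.total_cash += amount
        self.total_supply += tokens
        self.balances[who] = self.balances.get(who, 0) + tokens
        return tokens

    def donate(self, amount):
        # ERC20.transfer(address(cToken), amount): cash rises, nothing is minted
        self.total_cash += amount

    def value_usd(self, tokens, rate=None):
        # Comptroller: tokensToDenom = cf * rate * price / 1e36; value = tokensToDenom * tokens / 1e18
        rate = self.exchange_rate() if rate is None else rate
        return CF * rate // EXP * VELO_PRICE // EXP * tokens // EXP

    def redeem_underlying(self, who, amount, debt_usd):
        # redeemFresh(redeemAmountIn): burn floor(amount / rate) tokens and pay out `amount`.
        # redeemAllowed() prices the tokens that remain with the rate read BEFORE the payout.
        rate = self.exchange_rate()
        tokens = amount * EXP // rate
        if tokens > self.balances.get(who, 0) or amount > self.total_cash:
            raise ValueError("insufficient cTokens or cash")
        left = self.balances[who] - tokens
        if self.value_usd(left, rate) < debt_usd:
            raise ValueError("redeem would leave a shortfall")
        self.balances[who] = left
        self.total_supply -= tokens
        self.total_cash -= amount
        return tokens


def attack_round(seed_amount=0):
    """One round against a freshly created VELO market.

    seed_amount=0 is the unseeded market left open between the two deployment
    steps; a positive seed is the second step, done by the deployer before
    anyone else can act.
    """
    m = CToken(INITIAL_RATE)
    if seed_amount:
        m.mint("deployer", seed_amount)
    donation = 35_500_000 * VELO
    # 1. dust mint: 4e8 wei of VELO buys exactly 2 cToken units at a 2e26 rate
    m.mint("attacker", 4 * 10**8)
    # 2. donation: cash jumps, supply does not, so cash / supply explodes
    m.donate(donation)
    rate = m.exchange_rate()
    # 3. borrow other markets' deposits up to the value of all but one dust token,
    #    so the one token kept still satisfies the redeem check below
    debt = m.value_usd(m.balances["attacker"] - 1, rate)
    # 4. redeem by underlying amount, just under the value of the whole dust position:
    #    floor() burns one token fewer, and the kept token is priced at the old rate
    withdraw = m.balances["attacker"] * rate // EXP - 1
    m.redeem_underlying("attacker", withdraw, debt)
    return {
        "rate_after_donation": rate,
        "borrowed_usd": debt,                      # kept by the attacker
        "velo_recovered": withdraw,                # repays the flash loan
        "market_cash_after": m.total_cash,
        "collateral_left_usd": m.value_usd(m.balances["attacker"]),
        "deployer_collateral_usd": m.value_usd(m.balances.get("deployer", 0)),
    }


if __name__ == "__main__":
    for seed in (0, 1_000 * VELO):
        r = attack_round(seed)
        print(f"seed={seed // VELO} VELO: borrowed ${r['borrowed_usd'] // USD}, "
              f"recovered {r['velo_recovered'] / VELO:.6f} VELO, "
              f"bad debt ${(r['borrowed_usd'] - r['collateral_left_usd']) // USD}")
```

Run it and the unseeded round borrows about $621K of other markets' deposits, recovers the whole donation plus the dust to repay the flash loan, and leaves the market with one wei of cash behind the debt. With a 1,000 VELO seed the same moves net the attacker well under a dollar, because the donation accrues pro rata to whoever holds the supply, which is now the deployer. The borrow in step 3 stops at the value of one token on purpose: redeemAllowed() prices the remaining tokens at the pre-redeem rate, so keeping exactly one token is what lets the donated cash leave while the debt stays.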

Aftermath

  • Sonne's team detected the exploit roughly 25 minutes after the first attack transaction.
  • They paused affected markets and offered a 10% white-hat bounty. The attacker declined and laundered through Tornado Cash.
  • Sonne Finance ultimately wound down lending operations on Optimism.

Why it matters

The donation attack on Compound v2 forks has been documented for years, and the mitigation is equally well known: seed every new market before it can be used as collateral, in the same transaction that creates it. Forks that ship without that integrated market-deployment step, including Hundred Finance, Midas Capital and Onyx Protocol, have been exploited by the same pattern.

It is the cleanest illustration of why forking a security-sensitive codebase is not the same as inheriting its security: a fork has to track not only the upstream's patches but the upstream's assumptions about how to deploy safely. The cost of skipping that step is well documented, in dollars.

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-sonne-finance-hack-may-2024
  2. [02] certik.com: https://www.certik.com/resources/blog/sonne-finance-incident-analysis
  3. [03] medium.com (Sonne Finance post-mortem): https://medium.com/@SonneFinance/post-mortem-sonne-finance-exploit-12f3daa82b06
