Sonne Finance, a decentralized non-custodial lending protocol on Optimism and Base, appears to have been exploited for at least $20 million, according to blockchain security firm PeckShield’s estimates. 

 

In an update on X, the Sonne Finance team said it had paused all markets on Optimism, noting that markets on Base remained safe. 

Sonne Finance is a fork of Compoud V2, whose original codebase has certain documented vulnerabilities that protocols who copy the code have to be mindful of patching. The same bug has been exploited before in the case of Hundred Finance and Midas Capital last year, where the attacker manipulates the exchange rate to inflate the value of collateral, using just a small amount of tokens to drain lending pools.

In the case of Sonne Finance’s exploit, the team deployed a new market contract for VELO and a governance proposal to activate it. After the proposal was passed four days later, the attacker made sure they were the first to execute the contract after the 24-hour timelock on the contract had expired.

 

According to data from DeFiLlama, Compound V2 has 128 forks, but that doesn’t necessarily put all of them at risk to the same type of exploit. As long as these protocols activate new markets without enabling collateral, and ensure there are never zero suppliers in the market. 

Meanwhile, one MEV researcher who goes by the X handle “@tonyke_bot” from blockchain security startup Fuzzland, said the team managed to save $6.5 million from the attacker by adding$100 in collateral to the soVELO pool.

In a post mortem report, the Sonne Finance team published a list of wallet addresses tied to the exploiter. They noted that the multisig execution was not permissionless on Base, but was permissionless on Optimism which is what enabled the exploiter to carry out the attack. 

“We are sincerely sorry about the situation, and we are doing everything in our power and we are in contact with anyone that can help with recovering the funds,” said the team.