defirisk.co
rubric v1.7.0

Sonne Finance: Compound V2 empty-market donation attack — permissionless governance execution + exchange rate manipulation

Sonne Finance lost $20M to the exact same Compound V2 donation attack that hit Hundred Finance a year earlier, after their own auditor explicitly flagged the vulnerability as high-severity.

Occurred 2024-05-14 Loss $20M Status closed

Summary #

Sonne Finance suffered a Lending / Money Market (Compound V2 fork) on 2024-05-14, resulting in a loss of approximately $20M.

What happened #

Sonne Finance lost $20M to the exact same Compound V2 donation attack that hit Hundred Finance a year earlier, after their own auditor explicitly flagged the vulnerability as high-severity.

Linked factors #

  • RD-F-001 — causal : ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
  • RD-F-006 — causal : Audit-deploy gap (RD-F-006 time between audit and deploy) [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — New VELO market was being activated; the vulnerability existed in the base Compound V2 fork code activated by the new market] || Audit-deploy gap — alternate field name [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — New VELO market was being activated; the vulnerability existed in the base Compound V2 fork code activated by the new market]
  • RD-F-008 — causal : Ignored disclosure — closest [via cross-hack: Factor 19: Audit Finding Not Communicated to Team] || Ignored bug bounty disclosure — adjacent [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]
  • RD-F-036 — related : ★ Flash-loanable voting weight — adjacent [via cross-hack: Factor 31: Permissionless Governance Execution Window]
  • RD-F-038 — causal : Proposal execution delay < 24h [via cross-hack: Factor 31: Permissionless Governance Execution Window]
  • RD-F-046 — related : ★ Contract unverified at launch — adjacent (no public ABI as a permissionless variant) [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
  • RD-F-072 — causal : Market-listing governance threshold = permissionless [via cross-hack: Factor 7: Permissionless Feature Without Safety Validation]
  • RD-F-100 — illustrative : Flash loan > $10M origination — RT signal [via realtime_signals/Unusual borrowing: Y — Massive flash-loan-funded borrowing across multiple markets in a single transaction]
  • RD-F-101 — illustrative : Large governance proposal queued — RT signal would have fired [via realtime_signals/Governance/admin action: Y — Governance proposal added new market with collateral factor; permissionless execution on Optimism]
  • RD-F-126 — causal : Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked?: Y — Compound V2 fork]
  • RD-F-127 — related : Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked?: Y — Compound V2 fork]
  • RD-F-146 — related : New deploys in last 30 days — fresh attack surface [via dashboard_risk_factors/Exploited code newly deployed/upgraded?: Y — New VELO market was being activated; the vulnerability existed in the base Compound V2 fork code activated by the new market]
  • RD-F-177 — causal : Cat 13: Prior known-ignored disclosure [via cross-hack: Factor 3: Ignored / Dismissed Security Disclosure]