Lending protocol Sonne Finance faces $20 million exploit, pauses markets on Optimism

Sonne Finance, a decentralized lending protocol, experienced an exploit on Wednesday morning in Asia, resulting in losses amounting to approximately $20 million.

The project said in a post-mortem report that it was exploited due to a vulnerability in Compound v2 forks (Sonne is one). The hacker “was able to exploit the protocol for ~$20M with the known donation attack.”

In response to the attack, Sonne Finance wrote in a post on X that it had paused all markets on Optimism, while those on Base remained operational.

Sonne Finance’s move came shortly after blockchain security firm PeckShield warned on X and advised Sonne to check their timelock contract. The team added that it became aware of the issue “25 minutes after the exploit.”

The team explained in the post-mortem that it recently passed a proposal to add VELO markets to Sonne. 

“We scheduled the transactions on multisig wallet, and because there is 2 days timelock, we also scheduled c-factors to be executed in 2-days,” the team wrote. “The exploiter executed 4 of the transactions when 2-day timelock ends for the creation of markets, and after that, executed the transaction for adding c-factor to the markets.”

Sonne added that while they aren’t able to save the funds, “the investigation on the exploiter’s identity is still going on.” 

The project said it is ready to offer a bounty to the exploiter in exchange for return without disclosing more details.