CoinClear

Sonne Finance

2.8/10

Optimism's Compound v2 fork — was the chain's top lending protocol until a $20M exploit via a known Compound vulnerability shattered trust.

Updated: February 16, 2026 | AI Model: claude-4-opus | Version 1

Overview

Sonne Finance launched as a Compound v2 fork on Optimism, becoming one of the leading lending protocols in the Optimism DeFi ecosystem. The protocol provided standard money market functionality: users supply assets to earn yield, borrow against collateral with variable interest rates, and participate in governance through the SONNE token. Sonne later expanded to Base, Optimism's sister L2 in the OP Stack ecosystem.

The protocol gained significant traction during Optimism's growth phase, benefiting from OP incentives and the general expansion of Optimism's DeFi ecosystem. At its peak, Sonne held substantial TVL and was a core building block of Optimism-based DeFi strategies.

In May 2024, Sonne Finance was exploited for approximately $20 million. The attack used a known vulnerability in Compound v2 forks related to market initialization — specifically, the manipulation of exchange rates in empty or newly-created markets. This vulnerability had been documented and exploited in other Compound v2 forks (Hundred Finance, for example) before Sonne's exploit, making the incident particularly painful as it was a known and preventable issue.

Smart Contracts

Sonne's smart contracts are based on Compound v2's Comptroller architecture — a proven but older lending protocol design. The core lending logic (cToken markets, interest rate models, liquidations) is well-tested. However, the Compound v2 architecture has known vulnerability patterns, particularly around market initialization and empty market manipulation. Sonne's failure to fully mitigate this known vulnerability class led directly to the exploit. The codebase is functional and the lending mechanics work correctly under normal conditions, but the failure to address documented vulnerabilities is a critical weakness.

Security

Sonne was exploited using a known vulnerability pattern. The market initialization attack — where an attacker manipulates exchange rates in markets with very low or zero supply — had been documented and demonstrated in other Compound v2 forks before Sonne was attacked. The ~$20 million loss from a preventable, documented vulnerability indicates a serious lapse in security practices. The exploit was specifically triggered during the addition of new markets via governance execution, exploiting the brief window where a new market was empty. Post-exploit, the team implemented mitigations and the protocol continues operating, but the trust damage is significant.
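
A pre-execution check for the empty-market window described above, as an added example that is not Sonne's or Compound's code: it walks an ordered governance action list and flags any step that gives a market a non-zero collateral factor before that market holds a seeded cToken supply. The action format, the market labels and the MIN_SEED_SUPPLY floor are assumptions, and the check assumes the listed actions execute in the order given.

```python
from dataclasses import dataclass

# Assumed policy floor: cToken units that must exist before a market can back borrows.
MIN_SEED_SUPPLY = 10**8


@dataclass
class Action:
    kind: str       # "support_market" | "seed_mint" | "set_collateral_factor"
    market: str     # label for the cToken market (hypothetical names below)
    value: int = 0  # cToken units minted, or collateral factor mantissa (1e18 scale)


def find_empty_market_windows(actions, existing_supply=None):
    """Return (step, market, supply) for each step that gives an under-seeded
    market a non-zero collateral factor.

    existing_supply maps already-listed markets to their cToken totalSupply;
    any market missing from it is treated as empty.
    """
    supply = dict(existing_supply or {})
    findings = []
    for step, act in enumerate(actions):
        if act.kind == "support_market":
            supply.setdefault(act.market, 0)
        elif act.kind == "seed_mint":
            supply[act.market] = supply.get(act.market, 0) + act.value
        elif act.kind == "set_collateral_factor":
            held = supply.get(act.market, 0)
            if act.value > 0 and held < MIN_SEED_SUPPLY:
                findings.append((step, act.market, held))
        else:
            raise ValueError(f"unknown action kind: {act.kind!r}")
    return findings


# Constructed proposals for illustration; not taken from any real governance queue.
RISKY = [
    Action("support_market", "cNEW"),
    Action("set_collateral_factor", "cNEW", 35 * 10**16),  # empty market gets borrowing power
    Action("seed_mint", "cNEW", 10**9),
]
SAFE = [
    Action("support_market", "cNEW"),
    Action("seed_mint", "cNEW", 10**9),
    Action("set_collateral_factor", "cNEW", 35 * 10**16),
]

if __name__ == "__main__":
    print("risky:", find_empty_market_windows(RISKY))
    print("safe: ", find_empty_market_windows(SAFE))
```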

Risk Management

Pre-exploit, Sonne's lending risk parameters (collateral factors, reserve factors, borrowing caps) were generally reasonable and aligned with Compound v2 standards. The protocol's risk management of lending operations was adequate. However, protocol-level risk management — specifically, the failure to implement known mitigations for Compound v2 market initialization vulnerabilities — was the critical gap. Risk management extends beyond lending parameters to include operational security, deployment procedures, and addressing known vulnerability classes in your forked codebase.

Adoption

Pre-exploit, Sonne was one of the top lending protocols on Optimism by TVL. Post-exploit, TVL declined significantly as users withdrew funds. The protocol continues to operate and has worked to rebuild trust, but the ~$20 million exploit creates a lasting trust deficit. The expansion to Base provides a secondary growth avenue. Current adoption represents a fraction of pre-exploit levels, though the protocol maintains a functional user base.

Tokenomics

SONNE is the governance and incentive token. Distribution includes liquidity mining emissions to depositors and borrowers, vesting for team and investors, and ecosystem grants. The token suffered significant price decline following the exploit. Revenue comes from lending spreads and liquidation fees. The tokenomics are standard Compound-fork design — nothing novel but functional. Post-exploit, the value proposition for SONNE holders is weaker due to reduced TVL and the trust deficit.

Risk Factors

  • EXPLOITED: ~$20M drained via known Compound v2 market initialization vulnerability
  • Known vulnerability: The attack vector had been documented and exploited in other forks
  • Trust damage: Significant and potentially lasting impact on user confidence
  • Reduced TVL: Post-exploit TVL is a fraction of peak levels
  • Fork risk: Compound v2 architecture has known vulnerability patterns that must be actively mitigated
  • Competition: Exactly Protocol and Aave on Optimism compete for lending market share

Conclusion

Sonne Finance's story illustrates a painful truth: in DeFi, known vulnerabilities are ticking time bombs. The Compound v2 market initialization vulnerability was documented, had been exploited in other protocols (Hundred Finance), and had known mitigations — yet Sonne fell victim to the same pattern. The ~$20 million loss was preventable. The protocol continues to operate and has implemented fixes, showing some resilience, but the trust deficit is severe. The 2.8 score reflects a protocol with functional lending mechanics that suffered a catastrophic and preventable security failure, now working to rebuild from a weakened position.
