Sonne Finance: The "Empty Market" Compound V2 Fork Hack (May 2024)

On May 14, 2024, Sonne Finance, a lending protocol on Optimism and Base, was exploited for approximately $20 million. The exploit did not rely on a new discovery; it targeted a well-known vulnerability in Compound V2 forks related to the initialization of new markets (the Zero Supply Attack).

Technical Overview

The vulnerability exists in the way Compound V2 forks (and some Aave forks) handle the exchange rate between the underlying asset and the protocol's receipt token (soToken in Sonne's case). When a market is first initialized and has zero total supply, the exchange rate can be manipulated by the first liquidity provider.

Exploit Mechanism: The Zero Supply / Inflation Attack

The attack relies on a rounding error that occurs when the total supply of the receipt token is zero.

  1. Market Launch: Sonne Finance was adding a new market for VELO tokens. The market was created but had no initial deposits.
  2. Initial Deposit: The attacker was the first to provide a tiny amount of liquidity (as little as 1 wei) to the new pool.
  3. Direct Transfer (Inflation): Instead of depositing more through the standard mint() function, the attacker sent a massive amount of the underlying asset directly to the contract address.
  4. Exchange Rate Manipulation: Because the exchangeRate is calculated as (underlyingBalance + totalBorrows) / totalSupply, and totalSupply was extremely small (1 wei), the direct transfer artificially inflated the value of a single soToken to an astronomical level.
  5. Borrowing Against "Dust": The attacker then deposited a small amount of the underlying asset, minted a tiny fraction of a soToken (worth a fortune due to the inflated rate), and used that vastly overvalued "dust" as collateral to borrow and drain other liquid assets from the protocol.

Why This Matters (The "Known Issue" Trap)

This specific vulnerability was already famous in the security community (for example, the Hundred Finance hack in 2023). Sonne Finance had even been warned about it. The exploit highlights the danger of code cloning/forking without fully understanding the edge cases of the parent protocol's initialization logic.

Mitigation Strategies

  • Initial Mint & Burn: When launching a new market, the protocol should mint a small amount of cTokens/soTokens and send them to a "burn address" (like address(0)). This ensures totalSupply is never zero, making the inflation attack economically unviable.
  • Collateral Factor Delay: Keep the Collateral Factor at 0% for new markets for a short period. This allows the market to gain natural liquidity before it can be used as collateral.
  • Monitoring & Pausing: Automated monitoring should flag any direct transfers of underlying assets to pool addresses that do not originate from the mint() function.
  • Rounding Direction: Ensure that the exchange rate calculation always rounds in favor of the protocol (rounding up for borrows, down for collateral value).
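
The Monitoring & Pausing check above, sketched as an added example (not code from Sonne Finance or Compound): it groups decoded event logs by transaction and flags any underlying that reached a market address without a matching accounting event from the market itself. The log schema, addresses and amounts are constructed for illustration; the event names are the standard Compound V2 cToken events, and treating repay and reserve inflows as legitimate goes beyond the mint() case the bullet names.

```python
from collections import defaultdict

# Compound V2 cToken events that record underlying entering a market. The page names
# mint() only; treating repay and reserve inflows as legitimate is this example's assumption.
ACCOUNTED = {"Mint": "mintAmount", "RepayBorrow": "repayAmount", "ReservesAdded": "addAmount"}

def find_unaccounted_inflows(logs, markets):
    """Flag transactions where a market received more underlying than it recorded.
    logs: decoded events {tx, emitter, event, args} (hypothetical schema);
    markets: {market_address: underlying_token_address}."""
    by_tx = defaultdict(list)
    for log in logs:
        by_tx[log["tx"]].append(log)
    alerts = []
    for tx, entries in by_tx.items():
        for market, underlying in markets.items():
            # ERC-20 Transfer events of the underlying that credit the market address.
            received = sum(e["args"]["value"] for e in entries
                           if e["emitter"] == underlying and e["event"] == "Transfer"
                           and e["args"]["to"] == market)
            # Amounts the market itself logged via its mint/repay/reserve paths.
            accounted = sum(e["args"][ACCOUNTED[e["event"]]] for e in entries
                            if e["emitter"] == market and e["event"] in ACCOUNTED)
            if received > accounted:
                alerts.append({"tx": tx, "market": market, "unaccounted": received - accounted})
    return alerts

# Constructed sample data: placeholder addresses and amounts, not real chain data.
MARKET, UNDERLYING, USER = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    # 0x01: ordinary mint(), the transfer is matched by a Mint event.
    {"tx": "0x01", "emitter": UNDERLYING, "event": "Transfer",
     "args": {"from": USER, "to": MARKET, "value": 500}},
    {"tx": "0x01", "emitter": MARKET, "event": "Mint",
     "args": {"minter": USER, "mintAmount": 500, "mintTokens": 25000}},
    # 0x02: underlying sent straight to the market, nothing recorded by the market.
    {"tx": "0x02", "emitter": UNDERLYING, "event": "Transfer",
     "args": {"from": USER, "to": MARKET, "value": 10**24}},
    # 0x03: a small mint() bundled with a larger direct transfer in one transaction.
    {"tx": "0x03", "emitter": UNDERLYING, "event": "Transfer",
     "args": {"from": USER, "to": MARKET, "value": 2}},
    {"tx": "0x03", "emitter": MARKET, "event": "Mint",
     "args": {"minter": USER, "mintAmount": 2, "mintTokens": 100}},
    {"tx": "0x03", "emitter": UNDERLYING, "event": "Transfer",
     "args": {"from": USER, "to": MARKET, "value": 10**21}},
]

if __name__ == "__main__":
    print(find_unaccounted_inflows(SAMPLE_LOGS, {MARKET: UNDERLYING}))
```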

Conclusion

The Sonne Finance exploit is a sobering reminder that "audited" code (Compound V2) can still be dangerous when reused in new contexts or when known initialization vulnerabilities are overlooked. For security researchers, it emphasizes the importance of verifying the deployment and initialization process, not just the logic of the smart contract code itself.