Zunami protocol loses $2.1 mln in price manipulation hack

• The hack exploited the protocol’s vulnerability by utilizing a flash loan to inject liquidity.
• Unknown attackers then manipulated prices and executed trades on the platform’s decentralized exchange.

The Zunami Protocol, a prominent player in the decentralized finance (DeFi) sector, faced a significant setback with a security breach resulting in a loss surpassing $2.1 million. Blockchain security firms PeckShield and Ironblocks reported the breach, which targeted the platform’s liquidity pool hosted on Curve Finance.

Hi @zunamiprotocol, we have detected an ongoing attack. Users are strongly suggested to take necessary actions.

Here is the encrypted hash: 2638ae2969ce932d61c3ca66f9b8a4a6c01c4d89bb2b34ddcf2c4145960f41c4. Actual hash will be released once the situation is stable.

— PeckShield Inc. (@peckshield) August 13, 2023

Operating primarily through the “zStables” pool on the Curve network, Zunami Protocol facilitated decentralized exchange (DEX) services for stablecoins within the Ethereum ecosystem. The protocol aimed to empower users to diversify their stablecoin holdings, reducing the risk tied to the potential collapse of any individual stablecoin.

The attack’s modus operandi appeared familiar to seasoned blockchain observers. Ironblocks shed light on the attacker’s tactics, revealing that they initiated the assault by leveraging a flash loan from the “balancer.”

This loan allowed the attacker to inject liquidity into the system, enabling them to significantly manipulate the price. The attacker traded on the exchange with this liquidity. Subsequently, they withdrew the funds, manipulating the price once more, and concluded by returning the flash loan, pocketing 1,152 ETH in the process.

Price manipulation attack exposes vulnerabilities

PeckShield and Ironblocks, blockchain security experts, provided insights on social media platform X. PeckShield alerted Zunami Protocol to the ongoing attack, advising users to take precautions. Additionally, they identified the breach as a “price manipulation issue” exploitable by malefactors to inaccurately calculate prices.

Hi @ZunamiProtocol Today’s hack leads to >$2.1m loss and there are two hack txs involved:
– tx1: https://t.co/jsOmPT62mk
– tx2: https://t.co/u7YOvoS0R9

It is a price manipulation issue, which can be exploited by donation to incorrectly calculate the price as shown in the… https://t.co/yqwMVy0pCA pic.twitter.com/OfrDni7KtE

— PeckShield Inc. (@peckshield) August 14, 2023

In response, Zunami Protocol promptly engaged with its community, acknowledging the breach. An ongoing investigation was disclosed, with a warning for users against acquiring zETH and UZD.

Please do not buy zETH and UZD at the moment, their emission has been attacked.

— Zunami Protocol (@ZunamiProtocol) August 14, 2023

The attack’s aftermath significantly impacted the prices of Zunami’s native assets. Firstly, the Zunami USD stablecoin (UZD) witnessed a staggering decline of over 98%. Secondly, the Zunami Ether (zETH) plummeted by over 85%, settling at $278.

Adding complexity, the stolen funds were channeled through Tornado Cash, a controversial coin mixing service.

Security challenges are not unique to Zunami Protocol. Curve Finance, the DeFi platform hosting Zunami’s liquidity pool, faced a series of recent attacks.