Key Points:
- Zunami Protocol, a DeFi yield farming aggregator, suffers a $2.1 million loss in a price manipulation attack.
- Attacker utilized flash loan to alter prices, executed trades, and manipulated prices further.
- Zunami’s stablecoins experience severe value drops; investigation ongoing into breach.
The decentralized finance (DeFi) yield farming aggregator known as the Zunami Protocol has fallen victim to a significant breach, resulting in a loss exceeding $2.1 million. The breach, orchestrated through a price manipulation scheme, targeted Zunami’s liquidity pool on Curve Finance. This incident was officially confirmed by Zunami Protocol on Sunday and subsequently verified by blockchain security companies PeckShield and Ironblocks.
Zunami Protocol operates as a decentralized autonomous organization (DAO) and specializes in stablecoin staking through its yield farming aggregation. Its primary “zStables” pool, hosted on the Curve platform, facilitates the decentralized exchange of stablecoins within the Ethereum network.
Promising the “highest APY on the market,” Zunami Protocol had garnered attention with its claimed $5 million total locked value, allowing users to diversify their stablecoin holdings and mitigate the risk associated with any single stablecoin’s volatility.
The attack strategy employed by the perpetrator was familiar to observers of the blockchain space. Utilizing a flash loan from the balancer, the attacker injected liquidity to significantly alter the price, executed trades within Zunami’s exchange, and subsequently manipulated the price further after removing the injected liquidity. This sequence allowed the attacker to profit by exploiting price fluctuations.
Both Ironblocks and PeckShield, prominent firms specializing in blockchain analysis, detected the attack on Zunami Protocol. PeckShield promptly informed the protocol about the breach via Twitter. They detailed that the incident resulted in a loss of more than $2.1 million, attributing it to a flaw in price calculation due to the manipulation.
Zunami Protocol acknowledged the attack on social media, ensuring the security of the collateral while initiating an ongoing investigation. They advised against purchasing certain assets, specifically zETH and UZD, which were directly affected by the attack.
The breach had severe repercussions on the value of Zunami’s stablecoins. The Zunami USD stablecoin (UZD) plummeted by more than 99%, while Zunami Ether (zETH) experienced an 88% drop, sinking to $206.
The funds obtained from the attack were subsequently laundered through the controversial coin mixer known as Tornado Cash, as reported by the firm.
Curve Finance, the platform hosting Zunami Protocol’s liquidity pool, has faced a series of attacks in recent weeks. In an effort to recover approximately $19 million stolen by a hacker, the platform offered a bounty of $1.8 million for information leading to the identification of the responsible party.