According to blockchain security firm PeckShield, Zunami Protocol, a decentralized yield farming aggregator for stablecoin staking, fell victim to a price manipulation attack, resulting in losses of over $2.1 million.
On August 14, PeckShield took to X to reveal that Zunami Protocol encountered an attack in its stablecoin pools on Curve Finance that led to losses of over $2.1 million. The security firm blamed the exploit on a price manipulation issue, adding that the stolen funds had been laundered via the US-sanctioned mixing service Tornado Cash. PeckShield wrote,
“It is a price manipulation issue, which can be exploited by donation to incorrectly calculate the price.”
Hi @ZunamiProtocol Today's hack leads to >$2.1m loss and there are two hack txs involved:
– tx1: https://t.co/jsOmPT62mk
– tx2: https://t.co/u7YOvoS0R9
It is a price manipulation issue, which can be exploited by donation to incorrectly calculate the price as shown in the… https://t.co/yqwMVy0pCA pic.twitter.com/OfrDni7KtE
— PeckShield Inc. (@peckshield) August 14, 2023
Zunami Protocol Falls Victim to a DeFi Attack
Following PeckShield’s warning, Zunami Protocol confirmed the attack, stating that the collateral remained secure and that the team had started to investigate. The decentralized finance (DeFi) protocol wrote,
“It appears that zStables have encountered an attack. Please do not buy zETH and UZD at the moment. [Their] emission has been attacked.”
The hack was also reported by fellow blockchain security firm Ironblocks, which explained that the attacker took a flash loan from Balancer, then added liquidity so he would be able to change the price significantly, and started to trade in Zunami’s exchange.
4. then he traded back and return the flashloan and got 1,152 eth to himself, classic price manipulation pic.twitter.com/t3l1Tw4vF7
— Ironblocks (@Ironblocks_) August 14, 2023
Following this, the attacker removed the liquidity and changed the price, traded back, and returned the flash loan, netting 1,152 ETH. Ironblocks further labeled the hack “classic price manipulation.”
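The donation issue PeckShield describes can be shown with a small model, added here as an illustration; it is not Zunami's contract code and does not come from the firms quoted above. It compares a price read from a raw pool balance, which anyone can move by sending assets to the pool, with a price taken from internally tracked deposits, plus a deviation guard. All names, amounts and the 2% threshold are assumptions.

```python
"""Toy model of donation-based price manipulation (constructed example)."""
from dataclasses import dataclass


@dataclass
class Pool:
    """Hypothetical pool backing a token; not any real protocol's contract."""
    raw_balance: float      # what a balanceOf()-style query would report
    tracked_assets: float   # assets recorded through deposit() only
    supply: float           # tokens issued against those deposits

    def deposit(self, amount: float) -> float:
        """Mint tokens at the tracked price and record the assets."""
        minted = amount / self.price_tracked() if self.supply else amount
        self.raw_balance += amount
        self.tracked_assets += amount
        self.supply += minted
        return minted

    def donate(self, amount: float) -> None:
        """Direct transfer to the pool: changes the balance, mints nothing."""
        self.raw_balance += amount

    def price_naive(self) -> float:
        """Weak: price read from the raw balance, so donations move it."""
        return self.raw_balance / self.supply

    def price_tracked(self) -> float:
        """Hardened: price from internal accounting; donations are ignored."""
        return self.tracked_assets / self.supply


def price_is_sane(price: float, reference: float, max_dev: float = 0.02) -> bool:
    """Guard: reject a spot price too far from a reference (assumed 2% limit)."""
    return abs(price - reference) / reference <= max_dev


def demo() -> dict:
    pool = Pool(raw_balance=0.0, tracked_assets=0.0, supply=0.0)
    pool.deposit(1_000_000)          # constructed honest liquidity
    before = pool.price_naive()      # reference price before the donation
    pool.donate(500_000)             # constructed donation
    return {
        "before": before,
        "naive_after": pool.price_naive(),
        "tracked_after": pool.price_tracked(),
        "guard_blocks_naive": not price_is_sane(pool.price_naive(), before),
        "guard_allows_tracked": price_is_sane(pool.price_tracked(), before),
    }
```

In this model the donation moves the naive price from 1.0 to 1.5 while the tracked price stays at 1.0, and the guard rejects only the naive reading.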
Could the Attack have been Avoided?
Adding to the speculation, Xian Yu, founder of blockchain security firm SlowMist, said on X that the firm had identified the vulnerability two months ago and informed Zunami Protocol, and emphasized that the attack could have been avoided:
“This project was attacked by price manipulation and lost more than 2.1 million US dollars. The key point is that our system detected their risk two months ago, and we informed them privately in advance. Unfortunately, it was an unpleasant communication… It now appears that perhaps they were avoidable”
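🙂 This project was hit by a price manipulation attack and lost more than 2.1 million US dollars. The key point is that our system flagged this risk two months ago, and we privately informed them in advance. Unfortunately, it was an unpleasant communication…
Looking at it now, perhaps they could have avoided it. https://t.co/w4cPUVviZl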
— Cos(余弦)😶🌫️ (@evilcos) August 14, 2023
Zunami Protocol, managed as a decentralized autonomous organization (DAO), is a yield farming aggregator for stablecoin staking. It maintained its primary “zStables” pool on Curve, which enables the decentralized exchange (DEX) of stablecoins within Ethereum (ETH). The protocol had promised the highest APY on the market and touted a $5 million total value locked on its website.
DeFi Remains Vulnerable to Hackers
Cryptocurrency hacks, network exploits, price manipulation attacks and other malicious techniques have long plagued the digital assets ecosystem, especially DeFi. Decentralized protocols were the primary targets of these hackers, accounting for over 80% of all cryptocurrency stolen in 2022.
Last week, Cypher Protocol, a decentralized futures exchange operating on the Solana (SOL) blockchain, suffered a security breach on Monday, resulting in an estimated loss of around $1 million.
Although the stolen amount has witnessed a sharp plunge this year compared to the previous year, blockchain security audit firm CertiK revealed crypto traders have already lost a stomach-churning $303 million worth of digital assets in cryptocurrency exploits and attacks in July, making it the worst month this year so far in terms of stolen value.