DeFi Protocol Zunami Loses Over $2.1 Million in a Major Price Manipulation Attack
Decentralized Finance (DeFi) platform Zunami Protocol has confirmed a price manipulation attack on its “zStables” stablecoin pools on Curve Finance, causing potential losses of over $2.1 million.
The attack is the latest among the list of protocols affected by the recent vulnerability in the popular DeFi platform Curve Finance, which drained funds from a number of the protocol’s liquidity pools, exposing $100+ million worth of cryptocurrencies.
The hacker in the Zunami Protocol’s exploit apparently took flash loan from balancer, blockchain security firm Ironblocks noted. The attacker, then added liquidity to change the price massively and started trading in Zunami’s exchange.
Ironblocks wrote in a Tweet that the liquidity was later removed, which changed the price and finally traded back and returned the flash loan to get 1,1152 ETH.
Fellow blockchain security platform PeckShield was quick to report the attack on Twitter, which immediately notified Zunami Protocol to take “necessary actions.”
The attack netted the bad actor more than $2.1 million, carried out via price manipulation, “which can be exploited by donation to incorrectly calculate the price,” PeckShield wrote in a Tweet.
PeckShield also noted that the stolen funds were sent to coin mixer Tornado Cash, which obscures the transaction path. This further complicates the efforts to track and recover the stolen funds.
Curve Finance platform is still struggling to recover millions of dollars lost in an exploit and recently announced a bounty of $1.85 million to anyone who can identify the attacker.
Zunami Warns Users to Refrain From Buying Stablecoins
Following PeckShield’s warning, Zunami confirmed the attack and said that the “collateral remain secure.” The protocol instructed its users to refrain from buying either of the affected tokens – Zunami Ether (zETH) or Zunami USD (UZD) stablecoins – warning that the exploit is still being fixed.
Soon after the confirmation of attack from Zunami, both the affected tokens plummeted sharply. UZD dropped 99% to nearly $0, losing its peg, while zETH fell by 89% to a low of $206. UZD is currently trading at $0.0118 at press time, according to CoinGecko.
Zunami Protocol, a yield farming aggregator for stablecoin staking, has been promising the highest Annual Percentage Yield (APY) as a decentralized autonomous organization (DAO), with $5 million in Total Value Locked, according to its website.
Zunami also promised users to diversify their stablecoin portfolio while avoiding any crashing risk. The price manipulation risk, however, has put a massive dent in Zunami’s reputation.
SlowMist Reportedly Warned Zunami
Xian Yu, founder of blockchain security platform SlowMist, said that their firm had identified the attack nearly two months before. The Zunami Protocol apparently received warnings from SlowMist, albeit unnoticed until the breach.
Yu said that despite repeated warnings sent to the Protocol, “it was an unpleasant communication.”
The decentralized nature of the DeFi ecosystem makes it a lucrative target for attackers, stressing on the importance of high security measures and timey actions on such vulnerabilities.