Zunami Protocol, a decentralized finance (DeFi) project, fell victim to a malicious attack on August 13th, leading to an approximate loss of $2.1 million. Designed as a decentralized revenue aggregator, Zunami Protocol enables users to earn yield by staking stablecoins. The exploit specifically targeted Zunami's Curve pools, adding the project to the growing list of protocols impacted by the recent attack on Curve Finance.
The vulnerability was initially identified by PeckShield, a blockchain security company, which promptly alerted Zunami Protocol about the exploit on social media platform X (previously Twitter).
According to PeckShield, the attack, which has resulted in the bad actor acquiring $2.1 million and potentially more, involved manipulating prices through donations to the protocol. A detailed post-mortem analysis was also provided by Ironblocks, another blockchain security firm.
Following the usual pattern, the attack began with a flash loan from Zunami, followed by the addition of liquidity and trades executed at inflated prices. The borrowed funds were eventually returned, and the attacker walked away with a substantial profit of $2 million.
The exploit targeted the zStables pools of Zunami Protocol on Curve Finance, leading to price manipulation of both Zunami Ether (zETH) and Zunami USD (UZD). The manipulation caused significant disruption to the stability of the latter, resulting in its value diverging significantly from its intended peg. As of now, 1 UZD is valued at $0.0098, according to CoinGecko.
Not long after receiving the alert from PeckShield, Zunami Protocol acknowledged the attack. Additionally, the team advised users of the platform to refrain from acquiring the impacted tokens, emphasizing that the exploit had not yet been resolved.
“It appears that zStables have encountered an attack. The collateral remain secure, we delve into the ongoing investigation. Please do not buy zETH and UZD at the moment, their emission has been attacked.”
The crypto community swiftly mocked the news, highlighting the irony of the protocol's assertion of having a "battle-tested" depeg prevention system.
Nonetheless, the collateral supporting UZD is reportedly secure, implying that users should eventually recover their funds. However, Zunami's website lists Curve as one of the collateral holders, which raises concerns about the reliability of these reserves.
“The $UZD is backed by the LP of the Zunami Protocol DAO Strategy, which proxies funds in most major DeFi protocols that have been extensively audited, including Curve, Convex & Stake DAO.”
Currently, the Zunami developers have not released any additional details regarding the potential methods for recovering user losses.