Decentralized finance platform Zunami Protocol has become the latest protocol to be hacked after confirming on Sunday that bad actors hacked its liquidity pool on Curve. The exploit led to the protocol losing over $2.1 million, according to estimates from blockchain security firm PeckShield and Ironblocks. Details Of The Hack The protocol confirmed the hack on Sunday, with security firm PeckShield confirming it as well. The protocol advised users to refrain from purchasing any of its Zunami Ether (zETH) or Zunami USD (UZD) stablecoins following the attack. The protocol further added that collateral remained secure and it was investigating the cause of the exploit. “It appears that zStables have encountered an attack. The collateral remain secure, we delve into the ongoing investigation. Please do not buy zETH and UZD at the moment; their emission has been attacked.” Blockchain security firm PeckShield, in an analysis of the attack, estimated that around $2.1 million was stolen from the decentralized finance protocol’s Curve pool and put the exploit down to a price manipulation issue. “Hi @ZunamiProtocol Today’s hack leads to >$2.1m loss, and there are two hack txs involved: - tx1:https://etherscan.io/tx/0x2aec4fdb2a09ad4269a410f2c770737626fb62c54e0fa8ac25e8582d4b690cca - tx2:https://etherscan.io/tx/0x0788ba222970c7c68a738b0e08fb197e669e61f9b226ceec4cab9b85abe8cceb It is a price manipulation issue, which can be exploited by donation to incorrectly calculate the price as shown in the following figures.” Fellow security firm Ironblocks also conducted an analysis of the hack, coming to the same conclusion as PeckShield regarding the cause of the hack. In its analysis, Ironblocks explained, “The attacker took [a] flash loan from [the] balancer, then he added liquidity so he [would] be able to change the price significantly and started to trade in Zunami’s exchange. Then he removed the liquidity and changed the price, then he traded back and [returned] the flash loan and got 1,152 ETH to himself. Classic price manipulation.” Price Of Zunami USD And Zunami ETH Collapses The price of both the Zunami USD stablecoin and Zunami ETH (zETH) fell off a cliff following the exploit. The stablecoin lost its entire value, dropping 99%, while zETH dropped over 88%, dropping to $206. PeckShield also confirmed that the stolen funds had already been put through the controversial coin mixer Tornado Cash. Curve’s Recent Troubles The Zunami protocol is a yield farming aggregator for stablecoins and maintains its primary zStable pools on Curve. The protocol is managed as a decentralized autonomous organization (DAO) and promises users the “highest API on the market.” It has also stated that it has over $5 million in total value locked (TVL) on its website. According to Zunami, users can use the protocol to diversify their stablecoin portfolio and avoid the risk of crashing one of them. Curve Finance has faced multiple attacks over the past few weeks, impacting multiple decentralized finance protocols. Attackers managed to steal over $24 million worth of crypto by leveraging a vulnerability in the liquidity pools on Curve. The vulnerability was eventually traced back to Vyper, a third-party programming language being used to program Ethereum smart contracts on the protocol. At the time, Curve stated that liquidity pools not using Vyper were not impacted. “A number of stablepools (alETH/msETH/pETH) using Vyper 0.2.15 have been exploited as a result of a malfunctioning reentrancy lock. We are assessing the situation and will update the community as things develop. Other pools are safe.” The exploit put major protocols at risk, especially due to Curve founder Michael Egorov’s $168 million lending position, which was at risk of liquidation. Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
