Decentralized finance (DeFi) yield aggregator Zunami Protocol warned users that it has fallen victim to an exploit that affected its “zStables” pools on Curve Finance, the platform said via Twitter on 14 August.
According to the DeFi platform, users should stay away from its Zunami Ether (zETH) and Zunami USD (UZD) stablecoins for the time being, as their “emission has been attacked” on Curve Finance. The yield aggregation platform assured its users that the “collateral remain secure”, and that its team has started investigating how exactly the attack was carried out. Zunami Protocol tweeted:
Blockchain security firm PeckShield pointed out that the exploit was carried out over two key transactions, and that it was a price manipulation issue which could be exploited by “donation to incorrectly calculate the price” of assets. The security firm has also estimated that more than $2.1 million was stolen from Zunami’s “zStables” pool on Curve Finance, and noted that the funds have already been washed through mixing service Tornado Cash.
Blockchain security firm SlowMist’s founder Xian Yu later claimed that his company had identified Zunami Protocol’s vulnerability two months ago, and had informed the platform “privately in advance”. He added that the communication “was an unpleasant experience”, and had the platform listened to SlowMist the $2.1 million exploit “could have been avoided”.