Zunami Protocol’s Stablecoin Pools Exploited, Suffers $2.1M Loss

  • DeFi yield aggregator Zunami Protocol confirmed that a hacker had attacked its “zStables” pools on Curve Finance using a price manipulation exploit.
  • Security firm PeckShield has estimated that over $2.1 million was lost during the attack, while SlowMist said it had informed Zunami of the vulnerability two months ago.

Decentralized finance (DeFi) yield aggregator Zunami Protocol warned users that it has fallen victim to an exploit that affected its “zStables” pools on Curve Finance, the platform said via Twitter on 14 August.

According to the DeFi platform, users should stay away from its Zunami Ether (zETH) and Zunami USD (UZD) stablecoins for the time being, as their “emission has been attacked” on Curve Finance. The yield aggregation platform assured its users that the “collateral remain secure”, and that its team has started investigating how exactly the attack was carried out.

Blockchain security firm PeckShield pointed out that the exploit was carried out over two key transactions, and that it was a price manipulation issue which could be exploited by “donation to incorrectly calculate the price” of assets. The security firm has also estimated that more than $2.1 million was stolen from Zunami’s “zStables” pool on Curve Finance, and noted that the funds have already been laundered through the mixing service Tornado Cash.

Blockchain security firm SlowMist’s founder Xian Yu later claimed that his company had identified Zunami Protocol’s vulnerability two months ago, and had informed the platform “privately in advance”. He added that the communication “was an unpleasant experience”, and that, had the platform listened to SlowMist, the $2.1 million exploit “could have been avoided”.
