Zunami Protocol’s Stablecoin Pools Exploited, Suffers $2.1M Loss

  • DeFi yield aggregator Zunami Protocol confirmed that a hacker had attacked its “zStables” pools on Curve Finance using a price manipulation exploit.
  • Security firm PeckShield has estimated that over $2.1 million was lost during the attack, while SlowMist said it had informed Zunami of the vulnerability two months ago.


Decentralized finance (DeFi) yield aggregator Zunami Protocol warned users that it has fallen victim to an exploit that affected its “zStables” pools on Curve Finance, the platform said via Twitter on 14 August.

According to the DeFi platform, users should stay away from its Zunami Ether (zETH) and Zunami USD (UZD) stablecoins for the time being, as their “emission has been attacked” on Curve Finance. The yield aggregation platform assured its users that the “collateral remain secure”, and that its team has started investigating how exactly the attack was carried out. Zunami Protocol tweeted:

Blockchain security firm PeckShield pointed out that the exploit was carried out over two key transactions, and that it was a price manipulation issue which could be exploited by “donation to incorrectly calculate the price” of assets. The security firm has also estimated that more than $2.1 million was stolen from Zunami’s “zStables” pool on Curve Finance, and noted that the funds have already been washed through mixing service Tornado Cash.

Blockchain security firm SlowMist’s founder Xian Yu later claimed that his company had identified Zunami Protocol’s vulnerability two months ago, and had informed the platform “privately in advance”. He added that the communication “was an unpleasant experience”, and had the platform listened to SlowMist the $2.1 million exploit “could have been avoided”.

Related Coverage
Unibot to Compensate Users Affected by Exploit
  • Popular Telegram bot Unibot, which is used to snipe trades on Uniswap, became a victim of a token approval exploit earlier today, when it was switching to a new router.
  • After confirming the exploit, Unibot assured users that their keys and wallets were safe, and that the project will compensate all affected users.
October 31, 2023, 3:01 PM


Balancer Exploited After Giving Warning
  • DeFi protocol Balancer confirmed it was exploited almost a week after disclosing a critical vulnerability affecting several of its boosted pools.
  • The platform did its best to mitigate some of the risks but was unable to pause the affected pools, and an estimated $980,000 in DAI were stolen in an attack.
Curve Exploited for $41M Due to Vyper Vulnerability
  • Versions 0.2.15, 0.2.16, and 0.3.0 of Vyper have malfunctioning reentrancy locks, which left smart contracts compiled with them vulnerable to reentrancy attacks.
  • An estimated 460 contracts were compiled using these versions of Vyper which resulted in millions being lost to attacks, with Curve Finance reportedly losing $41 million.