The decentralized finance (DeFi) platform, Zunami Protocol, faced a significant setback as its liquidity pool on Curve Finance fell victim to an attack over the weekend, resulting in a loss exceeding $2.1 million. The exploit was promptly identified by blockchain security companies PeckShield and Ironblocks.
Zunami Protocol, operating as a decentralized autonomous organization (DAO), maintained its primary liquidity pool, named “zStables,” on Curve Finance. This particular pool facilitated the decentralized exchange (DEX) of stablecoins within the Ethereum ecosystem. Known for promoting an attractive annual percentage yield (APY) and boasting $5 million in total value locked, Zunami Protocol positioned itself as a yield farming aggregator for stablecoin staking.
The attack methodology bears a familiar pattern to seasoned blockchain observers. The assailant employed a flash loan from Balancer, enabling the addition of liquidity to influence prices on Zunami’s exchange. By manipulating the prices, the attacker engaged in trades that ultimately culminated in the theft of 1,152 ETH. Ironblocks succinctly characterized this sequence as “classic price manipulation.”
PeckShield, another blockchain analysis firm, corroborated the attack’s discovery and promptly notified the Zunami Protocol via Twitter. The breach resulted in a loss exceeding $2.1 million across two separate transactions due to price manipulation, leading to an incorrect calculation of prices.
Following the breach, Zunami Protocol took to Twitter to address the situation, assuring the community that the collateral remained secure while an ongoing investigation was conducted. As a precautionary measure, the protocol advised users not to engage in the purchase of zETH and UZD tokens, both of which were targeted in the attack.
The consequences of the hack were profound, with the Zunami USD stablecoin (UZD) plummeting by more than 99% and the Zunami Ether (zETH) witnessing an 88% decline, down to a value of $206. The stolen funds were reportedly laundered through the controversial coin mixer Tornado Cash.
Notably, Curve Finance has been grappling with a series of attacks in recent weeks, grappling to recover approximately $19 million stolen by a hacker. In response, Curve Finance has offered a $1.8 million bounty for information leading to the identification of the perpetrator. The repeated breaches within Curve Finance underscore the persistent challenges and vulnerabilities that continue to plague the DeFi ecosystem, calling for heightened security measures and vigilance among both users and platforms.