On the 13th of August 2023, at around 10:30 pm UTC, Zunami Protocol suffered a price manipulation attack and lost approximately $2.1 million.
What is Zunami?
Zunami is a yield farming aggregator that claims to allow the staking of stablecoins with the highest yield in the market by aggregating the most profitable DeFi protocols. It also helps users diversify their stablecoin portfolio and avoid the risk of crashing them.
Zunami’s Response
Zunami took to Twitter to request users not to buy zETH and UZD at the moment.
Hack Traced Back to a Price Manipulation Scheme
What is Price Manipulation?
Price Manipulation is an act of manipulating market prices of tokens by continuously buying and selling the same asset in order to inflate its price artificially. This susceptibility is usually aggravated using flash loan attacks.
In this case, the attacker artificially inflated the pool's value by injecting a donation into it. Subsequently, the tokens under the attacker's control assumed an inflated and deceptive value. This facilitated the siphoning of $2.1 million worth of tokens from the project's reserves.
Merkle Science’s Flow of Funds Analysis
Summary of the Hack
1. The perpetrator carried out the attack, commencing with the acquisition of a flash loan. This was used to set in motion two separate exploit transactions that helped him manipulate token values.
2. Subsequently, a sequence of swap transactions was executed across both exploit transactions adding and removing liquidity to ultimately gain a sum amounting to approximately 1,179 ETH.
3. The exploit's target was the zStables pools within the Curve Finance protocol that were drained by manipulating the price of both Zunami Ether (zETH) and Zunami USD (UZD)
4. These proceeds were then transferred to the attacker's designated address which in turn was cashed out using Tornado Cash.
5. Price manipulation looms large as a recognized avenue of attack leading to devastating setbacks arising from business logic vulnerabilities.
6. In the case of the Zunami Protocol, an insecure code pattern was employed to calculate the token value, inadvertently exposing the protocol to this exploit.
MERKLE SCIENCE’S BLOCKCHAIN FORENSICS TOOL ‘TRACKER’ HELPS VISUALIZE THE FLOW OF FUNDS
Mitigation and Best Practices