
Hack Track: Zunami Flow of Funds Analysis

On the 13th of August 2023, at around 10:30 pm UTC, Zunami Protocol suffered a price manipulation attack and lost approximately $2.1 million.

What is Zunami?

Zunami is a yield farming aggregator that claims to allow the staking of stablecoins with the highest yield in the market by aggregating the most profitable DeFi protocols. It also helps users diversify their stablecoin portfolio and avoid the risk of them crashing.

Zunami’s Response

Zunami took to Twitter to request users not to buy zETH and UZD at the moment. 

Hack Traced Back to a Price Manipulation Scheme

What is Price Manipulation?

Price manipulation is the act of artificially inflating the market price of a token by continuously buying and selling the same asset. This susceptibility is usually aggravated by flash loan attacks.

In this case, the attacker artificially inflated the pool's value by injecting a donation into it. Subsequently, the tokens under the attacker's control assumed an inflated and deceptive value. This facilitated the siphoning of $2.1 million worth of tokens from the project's reserves.

Merkle Science’s Flow of Funds Analysis

Summary of the Hack

  1. The perpetrator took a flash loan and injected large amounts into the protocol’s pools.
  2. The zStables pools within the Curve Finance protocol were exploited by manipulating the prices of zETH and UZD.
  3. These proceeds were then transferred to the attacker’s wallet and cashed out using Tornado Cash.

  1. The perpetrator carried out the attack, commencing with the acquisition of a flash loan. This was used to set in motion two separate exploit transactions that helped the attacker manipulate token values.
  2. Subsequently, a sequence of swap transactions was executed across both exploit transactions, adding and removing liquidity, to ultimately gain a sum amounting to approximately 1,179 ETH.
  3. The exploit's target was the zStables pools within the Curve Finance protocol, which were drained by manipulating the price of both Zunami Ether (zETH) and Zunami USD (UZD).
  4. These proceeds were then transferred to the attacker's designated address and in turn cashed out using Tornado Cash.
  5. Price manipulation looms large as a recognized avenue of attack, leading to devastating setbacks arising from business logic vulnerabilities.
  6. In the case of the Zunami Protocol, an insecure code pattern was employed to calculate the token value, inadvertently exposing the protocol to this exploit.


Mitigation and Best Practices

  1. Protocols should incorporate additional layers of security, employing a minimum of two oracles for price validation. This measure would effectively reduce the impact of potential breaches and establish robust scrutiny of essential functions that are publicly accessible.
  2. Vigilantly monitor occurrences of fraudulent deposits and revoke transactions containing fraudulent deposits and transfers. 
  3. Use accurate smart contract vulnerability scanners and auditors.
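
A simplified model of mitigation 1 against the donation-based inflation described above, added here as an example; it is not Zunami's contract code or Merkle Science's. The `Pool` class, the independent `reference` price and the 200 bps tolerance are assumptions, and all numbers are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction

class PriceDeviationError(Exception):
    """Raised when the two price sources disagree beyond the tolerance."""

@dataclass
class Pool:
    # Constructed model: token value is derived from the pool's raw holdings.
    reserves: int   # assets held by the pool, in base units
    supply: int     # tokens issued against those assets

    def spot_price(self) -> Fraction:
        # Balance-derived price: whoever can change `reserves` changes this.
        return Fraction(self.reserves, self.supply)

    def donate(self, amount: int) -> None:
        # A direct transfer raises reserves without minting any tokens.
        self.reserves += amount

def validated_price(spot: Fraction, reference: Fraction, max_dev_bps: int = 200) -> Fraction:
    """Return a price only if both sources agree within max_dev_bps (assumed bound)."""
    if spot <= 0 or reference <= 0:
        raise PriceDeviationError("non-positive price from a source")
    dev_bps = abs(spot - reference) * 10_000 / reference
    if dev_bps > max_dev_bps:
        raise PriceDeviationError(f"sources differ by {float(dev_bps):.0f} bps")
    # Pay out at the lower price so residual inflation is never honoured.
    return min(spot, reference)

def redeem(pool: Pool, tokens: int, reference: Fraction, guarded: bool) -> int:
    # `reference` stands in for a second, independent oracle (assumption).
    price = validated_price(pool.spot_price(), reference) if guarded else pool.spot_price()
    return int(tokens * price)

def demo():
    pool = Pool(reserves=1_000_000, supply=1_000_000)
    reference = Fraction(1)                                   # constructed oracle value
    before = redeem(pool, 1_000, reference, guarded=True)     # sources agree
    pool.donate(500_000)                                      # spot price becomes 1.5
    unguarded = redeem(pool, 1_000, reference, guarded=False) # pays the inflated value
    try:
        redeem(pool, 1_000, reference, guarded=True)
        blocked = False
    except PriceDeviationError:
        blocked = True                                        # guard reverts the call
    return before, unguarded, blocked
```

The guard only helps if the second source cannot be moved within the same transaction as the first.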