On the 13th of August 2023, at around 10:30 pm UTC, Zunami Protocol suffered a price manipulation attack and lost approximately $2.1 million.
What is Zunami?
Zunami is a yield farming aggregator that claims to let users stake stablecoins at the highest yield in the market by aggregating the most profitable DeFi protocols. It also helps users diversify their stablecoin holdings and reduce their exposure to any single stablecoin losing its peg.
Zunami took to Twitter to ask users not to buy zETH or UZD for the time being.
Hack Traced Back to a Price Manipulation Scheme
What is Price Manipulation?
Price manipulation is the act of moving the market price of a token away from its real value, typically by repeatedly buying and selling the same asset to inflate its price artificially. The exposure is usually amplified with flash loans, which give the attacker large amounts of temporary capital within a single transaction.
In this case, the attacker artificially inflated the pool's reported value by donating assets directly into it. The tokens under the attacker's control were then valued at an inflated, misleading price, which allowed roughly $2.1 million worth of tokens to be siphoned from the project's reserves.
Merkle Science’s Flow of Funds Analysis
Summary of the Hack
2. Subsequently, a sequence of swap transactions was executed across the two exploit transactions, adding and removing liquidity, to ultimately net approximately 1,179 ETH.
3. The exploit targeted the zStables pools within the Curve Finance protocol, which were drained by manipulating the price of both Zunami Ether (zETH) and Zunami USD (UZD).
4. These proceeds were then transferred to the attacker's designated address and cashed out through Tornado Cash.
5. Price manipulation remains a well-recognized attack vector, and the resulting losses stem from business logic vulnerabilities.
6. In the case of the Zunami Protocol, an insecure code pattern was used to calculate the token value, inadvertently exposing the protocol to this exploit.
Merkle Science's blockchain forensics tool 'Tracker' helps visualize the flow of funds
Mitigation and Best Practices
- Protocols should add further layers of security, using at least two independent oracles for price validation so that a single manipulated price source cannot set the value. This limits the impact of a breach and puts robust checks on publicly accessible functions that affect valuation.
- Vigilantly monitor for fraudulent deposits and revert transactions that contain fraudulent deposits or transfers.
- Use accurate smart contract vulnerability scanners and auditors.
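The following is an added, simplified Python model of the donation-based price manipulation described above and of the two-oracle check recommended here; it is not Zunami's or Curve's code, and the pool, share amounts and 5% deviation threshold are constructed assumptions.

```python
from dataclasses import dataclass

PRICE_SCALE = 10**18  # fixed-point scale, as in 18-decimal tokens


@dataclass
class Pool:
    """Constructed toy pool: share tokens are valued at balance / total_supply."""
    balance: int       # underlying assets held by the pool
    total_supply: int  # share tokens outstanding

    def spot_price(self) -> int:
        # Insecure pattern: value derived from the live balance alone,
        # which anyone can raise with a direct transfer.
        return self.balance * PRICE_SCALE // self.total_supply

    def donate(self, amount: int) -> None:
        # A donation raises the balance without minting shares.
        self.balance += amount


class PriceDeviationError(Exception):
    """Raised when the spot price disagrees with the second oracle."""


def vulnerable_value(pool: Pool, shares: int) -> int:
    return shares * pool.spot_price() // PRICE_SCALE


def validated_value(pool: Pool, shares: int, reference_price: int,
                    max_deviation_bps: int = 500) -> int:
    """Hardened pattern: cross-check spot against an independent oracle."""
    spot = pool.spot_price()
    deviation_bps = abs(spot - reference_price) * 10_000 // reference_price
    if deviation_bps > max_deviation_bps:
        raise PriceDeviationError(f"spot deviates {deviation_bps} bps")
    # Use the more conservative of the two sources.
    return shares * min(spot, reference_price) // PRICE_SCALE


def simulate_donation_attack() -> tuple[int, int, bool]:
    """Returns (value before, inflated value, whether the check blocked it)."""
    pool = Pool(balance=1_000 * 10**18, total_supply=1_000 * 10**18)
    reference_price = pool.spot_price()  # second oracle, e.g. a TWAP snapshot
    attacker_shares = 100 * 10**18
    before = vulnerable_value(pool, attacker_shares)
    pool.donate(1_000 * 10**18)  # doubles the spot price in one step
    after = vulnerable_value(pool, attacker_shares)
    try:
        validated_value(pool, attacker_shares, reference_price)
        blocked = False
    except PriceDeviationError:
        blocked = True
    return before, after, blocked
```

The vulnerable valuation doubles after the donation, while the cross-checked version refuses to price the shares until the two sources agree again.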