A price manipulation hack causes Zunami protocol to lose $2.1M

• Zunami Protocol has lost $2.1 million due to a flash loan hack that manipulated prices.
• The hacker used a flash loan to inject liquidity.
• The attacker made 1,152 ETH in the process.

Zunami Protocol, a leading player in the decentralized finance (DeFi) industry, has suffered a serious setback after a security breach resulted in a loss of more than $2.1 million.

The platform’s Curve Finance-hosted liquidity pool was the target of the attack, which was disclosed by blockchain security companies PeckShield and Ironblocks.

Hi @zunamiprotocol, we have detected an ongoing attack. Users are strongly suggested to take necessary actions.

Here is the encrypted hash: 2638ae2969ce932d61c3ca66f9b8a4a6c01c4d89bb2b34ddcf2c4145960f41c4. Actual hash will be released once the situation is stable.

— PeckShield Inc. (@peckshield) August 13, 2023

How the Zunami hack was carried out

The Zunami Protocol, which mostly operates through the “zStables” pool on the Curve network, enables decentralized exchange (DEX) services for stablecoins within the Ethereum ecosystem. By enabling users to diversify their stablecoin holdings, the protocol attempts to lower the risk associated with the eventual demise of any given stablecoin.

According to Ironblocks, the attacker initiated the attack by leveraging a flash loan from the “balancer.”

This loan allowed the hacker(s) to inject liquidity into the system, allowing them to considerably manipulate the price. The attacker then went ahead to trade on the exchange with the newly created liquidity. Afterwards, they manipulated the price once more and withdrew the funds and returned the flash loan, making a profit of 1,152 ether (ETH) in the process.

Effect on Zunami native assets

The hack considerably impacted the prices of Zunami’s native assets. Firstly, the Zunami USD stablecoin (UZD) declined by over 98%. Secondly, the Zunami Ether (zETH) dropped by over 85%, settling at $278.

Adding to the complexity of the hack, the stolen funds were channelled through Tornado Cash, a controversial crypto-mixing service platform.