Zunami Protocol recently confirmed a price manipulation attack costing the platform over 2.1 million dollars. The DeFi protocol stated that its LP (liquidity pool) on Curve Finance was attacked this weekend. Ironblocks and PeckShield, two blockchain security firms, were the first to report the attack.
As a yield farming aggregator, Zunami Protocol deals with stablecoin staking. Its primary use case is maintaining the zStables pool over Curve. It circulates the DEXs (decentralized exchanges) of stablecoins across Ethereum.
The recent attack shook the community since Zunami has been promising the highest APY as a DAO (decentralized autonomous organization). The protocol even managed to reach over 5 million dollars in TVL (total value locked).
Allowing users to diversify their stablecoin portfolio while avoiding any crashing risk was another one of Zunami’s prevalent promises. However, the price manipulation attack has put a massive dent in the platform’s reputation.
According to a recent report by Ironblocks, the attack on the Zunami Protocol was a familiar one. It started with the attacker taking a flash loan from the balancer. Then, the attacker added liquidity to change the price massively.
Afterward, the attacker started trading in Zunami’s exchange. The liquidity was then removed, which changed the price. The attacker then traded back and returned the flash loan to get 1,1152 ETH. This was a classic price manipulation attack, concluded Ironblocks.
PeckShield was also quick to detect the attack and warn Zunami about it on Twitter/X. The blockchain security firm stated that the hack led to a loss of over 2 million dollars. The attack included two unethical transactions as part of a price manipulation ploy.
As expected, the news plummeted the price of Zunami Ether and Zunami USD stablecoin. While UZD lost 99% value, zETH lost 88% value. Seeing how Tornado Cash has already washed the funds, it will be difficult to track the attacker now.
Curve Finance has been struggling with attacks for some time now. The platform is still trying to recover around 19 million dollars from an attacker. A bounty of 1.8 million dollars has been put out for anyone sharing any information that leads to the attacker’s identity.