In a shocking turn of events, the Zunami Protocol, a prominent decentralized finance (DeFi) platform, has fallen victim to a devastating hack. Confirming the incident on Sunday, Zunami Protocol revealed that its liquidity pool on Curve Finance was targeted, resulting in a staggering loss of over $2.1 million. This alarming breach was brought to light by renowned blockchain security firms PeckShield and Ironblocks.
Known as a yield farming aggregator for stablecoin staking, Zunami Protocol maintained its primary "zStables" pool on Curve, a decentralized exchange (DEX) facilitating the seamless exchange of stablecoins within the Ethereum ecosystem.
Operating as a decentralized autonomous organization (DAO), Zunami Protocol had boasted about offering "the highest APY on the market" and proudly displayed $5 million in total value locked on its website. The cross-chain protocol aimed to empower users by enabling them to diversify their stablecoin portfolio and mitigate the risk associated with a single coin crash.
The attack employed a familiar strategy that has been observed by vigilant blockchain enthusiasts. Ironblocks shed light on the modus operandi, stating, "The attacker took a flash loan from balancer, then added liquidity to significantly alter the price and initiated trades on Zunami's exchange. Subsequently, the liquidity was removed, the price was manipulated, and the attacker traded back, returning the flash loan with a staggering 1,152 ETH profit."
It was a classic case of price manipulation, as concluded by Ironblocks. PeckShield, another blockchain analysis firm actively monitoring attacks on Curve, also detected the Zunami attack and promptly alerted the protocol via Twitter.
"The hack today has resulted in a loss exceeding $2.1 million, involving two separate hack transactions," PeckShield further explained. "This issue stems from price manipulation, which can be exploited by manipulating donations to incorrectly calculate the price."
Zunami Protocol swiftly responded on Twitter, acknowledging the incident. "It appears that zStables have encountered an attack. The collateral remains secure, and we are currently investigating the matter," they assured their users. "We advise against purchasing zETH and UZD at this time, as their emission has been compromised."
As a consequence of the hack, the value of both the Zunami USD stablecoin (UZD) and Zunami Ether (zETH) plummeted dramatically. UZD suffered a catastrophic collapse, losing over 99% of its value, while zETH experienced an 88% drop, plummeting to a mere $206.
To add to the complexity of the situation, the stolen funds have already been laundered through the controversial coin mixer, Tornado Cash, as reported by Zunami Protocol.
Curve Finance has been grappling with a series of attacks in recent weeks and is currently in pursuit of recovering approximately $19 million stolen by a hacker. In a bid to expedite the identification of the culprit, Curve Finance has even offered a substantial $1.8 million bounty for any information leading to the apprehension of the perpetrator.