The Zunami Protocol, a decentralized finance (DeFi) platform, confirmed Sunday that its liquidity pool at Curve Finance was attacked, leading to the loss of more than $2.1 million. The hack was reported by blockchain security firms PeckShield and Ironblocks.
The Zunami Protocol is a harvest aggregator for stablecoin staking, and maintains Curve’s main “zStables” pool, which allows the decentralized exchange (DEX) of stablecoins within Ethereum.
Zunami, managed as a decentralized autonomous organization (DAO), promises “the highest APY in the market” and declares a $5 million total amount locked on its website. The cross-chain protocol claims to allow users to “diversify their stablecoin portfolio and avoid the risk of one of them crashing.”
The scheme used in the attack is familiar to blockchain watchers.
“Taken by the attacker [a] flash loan from [the] balancer, then he added liquidity is he [would] able to change the price significantly and started trading on Zunami’s exchange,” Ironblocks MEAN. “Then he took the liquidity and changed the price, then he sold it again [returned] the flash loan and got 1,152 ETH himself.
Fellow blockchain analysis firm PeckShield, which tracks curve attackalso noticed the Zunami attack and protocol is announced on Twitter.
hi @zunamiprotocol, we noticed an ongoing attack. Users are strongly advised to take the necessary actions.
Here is the encrypted hash: 2638ae2969ce932d61c3ca66f9b8a4a6c01c4d89bb2b34ddcf2c4145960f41c4. The actual hash will be released when the situation is stable.
“The hack has now led to more than $2.1 million in losses and there are two hack transactions involved,” Peckshield explained in a follow up. “This is an issue of price manipulation, which can be exploited by donation to miscalculate the price.”
“It appears that zStables encountered an attack. The collateral remains safe, we are investigating the ongoing investigation,” Zunami posted on Twitter a few moments ago. “Please do not buy zETH and UZD at the moment, their emission is under attack.”
The price of both Zunami USD stablecoin (UZD) and Zunami Ether (zETH) fell sharply due to the hack, with the former collapsing completely—more than 99%—and the latter plunging 88% to $206.
Zunami USD Price Chart (UZD) by CoinGecko.
The funds have been laundered through the controversial coin mixer Tornado Cash, the company reported.
Curve Finance has struggled with multiple attacks in recent weeks, and is still trying to recover about $19 million stolen by a hacker—and has put up a $1.8 million bounty for information that leads to the identity of made
Stay on top of crypto news, getting daily updates in your inbox.
