- DeFi protocol Zunami has suffered a price manipulation attack that cost it over $2 million, according to blockchain security firm PeckShield
- The attack took place on the protocol’s liquidity pools on Curve Finance
- The attacker targeted Zunami’s stablecoin pools
Malicious actors in the DeFi world continue to exploit weaknesses in DeFi platforms with Zunami Protocol being among the latest victims losing over $2 million in a price manipulation scheme. According to blockchain intelligence firms PeckShield and Ironblocks, the attacker targeted the protocol’s stablecoin pools on Curve Finance which also recently lost over $60 million in a hack. Zunami has acknowledged the attack and warned its users against interacting with its ETH pool or zETH.
Deposit and Withdraw Process Nets Attacker Over 1,150 ETH
According to an investigation by Ironblocks, the malicious actor took a loan on Balancer and used the funds to add liquidity on Zunami, something that jolted the price upwards. He later withdrew his funds to repay the loan, crashing the price in the process.
1. the attacker took flashloan from balancer pic.twitter.com/FJPqkQdH3G
— Ironblocks (@Ironblocks_) August 13, 2023
The price manipulation scheme netted him over 1,150 ETH after repaying the loan. PeckShield also reached a similar conclusion and revealed the two transactions involved, adding that the transactions were meant to make the protocol “incorrectly calculate the price.”
Zunami has however disclosed that “the collateral remains secure,” noting that it has started investigating the incident that caused its UZD and zETH tokens’ price to tumble by between 88% and 99%.
Please do not buy zETH and UZD at the moment, their emission has been attacked.
— Zunami Protocol (@ZunamiProtocol) August 14, 2023
No Deal, Yet
The attacker has already moved the funds through coin mixing service Tornado Cash, a suggestion they intend to keep the illicit funds. Zunami is yet to announce whether they’ll engage the attacker to strike a deal, which has been a growing trend in the web3 world.
Here comes the flow of stolen funds, which have been washed via @TornadoCash pic.twitter.com/SHSajq4fBO
— PeckShieldAlert (@PeckShieldAlert) August 14, 2023
Curve Finance, for example, partnered with other Vyper attack victims to offer a $7 million bug bounty, a move that saw the platforms recover over 75% of the stolen funds. Curve Finance recently promised to reimburse all affected users.
With the Zunami attacker having washed the funds through Tornado Cash, it lowers the chances of the DeFi protocol recovering the funds.