Zunami Protocol Exploited for Over $2 Million, Native Stablecoin (UZD) Plunges 99%

On the 13th of August, DeFi project Zunami Protocol was attacked by bad actors, resulting in an estimated loss of $2.1 million.

A decentralized revenue aggregator project allowing users to stake stablecoins for yield, the exploit of Zunami focused on its Curve pools, adding one more victim to the list of protocols affected by the recent attack on Curve Finance.

(Un)stablecoins

The exploit was first detected by blockchain security firm PeckShield, who immediately notified Zunami.

Hi @zunamiprotocol, we have detected an ongoing attack. Users are strongly suggested to take necessary actions.

Here is the encrypted hash: 2638ae2969ce932d61c3ca66f9b8a4a6c01c4d89bb2b34ddcf2c4145960f41c4. Actual hash will be released once the situation is stable.

— PeckShield Inc. (@peckshield) August 13, 2023

According to PeckShield, the attack – which netted the bad actor $2.1 million and counting – was carried out via price manipulation made possible by donating to the protocol.

A step-by-step post-mortem was also made available by fellow blockchain security firm Ironblocks.

As usual, the attack started with a flash loan provided by Zunami, after which the perpetrator added liquidity and carried out some trades at an inflated price before returning the funds borrowed and cashing out a cool $2 million in profits.

The exploit drained the protocols’ zStables pools on Curve Finance, manipulating the price of both Zunami Ether (zETH) and Zunami USD (UZD). The price manipulation of the latter knocked the so-called stablecoin far off its peg.

Currently, 1 UZD is worth $0.0098, according to CoinGecko.

Collateral Secure, Exploit Still Not Fixed

Shortly after PeckShield ed Zunami Protocol of the issue, the latter confirmed the attack. Furthermore, the team instructed platform users to avoid purchasing either of the affected tokens, warning them that the exploit had not yet been fixed.

“It appears that zStables have encountered an attack. The collateral remain secure, we delve into the ongoing investigation. Please do not buy zETH and UZD at the moment, their emission has been attacked.”

The news was immediately lampooned by members of the crypto community, who pointed to the protocol’s claim of a “battle-tested” depeg prevention .

well that was a lie😂😂😂😂🤣🤣 pic.twitter.com/DPLm0P0HtF

— Degem Finder (@DegemFinder) August 14, 2023

However, the collateral backing UZD is allegedly safe, meaning that users should get their funds back. However, according to Zunami’s website, one of the collateral holders is Curve, raising questions about the viability of those reserves.

“The $UZD is backed by the LP of the Zunami Protocol DAO Strategy, which proxies funds in most major DeFi protocols that have been extensively audited, including Curve, Convex & Stake DAO.”

For now, no further information has been provided by Zunami devs on how user losses can be recouped.