Zunami Protocol's Liquidity Pool Attacked on Curve
The zStables pool (ZUSD, ZETH) of Zunami Protocol has been attacked on Curve, with estimated losses of around $2.1 million.
Attack Details:
- Confirmation: Zunami Protocol confirmed that its zStables pool on Curve Finance was compromised. Security firm PeckShield first reported the attack, estimating that over $2.1 million was stolen from Zunami's liquidity pool on Curve on the morning of 14/08.
Hi @ZunamiProtocol Today's hack leads to >$2.1m loss and there are two hack txs involved:
— PeckShield Inc. (@peckshield) August 14, 2023
- tx1: https://t.co/jsOmPT62mk
- tx2: https://t.co/u7YOvoS0R9
It is a price manipulation issue, which can be exploited by donation to incorrectly calculate the price as shown in the… https://t.co/yqwMVy0pCA pic.twitter.com/OfrDni7KtE
- Attack Method: The initial analysis suggests that the hacker used a flash loan attack to manipulate the prices of Zunami’s zETH and UZD, siphoning off the funds.
Zunami's Response:
- Assurance: Zunami stated that collateral in other pools remains safe and advised users not to buy zETH and UZD at this time as the team continues to investigate.
It appears that zStables have encountered an attack. The collateral remain secure, we delve into the ongoing investigation.
— Zunami Protocol (@ZunamiProtocol) August 13, 2023
- Price Impact: The prices of zETH and UZD have been falling sharply following the attack.
Hi @zunamiprotocol, we have detected an ongoing attack. Users are strongly suggested to take necessary actions.
— PeckShield Inc. (@peckshield) August 13, 2023
Here is the encrypted hash: 2638ae2969ce932d61c3ca66f9b8a4a6c01c4d89bb2b34ddcf2c4145960f41c4. Actual hash will be released once the situation is stable.
Protocol Overview:
- Zunami Protocol: A yield aggregator that allows users to stake stablecoins to earn passive income. The largest stablecoin pools on the platform are hosted on Curve.
- Founder’s Statement: The founder of Curve confirmed that this was an isolated flash loan attack and not related to the Vyper vulnerability hack on 31/07, which resulted in losses of up to $52 million. Curve Finance has since recovered 70% of the stolen funds as of 12/08.
Related Incidents:
- Recent Attacks: On 05/08, the CRV-ETH pool on Curve was also targeted by a flash loan attack but was thwarted by white hat hackers.
- Investments and Support:
- Binance Labs: Recently invested $5 million into Curve Finance’s CRV token and supported its development on the BNB Chain.
- Aave: Approved a proposal to purchase $2 million worth of CRV tokens OTC, following similar buyback agreements from Curve’s founder Michael Egorov.
The attack on Zunami Protocol's liquidity pool on Curve highlights the ongoing vulnerabilities within the DeFi space. Despite recent security incidents, platforms like Curve are receiving significant support and investments to enhance their resilience and continue their development.
