SNEAK PEEK
- Zunami Protocol suffered a $2.1 million hack via price manipulation.
- Attackers exploited vulnerabilities using flash loans.
- Curve Finance faces recurring security challenges.
In a twist that no one saw coming, Zunami Protocol, the prominent DeFi yield farming aggregator, experienced a staggering $2.1 million loss from its Curve Finance liquidity pool. Moreover, the method employed was all too familiar to those well-acquainted with blockchain dynamics.
1. the attacker took flashloan from balancer pic.twitter.com/h0zxuCPDxL
— Ironblocks (@Ironblocks_) August 14, 2023
According to Ironblocks, the attacker smartly leveraged a flash loan from Balancer. Consequently, they bolstered liquidity, drastically influencing the Zunami exchange’s price. After the substantial price shift, they promptly drained the liquidity.
Further, they reverted the flash loan with the revised price, pocketing a hefty 1,152 ETH. Hence, as Ironblocks briefly put it, this was a “classic price manipulation.” Additionally, PeckShield, another blockchain analysis firm, quickly detected and announced the attack.
Hi @ZunamiProtocol Today’s hack leads to >$2.1m loss and there are two hack txs involved:
– tx1: https://t.co/jsOmPT62mk
– tx2: https://t.co/u7YOvoS0R9It is a price manipulation issue, which can be exploited by donation to incorrectly calculate the price as shown in the… https://t.co/yqwMVy0pCA pic.twitter.com/OfrDni7KtE
— PeckShield Inc. (@peckshield) August 14, 2023
Their analysis revealed two separate transactions involved in the hack, with the losses amounting to $2.1 million. In addition, they highlighted a critical vulnerability: price manipulation can lead to miscalculations in donation values.
Reacting promptly, Zunami advised its users to halt any acquisitions of zETH and UZD. The fallout from the hack was catastrophic. The Zunami USD stablecoin (UZD) saw its value virtually wiped out, plunging over 99%. Meanwhile, Zunami Ether (zETH) didn’t fare much better, dropping over 88% to a meager $206.
Please do not buy zETH and UZD at the moment, their emission has been attacked.
— Zunami Protocol (@ZunamiProtocol) August 14, 2023
However, the stolen funds didn’t remain visible for long. The attacker swiftly moved them through the coin mixer, Tornado Cash.
Besides Zunami, Curve Finance, too, has been grappling with security challenges. Their woes continue as they race against time to reclaim nearly $19 million, enticing whistleblowers with a tempting $1.8 million reward.
In conclusion, as DeFi platforms promise high returns, they must equally prioritize and reinforce security mechanisms. This incident serves as a stark reminder of the importance of proactive protection in the dynamic world of blockchain.