$2,127,000 USD

AUGUST 2023

GLOBAL

ZUNAMI PROTOCOL

DESCRIPTION OF EVENTS

Zunami Protocol is a decentralized finance (DeFi) platform designed to optimize yield generation through aggregated stablecoins and omnipools. At its core, Zunami issues aggregated stablecoins like zunUSD and zunETH, which are backed by diversified assets in yield-generating strategies across various DeFi protocols. These assets are held in omnipools, which combine liquidity and flexibility, enabling efficient, decentralized, and profitable collateral management.

The omnipools are structured to maximize returns—offering users an average APY of around 20%—by distributing capital across multiple DeFi platforms such as Curve Finance, Convex Finance, Stake DAO, FRAX Finance, and C.R.E.A.M. Finance. The collateral within these pools is managed through DAO voting, ensuring that strategy adjustments are community-driven. Zunami’s Algorithmic Peg Stabilizer (APS) further ensures that stablecoin prices remain steady, automatically rebalancing portfolios and compounding yields.

The ZUN token powers governance and liquidity functions within the ecosystem. Holders can vote on protocol decisions, manage liquidity-as-a-service (LaaS), influence token emissions, and earn rewards through staking. Notably, ZUN stakers act as an additional collateral layer, reinforcing stability and receiving 100% of the protocol’s revenue in return.

Security-wise, Zunami has emphasized decentralization with no proxy contracts, DAO-based risk management, and independent audits. Its open documentation and Gitbook provide full technical transparency. In sum, Zunami Protocol is an innovative approach to stablecoin yield farming—combining aggregation, decentralization, and automated strategy execution.

Unfortunately, the Zunami Protocol smart contract contained a vulnerability where the calculation of LP token value relied on manipulable inputs—specifically, inflated reward token prices within the totalHoldings function of certain strategies like MIMCurveStakeDao. This flaw could allow an attacker to use flash loans and strategic token donations to artificially boost the prices of tokens such as $SDT and $CRV, which were then used to overstate the protocol’s asset value.

The attack was enabled by a combination of collateral price manipulation and a flaw in the emissions mechanism. Specifically, the attacker used flash loans to artificially inflate the prices of SDT and CRV tokens, which were then used to distort the value calculations in Zunami’s omnipool strategies. This allowed the attacker to exploit the minting and redemption logic of UZD and zETH, draining liquidity from the UZD/FRAXBP and zETH/frxETH pools.

The attacker first donated SDT and CRV tokens to omnipool strategies, which falsely increased the calculated value of protocol holdings. Using this inflated valuation, they manipulated emissions of UZD and zETH, effectively minting them at a profit. The attacker then cashed out the proceeds (about 1,184 ETH or $2.1M) and laundered the funds through Tornado Cash, obscuring their trail. Key vulnerabilities included a flawed totalHoldings function and reliance on manipulated token prices for LP value calculations.

By caching the manipulated price at the right moment, the attacker was able to redeem significantly more assets than were legitimately backed by real value. This price manipulation not only distorted the emission mechanics of the zStables (UZD and zETH), but also allowed the attacker to drain liquidity from Curve pools without immediately triggering conventional slippage or price protection mechanisms.

At the core of the vulnerability was a flaw in the way the protocol calculated the LP (Liquidity Provider) token price—specifically in the totalHoldings function used in strategies like MIMCurveStakeDao. The attackers were able to artificially inflate the price of assets such as SDT (Stake DAO Token) and its associated pricing feed (sdtPrice), misleading the protocol about the true value of the underlying collateral.

The second transaction, which yielded the most profit (~1,152 ETH), involved six coordinated steps. It began with large flash loans: 7 million USDT from Uniswap V3, 7 million USDC, and over 10,000 WETH from Balancer. These funds were used to add liquidity and manipulate token prices across various DeFi platforms. The attacker minted and swapped large volumes of LP tokens such as crvFRAX, eventually converting them into UZD and USDC, while simultaneously inflating SDT prices by conducting large swaps and donations into manipulated Curve pools.

The key manipulation occurred when the attacker cached artificially inflated prices using a function called cacheAssetPrice in the UZD contract. Since the balanceOf function in UZD relied on this cached price, the attacker’s holdings appeared significantly higher than they actually were. With this inflated balance, the attacker could redeem or swap tokens at manipulated values, effectively extracting unearned profit. Finally, they reversed the earlier manipulations, restoring normal pricing and leaving with the inflated UZD as profit. The attack reveals a dangerous combination of price oracle manipulation, flash loan abuse, and flawed on-chain accounting logic.

A technical walkthrough of one of the exploits was provided by BlockSecTeam:

Step 1: Borrow 7,000,000 USDT from the UniswapV3, 7,000,000 USDC and 10,011 WETH from the Balancer.

Step 2: Add liquidity in the CurveFinance:Swap with 5,750,000 USDC and mint ~5,746,896 crvFRAX, then swap ~5,746,896 crvFRAX for ~4,082,046 UZD and 1,250,000 USDC for ~791,280 UZD in the Curve.

Step 3 [Price Manipulation]: Swap 71 WETH for ~55,981 SDT in the Curve, then donate all SDT (~55,598) into the MIMCurveStakeDao.

Step 4 [Price Manipulation]: Swap 10,000 WETH for ~58,043 SDT and 7,000,000 USDT for ~2,154 WETH in the SushiSwap.

Step 5: Cache the price snapshot in the UZD via the function cacheAssetPrice (the price cached has already been manipulated).

Note: Because the function balanceOf in the UZD contract relies on the incorrect price in the cache, the balance of the ATTACKER is inflated now!

Step 6: Reverse all operations for manipulating the price of UZD and swap all UZD inflated to profit.
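To make the accounting flaw behind steps 3 to 5 concrete, the following toy model is added here for this write-up; it is not Zunami's code, and the pool reserves, prices, TWAP value and 2% reward cap are constructed assumptions. It values a strategy's holdings the vulnerable way (every reward token on the contract at the current spot price) and a hardened way (rewards priced at a TWAP with un-harvested balances capped), then shows what a balanceOf that trusts a cached LP price reports under each.

```python
class ConstantProductPool:
    """Minimal x*y=k WETH/SDT pool; the spot price of SDT in WETH is weth/sdt."""

    def __init__(self, weth: float, sdt: float):
        self.weth, self.sdt = weth, sdt

    def spot_sdt_in_weth(self) -> float:
        return self.weth / self.sdt

    def buy_sdt(self, weth_in: float) -> float:
        """Swap WETH for SDT, which pushes the SDT spot price up."""
        sdt_out = self.sdt - (self.weth * self.sdt) / (self.weth + weth_in)
        self.weth, self.sdt = self.weth + weth_in, self.sdt - sdt_out
        return sdt_out

class Strategy:
    """Stablecoin principal plus SDT rewards; the LP price is holdings / LP supply."""

    def __init__(self, principal_usd: float, pool: ConstantProductPool,
                 weth_usd: float, sdt_twap_usd: float, lp_supply: float):
        self.principal_usd, self.pool, self.lp_supply = principal_usd, pool, lp_supply
        self.weth_usd, self.sdt_twap_usd = weth_usd, sdt_twap_usd
        self.sdt_balance = 0.0  # reward tokens on the contract, harvested or donated

    def total_holdings_spot(self) -> float:
        """Vulnerable: every SDT on the contract, valued at the pool's current spot price."""
        return self.principal_usd + self.sdt_balance * self.pool.spot_sdt_in_weth() * self.weth_usd

    def total_holdings_hardened(self, max_reward_share: float = 0.02) -> float:
        """Hardened: price SDT at a TWAP and cap un-harvested rewards at a share of principal."""
        reward_usd = min(self.sdt_balance * self.sdt_twap_usd, self.principal_usd * max_reward_share)
        return self.principal_usd + reward_usd

def balance_of(lp_tokens: float, cached_lp_price: float) -> float:
    """A balanceOf that trusts whatever LP price was last cached (the cacheAssetPrice pattern)."""
    return lp_tokens * cached_lp_price

def simulate(donated_sdt: float, pump_weth: float, attacker_lp: float = 1_000_000.0) -> dict:
    """Replay the donate-then-pump pattern against both valuations (all figures constructed)."""
    pool = ConstantProductPool(weth=1_000.0, sdt=800_000.0)  # 1 SDT = 0.00125 WETH = 2.25 USD
    strat = Strategy(5_000_000.0, pool, weth_usd=1_800.0, sdt_twap_usd=2.25, lp_supply=5_000_000.0)
    before = strat.total_holdings_spot() / strat.lp_supply  # 1.0; identical for both variants
    strat.sdt_balance += donated_sdt  # walkthrough step 3: donate SDT straight to the strategy
    pool.buy_sdt(pump_weth)           # walkthrough step 4: a large swap moves the spot price
    spot_after = strat.total_holdings_spot() / strat.lp_supply
    hard_after = strat.total_holdings_hardened() / strat.lp_supply
    return {"lp_price_before": before, "lp_price_spot": spot_after, "lp_price_hardened": hard_after,
            "balance_after_caching_spot": balance_of(attacker_lp, spot_after),
            "balance_at_honest_price": balance_of(attacker_lp, before)}
```

With 55,000 donated SDT and a 1,000 WETH swap the spot-priced LP price rises to 1.099 while the hardened one is bounded by the cap at 1.02, and without the donation the swap alone moves neither; the cap and TWAP are one defensive choice, not a reconstruction of Zunami V2.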

According to a post by Iron Blocks, the lost amount was 1,152 ETH, valued at $2,127,000 USD. Other sources regularly cite a figure of $2.1m USD.

Zunami Protocol reacted swiftly to the exploit. Within one hour of detecting the attack, the team halted all deposits and withdrawals to prevent further damage and protect remaining user funds. They quickly began analyzing the exploit and worked with security partners, such as BlockSec and SlowMist, to understand the technical root cause and confirm the scope of the damage.

Zunami publicly acknowledged the breach, assured users that the main omnipool collateral was safe, and committed to returning collateral to users based on pre-attack balances. The team also started developing Zunami V2, incorporating fixes for the vulnerabilities and scheduling a comprehensive audit with a leading security firm to prevent similar attacks in the future. Additionally, they announced a compensation process that would allow affected users to claim their share of collateral in stablecoins (USDT, USDC, DAI) within one to two weeks.

Zunami confirmed that the omnipool collateral is safe and will be returned to holders based on balances prior to the hack. A new version of the protocol, Zunami V2, is in development and will undergo a comprehensive audit. Compensation to users will be provided in USDT, USDC, or DAI within 1–2 weeks, and users will be able to manually claim their share from the contract.

According to the claims portal launched, "[U]sers who were affected by the hack on the night of August 13-14 can now access UZD & zETH collateral for the block before the hack." This became available on August 29th.

Zunami Protocol launched V2 and continues to operate, though they have been subject to another hack in May 2025.

Explore This Case Further On Our Wiki

Rekt - Zunami Protocol - Rekt II (Jun 13)
Zunami Protocol - Rekt (Jun 13)
Zunami Protocol - "It appears that zStables have encountered an attack. The collateral remain secure, we delve into the ongoing investigation." - Twitter/X (Jun 13)
PeckShield - "Hi @zunamiprotocol, we have detected an ongoing attack. Users are strongly suggested to take necessary actions." - Twitter/X (Jun 13)
"Please do not buy zETH and UZD at the moment, their emission has been attacked." - Twitter/X (Jun 13)
zETH Attack Transaction - Etherscan (Jun 13)
UZD Attack Transaction - Etherscan (Jun 13)
BlockSecTeam - "@ZunamiProtocol was hacked, and the loss is over $2M. It is a price manipulation attack that is due to the flawed calculation of the LP price, i.e., within the totalHoldings function of strategies like MIMCurveStakeDao where sdt and sdtPrice were artificially inflated." - Twitter/X (Jun 13)
Zunami Protocol - "Dear community! Collateral refund for $UZD & $zETH holders for the block before the hack is available through the link: https://claim.zunami.io" - Twitter/X (Jun 13)
Zunami Claim Portal (Jun 13)
RektHQ - "Yesterday, @ZunamiProtocol lost $2.1M to a price manipulation attack. Keeping DeFi safe is a constant game of cat-and-mouse, one that can’t always be won... Who will be next to fall prey?" - Twitter/X (Jun 13)
Rekt HQ - "$500k vanished from @ZunamiProtocol in a May admin key exploit. Months of stagnant development & perfect timing may have paved the way. Team offered weak excuses, dismissed concerns, left users empty-handed. When emergency keys open doors, who's in control? Story in comments." - Twitter/X (Jun 13)
Zunami Protocol Homepage (Jun 11)
https://x.com/ZunamiProtocol/status/1696515513747423731 (Jul 2)
